[strongSwan] payload of type AUTH more than 1 times (2) occurred in current message
Alexis Salinas
asalinas at sierrawireless.com
Mon Jul 20 19:09:11 CEST 2015
________________________________________
From: Alexis Salinas
Sent: July 14, 2015 12:05
To: Andreas Steffen
Subject: RE: [strongSwan] payload of type AUTH more than 1 times (2) occurred in current message
Thanks for the reply Andreas.
That is what I thought too, but I was wondering if that was allowed. So, thank you for the strong clarification.
Do you know if this was allowed in IKEv1 and perhaps these guys just re-use part of their code?
As per your request, here are 2 files. One with ike=3 enabled, which didn't show much more detail around the error. On the second file I also enabled enc=2 in case that is more useful (you can see the parsing and verification of the message).
Let me know if you need anything else.
Cheers,
Alexis.
________________________________________
From: Andreas Steffen [andreas.steffen at strongswan.org]
Sent: July 14, 2015 03:12
To: Alexis Salinas; users at lists.strongswan.org
Subject: Re: [strongSwan] payload of type AUTH more than 1 times (2) occurred in current message
Hi Alexis,
it looks as if the 3rd party VPN client sends two AUTH payloads in its
IKE_AUTH request. This does not conform to the IKEv2 RFC. Could you
send me a strongSwan log file with the log level set to
charondebug="ike 3"
in ipsec.conf?
Best regards
Andreas
On 07/13/2015 09:23 PM, Alexis Salinas wrote:
> Hello All,
> I'm testing strongSwan as a VPN gateway for a 3rd party VPN client. PSK and certificate authentication work fine, but when testing EAP-TLS I get this error message on the strongSwan side, after the EAP authentication succeeds.
>
> Jul 10 16:42:11 debian-vm1-alexis charon: 14[ENC] payload of type AUTH more than 1 times (2) occurred in current message
> Jul 10 16:42:11 debian-vm1-alexis charon: 14[IKE] message verification failed
>
> See attachment for full logs.
>
> Here is my strongSwan configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
>
> conn rw-eap-tls
> left=10.1.65.147
> leftid=ocm at test.org
> leftsubnet=10.99.0.0/24
> leftcert=ocmCert.pem
> leftauth=pubkey
> leftfirewall=yes
> rightsourceip=172.22.0.0/24
> rightauth=eap-radius
> rightsendcert=never
> right=%any
> auto=add
> eap_identity=%identity
>
> Does any of you know what this is about?
>
> What is strongSwan expecting at this point? Looking at the RFC [1], there should be a message of type AUTH (message 7).
>
> I can enable more logging if needed.
>
> Thanks.
> Alexis.
>
>
>
> [1] : https://tools.ietf.org/html/rfc7296#section-2.16
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
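As an added illustration (not code from this thread or from strongSwan), the Python below walks an IKEv2 payload chain and flags any payload type that RFC 7296 allows only once in an IKE_AUTH message, which is the kind of rule check behind the "payload of type AUTH more than 1 times (2)" log line. It assumes the IKE_AUTH payloads hang directly off the IKE header, i.e. as if the encrypted SK wrapper had already been removed; payload type numbers follow RFC 7296 section 3.2 and the sample message is constructed.

```python
import struct
from collections import Counter

IKE_HEADER_LEN = 28   # fixed IKE header, RFC 7296 s.3.1
AUTH = 39             # AUTH payload type number, RFC 7296 s.3.2
# Payload types an IKE_AUTH message may carry at most once (IDi, IDr, AUTH, TSi, TSr).
SINGLE_ONLY = {35, 36, AUTH, 44, 45}

def walk_payloads(msg):
    """Return the payload type codes of an IKEv2 message in chain order, following
    the Next Payload field of the header and of each generic payload header."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    next_type = msg[16]
    if struct.unpack("!I", msg[24:28])[0] != len(msg):
        raise ValueError("header length field does not match message size")
    types, off = [], IKE_HEADER_LEN
    while next_type != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _flags, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        types.append(next_type)
        next_type, off = nxt, off + plen
    return types

def duplicate_payloads(msg):
    """Return {payload type: count} for single-occurrence types seen more than once;
    an empty dict means the chain passes this part of the rule check."""
    counts = Counter(walk_payloads(msg))
    return {t: n for t, n in counts.items() if t in SINGLE_ONLY and n > 1}

def build_message(payloads, exchange_type=35, flags=0x08, msg_id=1):
    """Build a constructed IKEv2 message (IKE_AUTH by default) from (type, body) pairs;
    SPIs are dummy values and nothing is encrypted or signed."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x20,
                      exchange_type, flags, msg_id, IKE_HEADER_LEN + len(body))
    return hdr + body

# Constructed sample: the client repeats AUTH, as in the thread's log line.
AUTH_BODY = b"\x01\x00\x00\x00" + b"\xaa" * 16   # auth method 1 plus dummy data
BAD_REQUEST = build_message([(35, b"\x01\x00\x00\x00client"), (AUTH, AUTH_BODY),
                             (AUTH, AUTH_BODY), (44, b"\x00" * 8), (45, b"\x00" * 8)])
```

Running `duplicate_payloads(BAD_REQUEST)` yields `{39: 2}`, i.e. AUTH seen twice, while a chain with a single AUTH yields an empty dict.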