[strongSwan] constraint requires public key authentication, but EAP was used on strongswan android client
Tom Hu
pleasetalktome at gmail.com
Fri May 8 20:37:01 CEST 2015
Hi all
During working on Android strongswan client using ikev2 TNC EAP
authentication method with strongswan server 5.2.2. I got "constraint
requires public key authentication, but EAP was used" error. I have no
idea where is wrong. Any input, I am appreciated
attached is my client GUI capture from android screen,
debug for server and client, server strongswan.conf, and
ipsec.secrets, server config and tnc_config
>From client log, you can see at end of IKEv2 negotiation (search for >>>>)
May 7 12:17:57 02[CFG] constraint requires public key authentication,
but EAP was used
May 7 12:17:57 02[CFG] selected peer config 'android' inacceptable:
constraint checking failed
May 7 12:17:57 02[CFG] no alternative config found
The server log showed is very close end of exchange
12:31:10 08[IKE] CHILD_SA eap{1} established with SPIs c80494b2_i
05452fce_o and TS 192.168.11.12/32 === 10.3.0.1/32
12:31:10 08[ENC] generating IKE_AUTH response 12 [ AUTH CPRP(ADDR) SA
TSi TSr N(AUTH_LFT) ]
12:31:10 08[NET] sending packet: from 192.168.11.12[4500] to
192.168.11.6[58136] (220 bytes)
12:31:10 10[NET] received packet: from 192.168.11.6[58136] to
192.168.11.12[4500] (76 bytes)
12:31:10 10[ENC] parsed INFORMATIONAL request 13 [ N(AUTH_FAILED) ]
My server files contain:
/etc/ipsec.conf
conn eap
type=tunnel
auto=add
esp=aes192-sha1!
ike=aes128-sha1-modp1024!
left=192.168.11.12
right=%any
leftauth=eap-ttls
rightsourceip=10.3.0.0/28
rightauth=eap-ttls
leftcert=hostCert4.pem
rightid="C=US, ST=CA, O=xxx, OU=Dev, CN=vpn3"
/etc/strongswan.conf:
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl
revocation hmac stroke kernel-netlink socket-default eap-identity
eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
close_ike_on_child_failure = yes
multiple_authentication=no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc_method = tnc
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
tnc-imv {
recommendation_policy = default
}
}
}
libimcv {
plugins {
imv-test {
rounds = 1
}
}
}
/etc/ipsec.setcrets
: EAP "admin"
: RSA hostKeyout4.pem
/etc/tnc_config
IMV "Test" /lib/ipsec/imcvs/imv-test.so
IMV "Scanner" /lib/ipsec/imcvs/imc-scanner.so
Thanks
Tom
-------------- next part --------------
Server debug
============
<<<<<<< show the problem
12:31:09 08[NET] received packet: from 192.168.11.6[33532] to 192.168.11.12[500] (868 bytes)
12:31:09 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
12:31:09 08[IKE] 192.168.11.6 is initiating an IKE_SA
12:31:09 08[IKE] remote host is behind NAT
12:31:09 08[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
12:31:09 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
12:31:09 08[NET] sending packet: from 192.168.11.12[500] to 192.168.11.6[33532] (329 bytes)
12:31:09 09[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (588 bytes)
12:31:09 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
12:31:09 09[IKE] received cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
12:31:09 09[CFG] looking for peer configs matching 192.168.11.12[%any]...192.168.11.6[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
12:31:09 09[CFG] selected peer config 'eap'
12:31:09 09[IKE] initiating EAP_TTLS method (id 0xA0)
12:31:09 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12:31:09 09[IKE] peer supports MOBIKE, but disabled in config
12:31:09 09[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
12:31:09 09[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (156 bytes)
12:31:09 10[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (236 bytes)
12:31:09 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
12:31:09 10[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
12:31:09 10[TLS] sending TLS server certificate 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4'
12:31:09 10[TLS] sending TLS cert request for 'C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1'
12:31:09 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
12:31:09 10[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (1100 bytes)
12:31:09 11[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (76 bytes)
12:31:09 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
12:31:09 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
12:31:09 11[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (1100 bytes)
12:31:09 12[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (76 bytes)
12:31:09 12[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
12:31:09 12[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
12:31:09 12[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (220 bytes)
12:31:10 13[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (428 bytes)
12:31:10 13[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
12:31:10 13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
12:31:10 13[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
12:31:10 13[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (220 bytes)
12:31:10 14[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (220 bytes)
12:31:10 14[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
12:31:10 14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
12:31:10 14[IKE] received EAP identity 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
12:31:10 14[IKE] phase2 method EAP_MD5 selected
12:31:10 14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
12:31:10 14[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
12:31:10 14[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (172 bytes)
12:31:10 15[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (172 bytes)
12:31:10 15[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
12:31:10 15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
12:31:10 15[IKE] EAP_TTLS phase2 authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' with EAP_MD5 successful
12:31:10 15[IKE] phase2 method EAP_PT_EAP selected
12:31:10 15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
12:31:10 15[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
12:31:10 15[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (156 bytes)
12:31:10 04[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (364 bytes)
12:31:10 04[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
12:31:10 04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
12:31:10 04[TNC] assigned TNCCS Connection ID 1
12:31:10 04[TNC] received TNCCS batch (212 bytes) for Connection ID 1
12:31:10 04[TNC] processing PB-TNC CDATA batch
12:31:10 04[TNC] creating PA-TNC message with ID 0x2fedcbb3
12:31:10 04[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
12:31:10 04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
12:31:10 04[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
12:31:10 04[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (204 bytes)
12:31:10 06[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (156 bytes)
12:31:10 06[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
12:31:10 06[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
12:31:10 06[TNC] received TNCCS batch (8 bytes) for Connection ID 1
12:31:10 06[TNC] processing PB-TNC CDATA batch
12:31:10 06[TNC] sending PB-TNC RESULT batch (109 bytes) for Connection ID 1
12:31:10 06[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
12:31:10 06[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
12:31:10 06[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (268 bytes)
12:31:10 05[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (156 bytes)
12:31:10 05[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
12:31:10 05[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
12:31:10 05[TNC] received TNCCS batch (8 bytes) for Connection ID 1
12:31:10 05[TNC] processing PB-TNC CLOSE batch
12:31:10 05[TNC] final recommendation is 'allow' and evaluation is 'don't know'
12:31:10 05[TNC] policy enforced on peer 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' is 'allow'
12:31:10 05[TNC] policy enforcement point added group membership 'allow'
12:31:10 05[IKE] EAP_TTLS phase2 authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' with EAP_PT_EAP successful
12:31:10 05[TNC] removed TNCCS Connection ID 1
12:31:10 05[TLS] sending TLS close notify
12:31:10 05[ENC] generating IKE_AUTH response 10 [ EAP/REQ/TTLS ]
12:31:10 05[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (140 bytes)
12:31:10 07[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (140 bytes)
12:31:10 07[ENC] parsed IKE_AUTH request 11 [ EAP/RES/TTLS ]
12:31:10 07[IKE] EAP method EAP_TTLS succeeded, MSK established
12:31:10 07[ENC] generating IKE_AUTH response 11 [ EAP/SUCC ]
12:31:10 07[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (76 bytes)
12:31:10 08[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (92 bytes)
12:31:10 08[ENC] parsed IKE_AUTH request 12 [ AUTH ]
12:31:10 08[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' with EAP successful
12:31:10 08[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4' (myself) with EAP
12:31:10 08[IKE] IKE_SA eap[2] established between 192.168.11.12[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4]...192.168.11.6[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
12:31:10 08[IKE] scheduling reauthentication in 3395s
12:31:10 08[IKE] maximum IKE_SA lifetime 3575s
12:31:10 08[IKE] peer requested virtual IP %any
12:31:10 08[CFG] assigning new lease to 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
12:31:10 08[IKE] assigning virtual IP 10.3.0.1 to peer 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
12:31:10 08[IKE] peer requested virtual IP %any6
12:31:10 08[IKE] no virtual IP found for %any6 requested by 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
12:31:10 08[IKE] CHILD_SA eap{1} established with SPIs c80494b2_i 05452fce_o and TS 192.168.11.12/32 === 10.3.0.1/32
12:31:10 08[ENC] generating IKE_AUTH response 12 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]
12:31:10 08[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (220 bytes)
12:31:10 10[NET] received packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (76 bytes)
12:31:10 10[ENC] parsed INFORMATIONAL request 13 [ N(AUTH_FAILED) ]<<<<<<<
12:31:10 10[IKE] received DELETE for IKE_SA eap[2]
12:31:10 10[IKE] deleting IKE_SA eap[2] between 192.168.11.12[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4]...192.168.11.6[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
12:31:10 10[IKE] IKE_SA deleted
12:31:10 10[ENC] generating INFORMATIONAL response 13 [ ]
12:31:10 10[NET] sending packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (76 bytes)
12:31:10 10[CFG] lease 10.3.0.1 by 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' went offline
#
===========================================
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.eap-tnc.conf
Type: application/octet-stream
Size: 268 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150508/1839ae48/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.secrets
Type: application/octet-stream
Size: 56 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150508/1839ae48/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan.conf
Type: application/octet-stream
Size: 2841 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150508/1839ae48/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tnc_config
Type: application/octet-stream
Size: 88 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150508/1839ae48/attachment-0007.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20150507_195353[1].jpg
Type: image/jpeg
Size: 3035256 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150508/1839ae48/attachment-0001.jpg>
-------------- next part --------------
Client debug
============
<<<<<<< show the problem
May 7 12:17:55 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.0.52, armv7l)
May 7 12:17:55 00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
May 7 12:17:55 00[LIB] libimcv initialized
May 7 12:17:55 00[IMC] IMC 1 "Android" initialized
May 7 12:17:55 00[TNC] IMC 1 "Android" loaded
May 7 12:17:55 00[LIB] loaded plugins: androidbridge android-byod charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default kernel-netlink eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20
May 7 12:17:55 00[LIB] unable to load 9 plugin features (9 due to unmet dependencies)
May 7 12:17:55 00[JOB] spawning 16 worker threads
May 7 12:17:55 10[IKE] initiating IKE_SA android[17] to 192.168.11.12
May 7 12:17:56 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 7 12:17:56 10[NET] sending packet: from 192.168.11.6[33532] to 192.168.11.12[500] (996 bytes)
May 7 12:17:56 16[NET] received packet: from 192.168.11.12[500] to 192.168.11.6[33532] (38 bytes)
May 7 12:17:56 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 7 12:17:56 16[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
May 7 12:17:56 16[IKE] initiating IKE_SA android[17] to 192.168.11.12
May 7 12:17:56 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 7 12:17:56 16[NET] sending packet: from 192.168.11.6[33532] to 192.168.11.12[500] (868 bytes)
May 7 12:17:56 12[NET] received packet: from 192.168.11.12[500] to 192.168.11.6[33532] (329 bytes)
May 7 12:17:56 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
May 7 12:17:56 12[IKE] faking NAT situation to enforce UDP encapsulation
May 7 12:17:56 12[IKE] received cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
May 7 12:17:56 12[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
May 7 12:17:56 12[IKE] establishing CHILD_SA android
May 7 12:17:56 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
May 7 12:17:56 12[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (588 bytes)
May 7 12:17:56 04[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (156 bytes)
May 7 12:17:56 04[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
May 7 12:17:56 04[IKE] server requested EAP_TTLS authentication (id 0xA0)
May 7 12:17:56 04[TLS] EAP_TTLS version is v0
May 7 12:17:56 04[IKE] allow mutual EAP-only authentication
May 7 12:17:56 04[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
May 7 12:17:56 04[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (236 bytes)
May 7 12:17:56 03[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (1100 bytes)
May 7 12:17:56 03[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
May 7 12:17:56 03[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
May 7 12:17:56 03[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (76 bytes)
May 7 12:17:56 02[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (1100 bytes)
May 7 12:17:56 02[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
May 7 12:17:56 02[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
May 7 12:17:56 02[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (76 bytes)
May 7 12:17:56 01[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (220 bytes)
May 7 12:17:56 01[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
May 7 12:17:56 01[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
May 7 12:17:56 01[TLS] received TLS server certificate 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4'
May 7 12:17:56 01[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4"
May 7 12:17:56 01[CFG] using trusted ca certificate "C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1"
May 7 12:17:56 01[CFG] reached self-signed root ca with a path length of 0
May 7 12:17:57 01[TLS] received TLS cert request for 'C=US, ST=CA, L=San, O=IBM, OU=Dev, CN=CA1
May 7 12:17:57 01[TLS] no TLS peer certificate found for 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3', skipping client authentication
May 7 12:17:57 01[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
May 7 12:17:57 01[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (428 bytes)
May 7 12:17:57 15[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (220 bytes)
May 7 12:17:57 15[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
May 7 12:17:57 15[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
May 7 12:17:57 15[IKE] server requested EAP_IDENTITY authentication (id 0x00)
May 7 12:17:57 15[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
May 7 12:17:57 15[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
May 7 12:17:57 15[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (220 bytes)
May 7 12:17:57 11[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (172 bytes)
May 7 12:17:57 11[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
May 7 12:17:57 11[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
May 7 12:17:57 11[IKE] server requested EAP_MD5 authentication (id 0xE5)
May 7 12:17:57 11[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
May 7 12:17:57 11[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
May 7 12:17:57 11[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (172 bytes)
May 7 12:17:57 10[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (156 bytes)
May 7 12:17:57 10[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
May 7 12:17:57 10[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
May 7 12:17:57 10[IKE] server requested EAP_PT_EAP authentication (id 0xDE)
May 7 12:17:57 10[TLS] EAP_PT_EAP version is v1
May 7 12:17:57 10[TNC] assigned TNCCS Connection ID 1
May 7 12:17:57 10[TNC] creating PA-TNC message with ID 0x6246f932
May 7 12:17:57 10[TNC] sending PB-TNC CDATA batch (212 bytes) for Connection ID 1
May 7 12:17:57 10[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
May 7 12:17:57 10[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
May 7 12:17:57 10[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (364 bytes)
May 7 12:17:57 16[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (204 bytes)
May 7 12:17:57 16[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
May 7 12:17:57 16[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
May 7 12:17:57 16[TNC] received TNCCS batch (56 bytes) for Connection ID 1
May 7 12:17:57 16[TNC] processing PB-TNC SDATA batch
May 7 12:17:57 16[TNC] processing PA-TNC message with ID 0x2fedcbb3
May 7 12:17:57 16[IMC] ***** assessment of IMC 1 "Android" from IMV 2 *****
May 7 12:17:57 16[IMC] assessment result is 'don't know'
May 7 12:17:57 16[IMC] ***** end of assessment *****
May 7 12:17:57 16[TNC] sending PB-TNC CDATA batch (8 bytes) for Connection ID 1
May 7 12:17:57 16[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
May 7 12:17:57 16[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
May 7 12:17:57 16[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (156 bytes)
May 7 12:17:57 12[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (268 bytes)
May 7 12:17:57 12[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TTLS ]
May 7 12:17:57 12[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/PT]
May 7 12:17:57 12[TNC] received TNCCS batch (109 bytes) for Connection ID 1
May 7 12:17:57 12[TNC] processing PB-TNC RESULT batch
May 7 12:17:57 12[TNC] PB-TNC assessment result is 'don't know'
May 7 12:17:57 12[TNC] PB-TNC access recommendation is 'Access Allowed'
May 7 12:17:57 12[TNC] reason string is 'IMC Test was not configured with "command = allow"' [en]
May 7 12:17:57 12[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1
May 7 12:17:57 12[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/PT]
May 7 12:17:57 12[ENC] generating IKE_AUTH request 10 [ EAP/RES/TTLS ]
May 7 12:17:57 12[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (156 bytes)
May 7 12:17:57 04[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (140 bytes)
May 7 12:17:57 04[ENC] parsed IKE_AUTH response 10 [ EAP/REQ/TTLS ]
May 7 12:17:57 04[TLS] received TLS close notify
May 7 12:17:57 04[TLS] sending TLS close notify
May 7 12:17:57 04[ENC] generating IKE_AUTH request 11 [ EAP/RES/TTLS ]
May 7 12:17:57 04[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (140 bytes)
May 7 12:17:57 03[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (76 bytes)
May 7 12:17:57 03[ENC] parsed IKE_AUTH response 11 [ EAP/SUCC ]
May 7 12:17:57 03[IKE] EAP method EAP_TTLS succeeded, MSK established
May 7 12:17:57 03[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3' (myself) with EAP
May 7 12:17:57 03[ENC] generating IKE_AUTH request 12 [ AUTH ]
May 7 12:17:57 03[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (92 bytes)
May 7 12:17:57 02[NET] received packet: from 192.168.11.12[4500] to 192.168.11.6[58136] (220 bytes)
May 7 12:17:57 02[ENC] parsed IKE_AUTH response 12 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) ]
May 7 12:17:57 02[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4' with EAP successful
May 7 12:17:57 02[TNC] removed TNCCS Connection ID 1
******IKE_SA home[1] established between 192.168.0.100[C=CH, O=Linux strongSwan, OU=Research, CN=carol at strongswan.org]...192.168.0.1[moon.strongswan.org]*****
May 7 12:17:57 02[CFG] constraint requires public key authentication, but EAP was used <<<<<<<<<<
May 7 12:17:57 02[CFG] selected peer config 'android' inacceptable: constraint checking failed
May 7 12:17:57 02[CFG] no alternative config found
May 7 12:17:57 02[ENC] generating INFORMATIONAL request 13 [ N(AUTH_FAILED) ]
May 7 12:17:57 02[NET] sending packet: from 192.168.11.6[58136] to 192.168.11.12[4500] (76 bytes)
May 7 12:43:47 00[IMC] IMC 1 "Android" terminated
May 7 12:43:47 00[LIB] libimcv terminated
Displaying charon.log.
More information about the Users
mailing list