[strongSwan] Failing to login due to constraint check failed

Gilad Novik gilad at hola.org
Wed May 27 14:25:43 CEST 2015


I have a strongSwan setup which is failing when I try to log in via iOS 8 
(IKEv2).

What I don't understand is why it is failing on EAP identity when I clearly 
defined 'eap_identity=%any'.

Any ideas?



May 27 08:15:50 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 
3.13.0-43-generic, x86_64)
May 27 08:15:50 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 27 08:15:50 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 27 08:15:50 00[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
May 27 08:15:50 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
May 27 08:15:50 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 27 08:15:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 27 08:15:50 00[CFG]   loaded IKE secret for %any
May 27 08:15:50 00[CFG]   loaded EAP secret for gilad
May 27 08:15:50 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp 
dnskey sshkey pem gcrypt fips-prf gmp agent xcbc cmac hmac attr 
kernel-netlink resolve socket-default connmark farp stroke updown 
eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls xauth-generic
May 27 08:15:50 00[JOB] spawning 16 worker threads
May 27 08:15:50 11[CFG] received stroke: add connection 'ios8'
May 27 08:15:50 11[CFG] conn ios8
May 27 08:15:50 11[CFG]   left=%any
May 27 08:15:50 11[CFG]   leftsubnet=0.0.0.0/0
May 27 08:15:50 11[CFG]   leftauth=psk
May 27 08:15:50 11[CFG]   leftid=vpn.domain.org
May 27 08:15:50 11[CFG]   right=%any
May 27 08:15:50 11[CFG]   rightsourceip=10.0.0.0/15
May 27 08:15:50 11[CFG]   rightdns=8.8.8.8,8.8.4.4
May 27 08:15:50 11[CFG]   rightauth=eap-mschapv2
May 27 08:15:50 11[CFG]   eap_identity=%any
May 27 08:15:50 11[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
May 27 08:15:50 11[CFG]   esp=aes128-sha1,3des-sha1
May 27 08:15:50 11[CFG]   dpddelay=30
May 27 08:15:50 11[CFG]   dpdtimeout=150
May 27 08:15:50 11[CFG]   dpdaction=1
May 27 08:15:50 11[CFG]   mediation=no
May 27 08:15:50 11[CFG]   keyexchange=ikev2
May 27 08:15:50 11[CFG] left nor right host is our side, assuming left=local
May 27 08:15:50 11[CFG] adding virtual IP address pool 10.0.0.0/15
May 27 08:15:50 11[CFG] added configuration 'ios8'
May 27 08:16:00 06[NET] <1> received packet: from 5.6.7.8[500] to 
1.2.3.4[500] (284 bytes)
May 27 08:16:00 06[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
May 27 08:16:00 06[CFG] <1> looking for an ike config for 1.2.3.4...5.6.7.8
May 27 08:16:00 06[CFG] <1>   candidate: %any...%any, prio 28
May 27 08:16:00 06[CFG] <1> found matching ike config: %any...%any with prio 
28
May 27 08:16:00 06[IKE] <1> 5.6.7.8 is initiating an IKE_SA
May 27 08:16:00 06[CFG] <1> selecting proposal:
May 27 08:16:00 06[CFG] <1>   no acceptable ENCRYPTION_ALGORITHM found
May 27 08:16:00 06[CFG] <1> selecting proposal:
May 27 08:16:00 06[CFG] <1>   no acceptable DIFFIE_HELLMAN_GROUP found
May 27 08:16:00 06[CFG] <1> selecting proposal:
May 27 08:16:00 06[CFG] <1>   proposal matches
May 27 08:16:00 06[CFG] <1> received proposals: 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 08:16:00 06[CFG] <1> configured proposals: 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
May 27 08:16:00 06[CFG] <1> selected proposal: 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 08:16:00 06[IKE] <1> remote host is behind NAT
May 27 08:16:00 06[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 27 08:16:00 06[NET] <1> sending packet: from 1.2.3.4[500] to 5.6.7.8[500] 
(308 bytes)
May 27 08:16:00 13[NET] <1> received packet: from 5.6.7.8[55612] to 
1.2.3.4[4500] (348 bytes)
May 27 08:16:00 13[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) 
IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) 
N(NON_FIRST_FRAG) SA TSi TSr ]
May 27 08:16:00 13[CFG] <1> looking for peer configs matching 
1.2.3.4[vpn.domain.org]...5.6.7.8[%any]
May 27 08:16:00 13[CFG] <1>   candidate "ios8", match: 20/1/28 (me/other/ike)
May 27 08:16:00 13[CFG] <ios8|1> selected peer config 'ios8'
May 27 08:16:00 13[IKE] <ios8|1> authentication of '%any' with pre-shared key 
successful
May 27 08:16:00 13[CFG] <ios8|1> constraint check failed: EAP identity '%any' 
required
May 27 08:16:00 13[CFG] <ios8|1> selected peer config 'ios8' inacceptable: 
non-matching authentication done
May 27 08:16:00 13[CFG] <ios8|1> no alternative config found
May 27 08:16:00 13[IKE] <ios8|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not 
using ESPv3 TFC padding
May 27 08:16:00 13[ENC] <ios8|1> generating IKE_AUTH response 1 [ 
N(AUTH_FAILED) ]
May 27 08:16:00 13[NET] <ios8|1> sending packet: from 1.2.3.4[4500] to 
5.6.7.8[55612] (68 bytes)
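Two things in the log above are worth pulling out mechanically when triaging a charon trace like this one. First, the parsed IKE_AUTH request carries an AUTH payload and charon reports "authentication of '%any' with pre-shared key successful" before the constraint check fails: an IKEv2 client that wants EAP omits AUTH from its first IKE_AUTH request (RFC 7296, section 2.16), so the peer authenticated itself with the shared secret while the conn demands EAP-MSCHAPv2 from it. Second, the "configured proposals" line lists three IKE proposals although ike= names only two; charon appends its default proposal unless the ike= value ends with the strict marker "!", and that default is what allowed 3DES_CBC with MODP_1024 to be selected. The script below is an added example (not from the original post or the strongSwan project): it runs these checks over constructed, unwrapped copies of the log lines above. The weak-algorithm list and the finding names are this example's own assumptions.

```python
"""Triage a strongSwan charon IKEv2 responder log excerpt.

Added example, not part of the original mailing-list post or of strongSwan.
The sample lines are constructed, unwrapped copies of the ones in the post;
WEAK_IKE_ALGS and the finding names are assumptions of this example.
"""
import re
from typing import Dict, List

# Constructed sample: the lines from the post that drive the diagnosis.
SAMPLE_LOG = """\
May 27 08:15:50 11[CFG]   leftauth=psk
May 27 08:15:50 11[CFG]   rightauth=eap-mschapv2
May 27 08:15:50 11[CFG]   eap_identity=%any
May 27 08:15:50 11[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
May 27 08:16:00 06[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 08:16:00 06[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 08:16:00 13[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 27 08:16:00 13[IKE] <ios8|1> authentication of '%any' with pre-shared key successful
May 27 08:16:00 13[CFG] <ios8|1> constraint check failed: EAP identity '%any' required
May 27 08:16:00 13[CFG] <ios8|1> selected peer config 'ios8' inacceptable: non-matching authentication done
"""

# Assumption of this example: IKE transforms we treat as weak.
WEAK_IKE_ALGS = {"3DES_CBC", "MODP_1024", "MODP_768", "HMAC_MD5_96", "PRF_HMAC_MD5"}

CONF_RE = re.compile(r"\[CFG\]\s+(\w+)=(\S+)\s*$")
SELECTED_RE = re.compile(r"selected proposal: IKE:(\S+)")
AUTH_RE = re.compile(r"authentication of '([^']*)' with (.+?) successful")
CONSTRAINT_RE = re.compile(r"constraint check failed: (.+)$")
IKE_AUTH_RE = re.compile(r"parsed IKE_AUTH request \d+ \[(.*)\]")


def parse_conn_settings(log: str) -> Dict[str, str]:
    """Collect the key=value lines charon prints while loading a conn."""
    settings: Dict[str, str] = {}
    for line in log.splitlines():
        m = CONF_RE.search(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def weak_ike_algorithms(proposal: str) -> List[str]:
    """Transforms of an 'ALG/ALG/...' IKE proposal that are on the weak list."""
    return [t for t in proposal.split("/") if t in WEAK_IKE_ALGS]


def default_proposal_appended(ike_setting: str) -> bool:
    """charon appends its default IKE proposal unless ike= ends with '!'."""
    return not ike_setting.rstrip().endswith("!")


def diagnose(log: str) -> Dict[str, object]:
    """Extract the selected proposal, the authentication actually performed and
    the constraint that rejected it, then derive a list of findings."""
    settings = parse_conn_settings(log)
    selected = auth_method = auth_id = constraint = None
    client_sent_auth = False
    for line in log.splitlines():
        if (m := SELECTED_RE.search(line)):
            selected = m.group(1)
        elif (m := AUTH_RE.search(line)):
            auth_id, auth_method = m.group(1), m.group(2)
        elif (m := CONSTRAINT_RE.search(line)):
            constraint = m.group(1)
        elif (m := IKE_AUTH_RE.search(line)):
            # RFC 7296 2.16: a peer requesting EAP omits AUTH from its first
            # IKE_AUTH request, so a present AUTH payload means direct auth.
            client_sent_auth = "AUTH" in m.group(1).split()

    findings: List[str] = []
    weak = weak_ike_algorithms(selected) if selected else []
    if weak:
        findings.append("weak-ike-proposal")
    if "ike" in settings and default_proposal_appended(settings["ike"]):
        findings.append("default-proposal-appended")
    if settings.get("rightauth", "").startswith("eap") and client_sent_auth:
        findings.append("auth-mismatch")

    return {
        "settings": settings,
        "selected_proposal": selected,
        "weak_algorithms": weak,
        "client_sent_auth_payload": client_sent_auth,
        "auth_method": auth_method,
        "auth_identity": auth_id,
        "constraint_failure": constraint,
        "findings": findings,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, `diagnose` reports all three findings: the selected proposal contains 3DES_CBC and MODP_1024, the ike= line has no trailing "!" so the default proposal was in play, and a conn with rightauth=eap-mschapv2 received an IKE_AUTH request that already carried an AUTH payload (the peer authenticated with the pre-shared key instead of asking for EAP), which is exactly the situation the "constraint check failed: EAP identity '%any' required" line describes.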

