[strongSwan] Failing to login due to constraint check failed

Martin Willi martin at strongswan.org
Wed May 27 15:28:33 CEST 2015


Hi,

> What I don't understand is why it is failing on EAP identity when I clearly 
> defined 'eap_identity=%any'

> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]

> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) 
> authentication of '%any' with pre-shared key 
> constraint check failed: EAP identity '%any' required

Your client does not initiate EAP, but authenticates with a pre-shared
key. It does not provide an EAP-Identity matching "%any", as no
EAP-Identity is exchanged at all.

If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled,
see [1].

Regards
Martin

[1]https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile



More information about the Users mailing list