[strongSwan] Failing to login due to constraint check failed

Gilad Novik gilad at hola.org
Wed May 27 15:55:48 CEST 2015


Hi,

Thanks for your answer. I do set the extended authentication (I do it 
programmatically):

         #import <NetworkExtension/NetworkExtension.h>

         NEVPNProtocolIKEv2* p = [[NEVPNProtocolIKEv2 alloc] init];
         // BOOL property: assign the C constant YES, not the NSNumber literal @YES
         p.useExtendedAuthentication = YES;
         p.username = @"gilad";
         p.passwordReference = < password data >;     // NSData keychain persistent reference
         p.serverAddress = @"1.2.3.4";
         p.authenticationMethod = NEVPNIKEAuthenticationMethodSharedSecret;
         p.sharedSecretReference = < secret data >;   // NSData keychain persistent reference
         p.localIdentifier = @"gilad";
         p.remoteIdentifier = @"vpn.domain.org";
         p.disconnectOnSleep = NO;

It is working when I use a profile, but I'm trying to set the connection 
manually within my iOS app.

It might be a bug with Apple's SDK, although it states:

/*!
 * @property useExtendedAuthentication
 * @discussion A flag indicating if extended authentication will be negotiated. This
 *   authentication is in addition to the IKE authentication used to authenticate the
 *   endpoints of the IKE session.
 *   For IKE version 1, when this flag is set X-Auth authentication will be negotiated
 *   as part of the IKE session, using the username and password properties as the
 *   credential.
 *   For IKE version 2, when this flag is set EAP authentication will be negotiated as
 *   part of the IKE session, using the username, password, and/or identity properties
 *   as the credential depending on which EAP method the server requires.
 */
@property BOOL useExtendedAuthentication NS_AVAILABLE(10_10, 8_0);


In that case, how can I configure the server to accept connections from my 
iOS app?

Thanks,
Gilad


On 2015-05-27 16:28, Martin Willi wrote:
> Hi,
> 
>> What I don't understand is why it is failing on EAP identity when I clearly
>> defined 'eap_identity=%any'
> 
>> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> N(MULT_AUTH) ]
> 
>> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS 
>> MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
>> authentication of '%any' with pre-shared key
>> constraint check failed: EAP identity '%any' required
> 
> Your client does not initiate EAP, but authenticates with a pre-shared
> key. It does not provide an EAP-Identity matching "%any", as no
> EAP-Identity is exchanged at all.
> 
> If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled,
> see [1].
> 
> Regards
> Martin
> 
> [1]https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
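
For readers hitting the same log lines, here is the server side of the mismatch Martin describes, as an added example (not from this thread or the strongSwan wiki). charon selects the conn whose authentication constraints match what the peer actually does, so a server that only defines an EAP conn rejects a client that authenticates with a pre-shared key with exactly the "EAP identity '%any' required" error; the certificate and key file names, the address pool and the secret values below are placeholders.

```conf
# /etc/ipsec.conf (strongSwan 5.x) - added example, placeholder names throughout
config setup

conn %default
    keyexchange=ikev2
    left=%any
    leftid=vpn.domain.org
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.0.0/24
    auto=add

# Client negotiates EAP (ExtendedAuthEnabled in a profile, useExtendedAuthentication
# in the API): the server authenticates with its certificate and requires an
# EAP identity. A PSK client never sends one, hence the failed constraint check.
conn ios-eap
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    eap_identity=%any

# Client authenticates with a pre-shared key ("authentication of '%any' with
# pre-shared key" in the log): only a conn with rightauth=psk matches it.
conn ios-psk
    leftauth=psk
    rightauth=psk

# /etc/ipsec.secrets - one entry per authentication method offered above
: RSA serverKey.pem
vpn.domain.org %any : PSK "<shared secret placeholder>"
gilad : EAP "<password placeholder>"
```

Keeping only the conn that matches the client's real behaviour is preferable to offering both, since the PSK conn lets any peer that knows the group secret connect without per-user credentials.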

