[strongSwan] Failing to login due to constraint check failed
gilad at hola.org
Wed May 27 15:55:48 CEST 2015
Thanks for your answer. I do set the extended authentication (I do it
```objectivec
#import <NetworkExtension/NetworkExtension.h>

// Manual IKEv2 setup from inside the app (the profile-based setup works,
// this one fails with the constraint check error on the server).
NEVPNProtocolIKEv2 *p = [[NEVPNProtocolIKEv2 alloc] init];
// The property is a plain BOOL, so use YES rather than the NSNumber literal @YES.
p.useExtendedAuthentication = YES;             // ask for EAP on top of IKE auth
p.username = @"gilad";                         // EAP identity / user name
p.passwordReference = < password data >;       // keychain persistent reference
p.serverAddress = @"220.127.116.11";
p.authenticationMethod = NEVPNIKEAuthenticationMethodSharedSecret; // IKE auth with PSK
p.sharedSecretReference = < secret data >;     // keychain persistent reference
p.localIdentifier = @"gilad";                  // IDi sent in IKE_AUTH
p.remoteIdentifier = @"vpn.domain.org";        // expected IDr of the server
p.disconnectOnSleep = NO;
```
It is working when I use a profile, but I'm trying to set the connection
manually within my iOS app.
It might be a bug with Apple's SDK, although it states:
```objectivec
/*!
 * @property useExtendedAuthentication
 * @discussion A flag indicating if extended authentication will be
 * negotiated. This authentication is in addition to the IKE authentication used
 * to authenticate the endpoints of the IKE session.
 * For IKE version 1, when this flag is set X-Auth authentication will be
 * negotiated as part of the IKE session, using the username and password
 * properties as the credential.
 * For IKE version 2, when this flag is set EAP authentication will be
 * negotiated as part of the IKE session, using the username, password, and/or
 * identity properties as the credential depending on which EAP method the
 */
@property BOOL useExtendedAuthentication NS_AVAILABLE(10_10, 8_0);
```
In that case, how can I configure the server to accept connections from my
On 2015-05-27 16:28, Martin Willi wrote:
>> What I don't understand is why it is failing on EAP identity when I clearly
>> defined 'eap_identity=%any'
>> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(MULT_AUTH) ]
>> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS
>> MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
>> authentication of '%any' with pre-shared key
>> constraint check failed: EAP identity '%any' required
> Your client does not initiate EAP, but authenticates with a pre-shared
> key. It does not provide an EAP-Identity matching "%any", as no
> EAP-Identity is exchanged at all.
> If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled,
> see .
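For the server side of what Martin describes (EAP-MSCHAPv2 for the iOS client, with the eap_identity=%any constraint that the quoted log trips over), here is an added strongSwan configuration that is not part of this thread; the certificate and key file names, the address pool and the password are assumptions.

```ini
# /etc/ipsec.conf (strongSwan responder)
conn ios-eap
    keyexchange=ikev2
    # The server authenticates with a certificate, as IKEv2 requires
    # of the responder when the initiator uses EAP.
    left=%any
    # Must match the client's remoteIdentifier.
    leftid=vpn.domain.org
    # Assumed file names under /etc/ipsec.d/certs.
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    # The client authenticates with EAP-MSCHAPv2 only; no PSK is involved.
    right=%any
    rightauth=eap-mschapv2
    # Assumed virtual IP pool for connected clients.
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    # Accept whatever EAP identity the client sends and look it up in
    # ipsec.secrets. A peer that sends AUTH with a pre-shared key never
    # exchanges an EAP-Identity at all, which is what
    # "constraint check failed: EAP identity '%any' required" reports.
    eap_identity=%any
    auto=add

# /etc/ipsec.secrets
# Assumed key file name under /etc/ipsec.d/private.
: RSA serverKey.pem
# EAP credential, looked up by the identity the client sends (constructed value).
gilad : EAP "constructed-password"
```

With this conn a client that still sends AUTH with a pre-shared key fails exactly as in the quoted log, so the client must be switched to EAP rather than the server relaxed to PSK.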