[strongSwan] Failing to login due to constraint check failed

Gilad Novik gilad at hola.org
Wed May 27 17:33:23 CEST 2015


Same code now fails on EAP authentication (username/password are valid):


May 27 11:29:08 16[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 27 11:29:08 16[CFG] <2> looking for an ike config for 1.2.3.4...5.6.7.8
May 27 11:29:08 16[CFG] <2>   candidate: %any...%any, prio 28
May 27 11:29:08 16[CFG] <2> found matching ike config: %any...%any with prio 28
May 27 11:29:08 16[IKE] <2> 5.6.7.8 is initiating an IKE_SA
May 27 11:29:08 16[CFG] <2> selecting proposal:
May 27 11:29:08 16[CFG] <2>   no acceptable ENCRYPTION_ALGORITHM found
May 27 11:29:08 16[CFG] <2> selecting proposal:
May 27 11:29:08 16[CFG] <2>   no acceptable DIFFIE_HELLMAN_GROUP found
May 27 11:29:08 16[CFG] <2> selecting proposal:
May 27 11:29:08 16[CFG] <2>   proposal matches
May 27 11:29:08 16[CFG] <2> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 11:29:08 16[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
May 27 11:29:08 16[CFG] <2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 11:29:08 16[IKE] <2> remote host is behind NAT
May 27 11:29:08 16[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 27 11:29:08 16[NET] <2> sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (308 bytes)
May 27 11:29:08 04[NET] <2> received packet: from 5.6.7.8[55146] to 1.2.3.4[4500] (316 bytes)
May 27 11:29:08 04[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 27 11:29:08 04[CFG] <2> looking for peer configs matching 1.2.3.4[vpn.domain.org]...5.6.7.8[gilad]
May 27 11:29:08 04[CFG] <2>   candidate "ios8", match: 20/1/28 (me/other/ike)
May 27 11:29:08 04[CFG] <ios8|2> selected peer config 'ios8'
May 27 11:29:08 04[IKE] <ios8|2> initiating EAP_IDENTITY method (id 0x00)
May 27 11:29:08 04[IKE] <ios8|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 27 11:29:08 04[IKE] <ios8|2> authentication of 'vpn.domain.org' (myself) with pre-shared key
May 27 11:29:08 04[ENC] <ios8|2> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
May 27 11:29:08 04[NET] <ios8|2> sending packet: from 1.2.3.4[4500] to 5.6.7.8[55146] (116 bytes)
May 27 11:29:08 03[NET] <ios8|2> received packet: from 5.6.7.8[55146] to 1.2.3.4[4500] (68 bytes)
May 27 11:29:08 03[ENC] <ios8|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 27 11:29:08 03[IKE] <ios8|2> received EAP identity 'gilad'
May 27 11:29:08 03[IKE] <ios8|2> initiating EAP_MSCHAPV2 method (id 0x71)
May 27 11:29:08 03[ENC] <ios8|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 27 11:29:08 03[NET] <ios8|2> sending packet: from 1.2.3.4[4500] to 5.6.7.8[55146] (100 bytes)
May 27 11:29:08 02[NET] <ios8|2> received packet: from 5.6.7.8[55146] to 1.2.3.4[4500] (68 bytes)
May 27 11:29:08 02[ENC] <ios8|2> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
May 27 11:29:08 02[IKE] <ios8|2> received EAP_NAK, sending EAP_FAILURE
May 27 11:29:08 02[ENC] <ios8|2> generating IKE_AUTH response 3 [ EAP/FAIL ]
May 27 11:29:08 02[NET] <ios8|2> sending packet: from 1.2.3.4[4500] to 5.6.7.8[55146] (68 bytes)



I'm completely lost here: why wasn't it sending the identity before but does send it now? And why does authentication fail?

-Gilad


On 2015-05-27 16:28, Martin Willi wrote:
> Hi,
> 
>> What I don't understand is why it is failing on EAP identity when I clearly
>> defined 'eap_identity=%any'
> 
>> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> N(MULT_AUTH) ]
> 
>> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS 
>> MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
>> authentication of '%any' with pre-shared key
>> constraint check failed: EAP identity '%any' required
> 
> Your client does not initiate EAP, but authenticates with a pre-shared
> key. It does not provide an EAP-Identity matching "%any", as no
> EAP-Identity is exchanged at all.
> 
> If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled,
> see [1].
> 
> Regards
> Martin
> 
> [1]https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
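A log-triage helper for the exchange above, added here as an illustration and not part of this thread or of strongSwan: it groups charon lines by IKE_SA, records which EAP methods the server offered and which one the client answered with EAP_NAK, and flags weak algorithms in the selected proposal. The sample lines are a constructed subset of the log quoted above, and WEAK_ALGS is an assumed list of my own.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed subset of the charon lines quoted in the thread.
SAMPLE_LOG = """\
May 27 11:29:08 16[CFG] <2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 27 11:29:08 04[IKE] <ios8|2> initiating EAP_IDENTITY method (id 0x00)
May 27 11:29:08 03[IKE] <ios8|2> received EAP identity 'gilad'
May 27 11:29:08 03[IKE] <ios8|2> initiating EAP_MSCHAPV2 method (id 0x71)
May 27 11:29:08 02[ENC] <ios8|2> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
May 27 11:29:08 02[IKE] <ios8|2> received EAP_NAK, sending EAP_FAILURE
"""

# Line shape: "<month> <day> <time> <thread>[<group>] <[conn|]sa-id> <message>"
LINE_RE = re.compile(r"^\w+ +\d+ [\d:]+ \d+\[\w+\] <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$")
# Assumed list: algorithms that should not appear in a selected IKE proposal today.
WEAK_ALGS = ("3DES_CBC", "MODP_768", "MODP_1024", "HMAC_MD5_96", "PRF_HMAC_MD5")


def analyze(log_text):
    # Group charon lines by IKE_SA id and reconstruct the EAP negotiation.
    sas = defaultdict(lambda: {"conn": None, "proposal": None, "eap_identity": None,
                               "eap_methods": [], "nak_rejected": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        st, msg = sas[m["sa"]], m["msg"]
        if m["conn"]:
            st["conn"] = m["conn"]
        if msg.startswith("selected proposal: "):
            st["proposal"] = msg.split(": ", 1)[1]
        elif (mm := re.match(r"initiating (\w+) method", msg)):
            st["eap_methods"].append(mm.group(1))
        elif (mm := re.match(r"received EAP identity '([^']*)'", msg)):
            st["eap_identity"] = mm.group(1)
        elif msg.startswith("received EAP_NAK"):
            # The NAK answers the method the server offered most recently.
            st["nak_rejected"] = st["eap_methods"][-1] if st["eap_methods"] else "?"
    return dict(sas)


def findings(sas):
    # Turn per-SA state into diagnostics an operator can act on.
    out = []
    for sa, st in sas.items():
        who = f"IKE_SA {sa} ({st['conn'] or 'no peer config'})"
        if st["nak_rejected"]:
            out.append(f"{who}: client answered {st['nak_rejected']} with EAP_NAK, so it "
                       "does not accept that EAP method (iOS: check ExtendedAuthEnabled)")
        weak = [a for a in WEAK_ALGS if st["proposal"] and a in st["proposal"]]
        if weak:
            out.append(f"{who}: selected proposal uses weak {'/'.join(weak)}; tighten ike=")
    return out
```

Run it over a full charon log (one IKE_SA per `<conn|id>` tag) to see, per connection attempt, which EAP method the client refused instead of reading the exchange by hand.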

