[strongSwan] Failing to login due to constraint check failed

Martin Willi martin at strongswan.org
Thu May 28 08:35:08 CEST 2015

> why it wasn't sending identity before but does sent it now?

The client now offers EAP authentication by omitting the AUTH payload in
the first IKE_AUTH exchange. This allows the server to trigger the
EAP-Identity exchange, followed by EAP-MSCHAPv2.

>  and why does authentication fail?

The client rejects the EAP-MSCHAPv2 method with EAP-NAK. It is
configured to use something else or does not support it. AFAIK iOS
supports EAP-MSCHAPv2, so most likely this is a client configuration


More information about the Users mailing list