[strongSwan] EAP-MD5 failed with "inacceptable: constraint checking failed"

Yuko Katori k10lie.gm at gmail.com
Mon Oct 12 18:29:44 CEST 2015


Hi,

I'm trying to setup EAP-MD5 with Freeradius(3.0.10).
The server sends Challenge to this strongswan(5.3.3) but, the
strongswan is throwing the following error.
# I don't use cert here.

I'm not sure about "selected peer config 'xxx' inacceptable:
constraint checking failed".
It doesn't seem to be correct to configure "rightauth=psk" and
"leftauth=eap" instead too. <<< Just only configured.

Excuse me, is there any misconfiguration?

---
Oct 13 01:19:48 test charon: 04[IKE] authentication of '11.33.116.1'
with pre-shared key successful
Oct 13 01:19:48 test charon: 04[CFG] constraint requires public key
authentication, but pre-shared key was used
Oct 13 01:19:48 test charon: 04[CFG] selected peer config
'eap-md5-rsa' inacceptable: constraint checking failed
Oct 13 01:19:48 test charon: 04[CFG] no alternative config found
Oct 13 01:19:48 test charon: 04[ENC] generating INFORMATIONAL request
2 [ N(AUTH_FAILED) ]
Oct 13 01:19:48 test charon: 04[NET] sending packet: from
9.17.196.10[500] to 11.33.116.1[500] (76 bytes)
Oct 13 01:19:48 test charon: 04[IKE] IKE_SA eap-md5-rsa[1] state
change: CONNECTING => DESTROYING


root at test:/usr/local/etc# cat ipsec.conf
config setup
        charondebug="ike 4, chd 4"

conn %default
        ikelifetime=180m
        keylife=90m
        keyexchange=ikev2
        ike = aes128-sha1-modp1024
        esp = aes128-sha1
        mobike = no
        reauth = no

conn eap-md5-rsa
        left=9.17.196.10
        leftsourceip=%config
        leftid=test1 at xxx
        leftauth=eap-md5
        right=11.33.116.1
        rightsubnet=3.1.1.1/32
        rightauth=pubkey
        auto=add

root at test:/usr/local/etc# cat ipsec.secrets
test1 at xxx : EAP "test"

Kind regards,

YK


More information about the Users mailing list