[strongSwan] EAP-MD5 failed with "inacceptable: constraint checking failed"
Andreas Steffen
andreas.steffen at strongswan.org
Mon Oct 12 21:52:18 CEST 2015
Hi Yuko,
If EAP-MD5 is used for client authentication then the IKEv2 RFC
7296 mandates that the VPN server authentication must be based on
public key authentication using a server certificate:
2.16. Extensible Authentication Protocol Methods
In addition to authentication using public key signatures and shared
secrets, IKE supports authentication using methods defined in
RFC 3748 [EAP]. Typically, these methods are asymmetric (designed
for a user authenticating to a server), and they may not be mutual.
For this reason, these protocols are typically used to authenticate
the initiator to the responder and MUST be used in conjunction with a
public-key-signature-based authentication of the responder to the
initiator.
Thus PSK-based authentication is not permitted!
Best regards
Andreas
On 10/12/2015 06:29 PM, Yuko Katori wrote:
> Hi,
>
> I'm trying to set up EAP-MD5 with FreeRADIUS (3.0.10).
> The server sends a Challenge to this strongSwan (5.3.3), but
> strongSwan is throwing the following error.
> # I don't use a cert here.
>
> I'm not sure about "selected peer config 'xxx' inacceptable:
> constraint checking failed".
> It doesn't seem to be correct to configure "rightauth=psk" and
> "leftauth=eap" instead too. <<< Just only configured.
>
> Excuse me, is there any misconfiguration?
>
> ---
> Oct 13 01:19:48 test charon: 04[IKE] authentication of '11.33.116.1'
> with pre-shared key successful
> Oct 13 01:19:48 test charon: 04[CFG] constraint requires public key
> authentication, but pre-shared key was used
> Oct 13 01:19:48 test charon: 04[CFG] selected peer config
> 'eap-md5-rsa' inacceptable: constraint checking failed
> Oct 13 01:19:48 test charon: 04[CFG] no alternative config found
> Oct 13 01:19:48 test charon: 04[ENC] generating INFORMATIONAL request
> 2 [ N(AUTH_FAILED) ]
> Oct 13 01:19:48 test charon: 04[NET] sending packet: from
> 9.17.196.10[500] to 11.33.116.1[500] (76 bytes)
> Oct 13 01:19:48 test charon: 04[IKE] IKE_SA eap-md5-rsa[1] state
> change: CONNECTING => DESTROYING
>
>
> root at test:/usr/local/etc# cat ipsec.conf
> config setup
>     charondebug="ike 4, chd 4"
>
> conn %default
>     ikelifetime=180m
>     keylife=90m
>     keyexchange=ikev2
>     ike = aes128-sha1-modp1024
>     esp = aes128-sha1
>     mobike = no
>     reauth = no
>
> conn eap-md5-rsa
>     left=9.17.196.10
>     leftsourceip=%config
>     leftid=test1 at xxx
>     leftauth=eap-md5
>     right=11.33.116.1
>     rightsubnet=3.1.1.1/32
>     rightauth=pubkey
>     auto=add
>
> root at test:/usr/local/etc# cat ipsec.secrets
> test1 at xxx : EAP "test"
>
> Kind regards,
>
> YK
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
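The rule Andreas quotes (EAP on one side requires public-key authentication of the other side) can be checked before charon ever reports "constraint requires public key authentication, but pre-shared key was used". The script below is an added example, not strongSwan code: it parses an ipsec.conf in the format shown in the thread (with conn %default inheritance), flags any conn whose leftauth/rightauth pairing violates RFC 7296 section 2.16, and extracts the required/used pair from the charon constraint log line. The sample config is constructed from the posted one plus a second conn for the rightauth=psk variant Yuko mentions; treating an unspecified leftauth/rightauth as pubkey (strongSwan's default authby) is an assumption made here.

```python
"""Lint an ipsec.conf for the RFC 7296 section 2.16 rule: a conn that
authenticates one peer with EAP must authenticate the other peer with a
public key (certificate), never with a pre-shared key."""

import re

# Constructed sample: the client config from the thread, plus the PSK
# variant the original poster says was also tried.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 4, chd 4"

conn %default
    ikelifetime=180m
    keylife=90m
    keyexchange=ikev2
    ike = aes128-sha1-modp1024
    esp = aes128-sha1
    mobike = no
    reauth = no

conn eap-md5-rsa
    left=9.17.196.10
    leftsourceip=%config
    leftid=test1@xxx
    leftauth=eap-md5
    right=11.33.116.1
    rightsubnet=3.1.1.1/32
    rightauth=pubkey
    auto=add

conn eap-md5-psk
    left=9.17.196.10
    leftauth=eap-md5
    right=11.33.116.1
    rightauth=psk
    auto=add
"""

# Charon lines copied from the thread's log excerpt.
SAMPLE_LOG = [
    "Oct 13 01:19:48 test charon: 04[IKE] authentication of '11.33.116.1' "
    "with pre-shared key successful",
    "Oct 13 01:19:48 test charon: 04[CFG] constraint requires public key "
    "authentication, but pre-shared key was used",
]

CONSTRAINT_RE = re.compile(
    r"\[CFG\] constraint requires (?P<required>.+?) authentication, "
    r"but (?P<used>.+?) was used"
)


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section, with the
    'conn %default' values merged in (explicit keys in the conn win).
    Section headers start at column 0; keys are indented. '#' comments
    and blank lines are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():               # "config setup" / "conn name"
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    conns = {}
    for name, values in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(default)
            merged.update(values)
            conns[name[len("conn "):]] = merged
    return conns


def lint_eap_auth(conns):
    """Return (conn_name, message) findings for every conn where one side
    uses an EAP method and the other side is not configured for pubkey.
    Assumption: a missing leftauth/rightauth means the strongSwan default
    authby=pubkey, so only explicit non-pubkey values are flagged."""
    findings = []
    for name, c in conns.items():
        for local, remote in (("left", "right"), ("right", "left")):
            local_auth = c.get(f"{local}auth", "pubkey")
            remote_auth = c.get(f"{remote}auth", "pubkey")
            if local_auth.startswith("eap") and remote_auth != "pubkey":
                findings.append((name,
                    f"{local}auth={local_auth} requires {remote}auth=pubkey "
                    f"(RFC 7296 section 2.16), found {remote}auth={remote_auth}"))
    return findings


def explain_constraint_failures(log_lines):
    """For each charon '[CFG] constraint requires ...' line, return the
    (required, used) pair: what the local peer config demanded of the
    remote peer and how the remote peer actually authenticated."""
    return [(m.group("required"), m.group("used"))
            for m in map(CONSTRAINT_RE.search, log_lines) if m]


if __name__ == "__main__":
    for conn, msg in lint_eap_auth(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print(f"conn {conn}: {msg}")
    for required, used in explain_constraint_failures(SAMPLE_LOG):
        print(f"peer config demanded {required} auth, remote used {used}")
```

Note that the config lint only catches the rightauth=psk variant; the posted eap-md5-rsa conn is correct on the client side, and the constraint failure in the log comes from the server authenticating with a PSK, so the fix there is a server certificate on the responder rather than a change to this ipsec.conf.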