[strongSwan] Strange message sent in IKEv2 EAP
RICHARD, Denis (Denis)** CTR **
Denis.Richard at alcatel-lucent.com
Tue Sep 22 17:02:16 CEST 2015
Hello all,
I am trying to set a VPN between Strongswan (5.3.3) on Linux and a Fortigate 60D (FortiOS 5.2.4), in IKEv2 EAP identity.
The Fortigate sends the EAP_IDENTITY and Strongswan answers with EAP_IDENTITY.
When eap_identity is 172.26.185.1, the EAP_IDENTITY message length is 96 bytes (see strongSwan traces):
Sep 22 16:32:04 (none) charon: 09[NET] received packet: from 172.26.185.50[4500] to 172.26.185.82[4500] (192 bytes)
Sep 22 16:32:04 (none) charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Sep 22 16:32:04 (none) charon: 09[IKE] authentication of '172.26.185.50' with pre-shared key successful
Sep 22 16:32:04 (none) charon: 09[IKE] server requested EAP_IDENTITY (id 0x2A), sending '172.26.185.1'
Sep 22 16:32:04 (none) charon: 09[IKE] reinitiating already active tasks
Sep 22 16:32:04 (none) charon: 09[IKE] IKE_AUTH task
Sep 22 16:32:04 (none) charon: 09[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 22 16:32:04 (none) charon: 09[NET] sending packet: from 172.26.185.82[4500] to 172.26.185.50[4500] (96 bytes)
Sep 22 16:32:04 (none) charon: 04[NET] sending packet: from 172.26.185.82[4500] to 172.26.185.50[4500]
Sep 22 16:32:04 (none) charon: 09[MGR] checkin IKE_SA vpn_FGT[1]
Sep 22 16:32:04 (none) charon: 09[MGR] check-in of IKE_SA successful.
Sep 22 16:32:07 (none) charon: 10[MGR] checkout IKE_SA
But when received by Fortigate, the identity is wrong (fortigate traces):
2015-09-22 16:08:08 ike 0: comes 172.26.185.82:4500->10.0.0.2:4500,ifindex=5....
2015-09-22 16:08:08 ike 0: IKEv2 exchange=AUTH id=90a5f8b92f8ab9da/b2d3b9839ad56895:00000002 len=96
2015-09-22 16:08:08 ike 0: in 90A5F8B92F8AB9DAB2D3B9839AD568952E202308000000020000006030000044C6A08A5B75AFA1D9070798469318CE7F054CB250AF1A3D3D39F7AB5BB89405435CB93F27DEE89EFF7ABA2F7CD9A5D8AF4312B2D6697B7EB34DD9BADD4B62BDCD
2015-09-22 16:08:08 ike 0:poc:42: dec 90A5F8B92F8AB9DAB2D3B9839AD568952E202308000000020000002D300000040000000D022A000901AC1AB901
2015-09-22 16:08:08 ike 0:poc:42: responder received EAP msg
2015-09-22 16:08:08 ike 0:poc:42: send EAP message to FNBAM
2015-09-22 16:08:08 ike 0:poc:42: initiating EAP authentication
2015-09-22 16:08:08 ike 0:poc: EAP user "��"
When I change eap_identity to 172.26.185.A, the EAP_IDENTITY message length, sent by strongSwan, is 112 bytes:
Sep 22 16:24:02 (none) charon: 10[NET] received packet: from 172.26.185.50[4500] to 172.26.185.82[4500] (192 bytes)
Sep 22 16:24:02 (none) charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Sep 22 16:24:02 (none) charon: 10[IKE] authentication of '172.26.185.50' with pre-shared key successful
Sep 22 16:24:02 (none) charon: 10[IKE] server requested EAP_IDENTITY (id 0x28), sending '172.26.185.A'
Sep 22 16:24:02 (none) charon: 10[IKE] reinitiating already active tasks
Sep 22 16:24:02 (none) charon: 10[IKE] IKE_AUTH task
Sep 22 16:24:02 (none) charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 22 16:24:02 (none) charon: 10[NET] sending packet: from 172.26.185.82[4500] to 172.26.185.50[4500] (112 bytes)
Sep 22 16:24:02 (none) charon: 04[NET] sending packet: from 172.26.185.82[4500] to 172.26.185.50[4500]
Sep 22 16:24:02 (none) charon: 10[MGR] checkin IKE_SA vpn_FGT[1]
Sep 22 16:24:02 (none) charon: 10[MGR] check-in of IKE_SA successful.
Sep 22 16:24:05 (none) charon: 11[MGR] checkout IKE_SA
And, on the Fortigate, the eap_identity is received correctly:
2015-09-22 16:00:06 ike 0: comes 172.26.185.82:4500->10.0.0.2:4500,ifindex=5....
2015-09-22 16:00:06 ike 0: IKEv2 exchange=AUTH id=c583379a3f946357/953d7d30d37f1773:00000002 len=112
2015-09-22 16:00:06 ike 0: in C583379A3F946357953D7D30D37F17732E202308000000020000007030000054277F6F2974A652A7182F04E79E22EE87BC29BB3E168D409273D8396A5B1B33B5107CF299BFDF3DBBC8DEBD856D277C299A98770F6B7518AFFE87595F7EE892AD79960DB96CB20EB263E4508CE7DF11B9
2015-09-22 16:00:06 ike 0:poc:40: dec C583379A3F946357953D7D30D37F17732E2023080000000200000035300000040000001502280011013137322E32362E3138352E41
############ my comment: in ASCII 1 7 2 . 2 6 . 1 8 5 . A
2015-09-22 16:00:06 ike 0:poc:40: responder received EAP msg
2015-09-22 16:00:06 ike 0:poc:40: send EAP message to FNBAM
2015-09-22 16:00:06 ike 0:poc:40: initiating EAP authentication
2015-09-22 16:00:06 ike 0:poc: EAP user "172.26.185.A"
Why this length difference when only one char is modified? Is it normal?
Is the message sent correctly when eap_identity is set to "172.26.185.1"?
For info, when I set eap_identity to 172.26.185.82 (client IP address), the message sent also seems wrong, also with a size of 96 bytes.
For info (2), the ipsec.conf file used is:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="cfg 2, chd 2, dmn 2, esp 2, ike 2, knl 2, mgr 2, net 3"

# Add connections here.

conn %default
    keyexchange=ikev2

# Sample VPN connections

conn vpn_FGT
    left=172.26.185.82
    leftsourceip=%config
    leftauth=eap
    leftfirewall=yes
    leftid=172.26.185.82
    eap_identity=172.26.185.1
    auto=start
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    right=172.26.185.50
    rightsubnet=172.26.185.50/32
    rightid=%any
    rightauth=psk
Thanks and regards
Denis
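The two Fortigate "dec" lines quoted in the mail can be decoded to see exactly what each EAP-Response/Identity carries. The following is an added example, not code from the original post or from the strongSwan project: a small decoder for the IKEv2 header, the generic payload chain and the EAP Identity message, run over the two hex dumps exactly as they appear above.

```python
"""Decode the EAP Identity inside a decrypted IKEv2 IKE_AUTH message.

Added example: walks the two "dec" hex dumps from the Fortigate trace and
shows what identity bytes the 96-byte and the 112-byte messages carry.
"""
import ipaddress
import struct

IKE_HEADER_LEN = 28      # fixed IKEv2 header size (RFC 7296, section 3.1)
PAYLOAD_EAP = 48         # "next payload" value of the EAP payload
EAP_TYPE_IDENTITY = 1    # EAP Identity type (RFC 3748, section 5.1)

# Decrypted IKE_AUTH bodies copied from the two Fortigate "dec" trace lines.
DEC_IDENTITY_IP = bytes.fromhex(
    "90A5F8B92F8AB9DAB2D3B9839AD568952E202308000000020000002D"
    "300000040000000D022A000901AC1AB901")
DEC_IDENTITY_STR = bytes.fromhex(
    "C583379A3F946357953D7D30D37F17732E2023080000000200000035"
    "300000040000001502280011013137322E32362E3138352E41")


def find_payload(msg: bytes, wanted: int) -> bytes:
    """Walk the payload chain after the IKE header and return the body of
    the first payload whose type equals `wanted`."""
    if struct.unpack("!I", msg[24:28])[0] != len(msg):
        raise ValueError("IKE header length does not match message size")
    next_type = msg[16]              # "next payload" byte of the IKE header
    offset = IKE_HEADER_LEN
    while next_type != 0 and offset + 4 <= len(msg):
        following, _, length = struct.unpack("!BBH", msg[offset:offset + 4])
        if next_type == wanted:
            return msg[offset + 4:offset + length]
        next_type, offset = following, offset + length
    raise ValueError("payload type %d not present" % wanted)


def decode_eap_identity(msg: bytes) -> dict:
    """Return the EAP header fields and the identity data of the
    EAP-Response/Identity, rendered as text and as IPv4 where possible."""
    eap = find_payload(msg, PAYLOAD_EAP)
    code, ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity message")
    data = eap[5:length]
    text = data.decode("ascii") if data.isascii() else None
    return {"code": code, "id": ident, "length": length, "identity": data,
            "as_text": text if text is not None and text.isprintable() else None,
            "as_ipv4": str(ipaddress.IPv4Address(data)) if len(data) == 4 else None}


if __name__ == "__main__":
    for name, msg in (("96-byte", DEC_IDENTITY_IP), ("112-byte", DEC_IDENTITY_STR)):
        print(name, decode_eap_identity(msg))
```

For the 96-byte message the identity data is the four raw bytes AC 1A B9 01, that is 172.26.185.1 in network byte order rather than the ASCII string, while the 112-byte message carries the twelve ASCII bytes of 172.26.185.A; this is consistent with strongSwan parsing an identity that is a valid IP literal as an IPv4-address identity type instead of a text string.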