[strongSwan] Question on

Shreyas Heranjal shreyas at viptela.com
Thu Aug 3 00:11:30 CEST 2017


Hi!

I am trying to use strongswan for IKEv2.

The use case that I am stuck with is where strongswan acts as initiator and
Ixia acts as the responder.

Despite setting psk as the leftauth/rightauth method in the ipsec.conf
file, I see that the IKE_AUTH is sent in the Initiator request.

This is what the ike_auth message shows up as in strongswan:
"[ IDi IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) *N(EAP_ONLY)* N(MSG_ID_SYN_SUP) ]"

Shouldn't this be sent only if eap is enabled in the leftauth field? Looks
like it's the same issue with Cisco as well.

I spoke to the Ixia folks and this is what they had to say -
"After investigating this issue we found out as possible cause for it the
fact that the packet IKE_AUTH sent by initiator (strongswan or even your
sw) contains the EAP_ONLY payload.
  When IxLoad IPSec responder mode receives the IKE_AUTH packet containing
the EAP_ONLY payload, it does not insert the Authentication payload in its
IKE_AUTH response and this seems to make the initiator to send
Authentication Failed."

So, my question - Why is EAP_ONLY sent? Is this configurable not to send
it?

- Shreyas