[strongSwan] Question on
Shreyas Heranjal
shreyas at viptela.com
Thu Aug 3 00:11:30 CEST 2017
Hi!
I am trying to use strongswan for IKEv2.
The use case that I am stuck with is where strongswan acts as initiator and
Ixia acts as the responder.
Despite setting psk as the leftauth/rightauth method in the ipsec.conf
file, I see that the IKE_AUTH is sent in the Initiator request
This is what the ike_auth message shows up as in strongswan
"[ IDi IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) *N(EAP_ONLY)* N(MSG_ID_SYN_SUP) ]"
Shouldn't this be sent only if eap is enabled in the leftauth field? Looks
like its the same issue with Cisco as well.
I spoke to the Ixia folks and this is what they had to say -
"After investigating this issue we found out as possible cause for it the
fact that the packet IKE_AUTH sent by initiator (strongswan or even your
sw) contains the EAP_ONLY payload.
When IxLoad IPSec responder mode receives the IKE_AUTH packet containing
the EAP_ONLY payload, it does not insert the Authentication payload in its
IKE_AUTH response and this seems to make the initiator to send
Authentication Failed."
So, my question - What is EAP_ONLY sent? Is this configurable not to send
it?
- Shreyas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170802/5955261e/attachment.html>
More information about the Users
mailing list