[strongSwan] Question on
andreas.steffen at strongswan.org
Thu Aug 3 05:52:22 CEST 2017
N(EAP_ONLY) is just the announcement of the RFC 5998 Mutual EAP
capability and this notification is always sent by a strongSwan
initiator, even when it is doing PSK or public key based authentication.
EAP is only activated by the responder when the AUTH payload is missing
in the IKE_AUTH request which is clearly *not* the case in your example.

On 03.08.2017 00:11, Shreyas Heranjal wrote:
> I am trying to use strongswan for IKEv2.
> The use case that I am stuck with is where strongswan acts as
> initiator and Ixia acts as the responder.
> Despite setting psk as the leftauth/rightauth method in the ipsec.conf
> file, I see that the IKE_AUTH is sent in the Initiator request.
> This is what the ike_auth message shows up as in strongswan:
> "[ IDi IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
> N(MULT_AUTH) *N(EAP_ONLY)* N(MSG_ID_SYN_SUP) ]"
> Shouldn't this be sent only if eap is enabled in the leftauth field?
> Looks like it's the same issue with Cisco as well.
> I spoke to the Ixia folks and this is what they had to say -
> "After investigating this issue we found out as possible cause for it
> the fact that the packet IKE_AUTH sent by initiator (strongswan or even
> your sw) contains the EAP_ONLY payload.
> When IxLoad IPSec responder mode receives the IKE_AUTH packet
> containing the EAP_ONLY payload, it does not insert the Authentication
> payload in its IKE_AUTH response and this seems to make the initiator to
> send Authentication Failed."
> So, my question - Why is EAP_ONLY sent? Is this configurable not to
> send it?
> - Shreyas
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
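
Added example (not part of the original mail and not strongSwan code): a Python sketch of the responder-side rule described in the reply, walking a decrypted IKE_AUTH payload chain and choosing the authentication mode from the presence of the AUTH payload while treating the RFC 5998 notify only as a capability flag. The function names and sample bytes are constructed for illustration; the payload type numbers are from RFC 7296 and notify type 16417 from RFC 5998.

```python
import struct

# IKEv2 payload types (RFC 7296) and the RFC 5998 notify message type.
IDI, AUTH, NOTIFY = 35, 39, 41
EAP_ONLY_AUTHENTICATION = 16417

def build(payloads):
    """Encode [(type, body), ...] as a chained payload list (helper for sample input)."""
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return out

def walk(first_type, data):
    """Yield (payload_type, body) for each payload in a decrypted chain."""
    ptype, off = first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = nxt, off + length

def responder_auth_mode(first_type, data):
    """Return (mode, peer_announced_eap_only) for an IKE_AUTH request."""
    has_auth = eap_only = False
    for ptype, body in walk(first_type, data):
        if ptype == AUTH:
            has_auth = True
        elif ptype == NOTIFY and len(body) >= 4:
            _proto, _spi_size, ntype = struct.unpack_from("!BBH", body)
            eap_only |= ntype == EAP_ONLY_AUTHENTICATION
    # The notify never selects EAP by itself; only a missing AUTH payload does.
    return ("psk-or-pubkey" if has_auth else "eap"), eap_only

if __name__ == "__main__":
    # Constructed sample: IDi, AUTH (shared-key method, dummy MAC), N(EAP_ONLY).
    idi = b"\x02\x00\x00\x00initiator.example"
    auth = b"\x02\x00\x00\x00" + bytes(20)
    notify = struct.pack("!BBH", 0, 0, EAP_ONLY_AUTHENTICATION)
    req = build([(IDI, idi), (AUTH, auth), (NOTIFY, notify)])
    print(responder_auth_mode(IDI, req))
```

With the AUTH payload present the function reports a PSK or public-key exchange, so the responder has to return its own AUTH payload even though the notify was seen.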