[strongSwan] Question on

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 3 05:52:22 CEST 2017


Hi Shreyas,

N(EAP_ONLY) is just the announcement of the RFC 5998 Mutual EAP
capability and this notification is always sent by a strongSwan
initiator, even when it is doing PSK or public key based authentication.

EAP is only activated by the responder when the AUTH payload is missing
in the IKE_AUTH request, which is clearly *not* the case in your example.

Regards

Andreas

On 03.08.2017 00:11, Shreyas Heranjal wrote:
> Hi!
> 
> I am trying to use strongswan for IKEv2.
> 
> The use case that I am stuck with is where strongswan acts as
> initiator and Ixia acts as the responder.
> 
> Despite setting psk as the leftauth/rightauth method in the ipsec.conf
> file, I see that the IKE_AUTH is sent in the Initiator request
> 
> This is what the ike_auth message shows up as in strongswan
> "[ IDi IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
> N(MULT_AUTH) *N(EAP_ONLY)* N(MSG_ID_SYN_SUP) ]"
> 
> Shouldn't this be sent only if eap is enabled in the leftauth field?
> Looks like it's the same issue with Cisco as well.
> 
> I spoke to the Ixia folks and this is what they had to say - 
> "After investigating this issue we found out as possible cause for it
> the fact that the packet IKE_AUTH sent by initiator (strongswan or even
> your sw) contains the EAP_ONLY payload.
>   When IxLoad IPSec responder mode receives the IKE_AUTH packet
> containing the EAP_ONLY payload, it does not insert the Authentication
> payload in its IKE_AUTH response and this seems to make the initiator to
> send Authentication Failed."
> 
> So, my question - Why is EAP_ONLY sent? Is this configurable not to
> send it?
> 
> - Shreyas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
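
The rule stated in the reply above, as an added example that is not part of the original e-mail and is not strongSwan code: a responder decides on EAP from the absence of the AUTH payload, not from N(EAP_ONLY). The function names and the second sample line are assumptions made for illustration.

```python
import re

# Constructed inputs: the first payload list is the one quoted in the thread
# (with a charon-style log prefix added); the second is a constructed request
# that omits AUTH, as an EAP initiator would.
PSK_REQUEST = ("09[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH "
               "N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) "
               "N(MULT_AUTH) *N(EAP_ONLY)* N(MSG_ID_SYN_SUP) ]")
EAP_REQUEST = "09[ENC] generating IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(EAP_ONLY) ]"


def parse_payloads(line):
    """Split the '[ ... ]' payload summary into payloads and notify types."""
    m = re.search(r"\[ (.*) \]", line)   # '[ ' skips tags such as '[ENC]'
    if not m:
        raise ValueError("no payload summary in line")
    payloads, notifies = [], set()
    for tok in m.group(1).split():
        tok = tok.strip("*")             # drop e-mail emphasis markers
        n = re.fullmatch(r"N\((\w+)\)", tok)
        if n:
            notifies.add(n.group(1))
        else:
            payloads.append(tok)
    return payloads, notifies


def responder_decision(line):
    """Decide how a responder should treat an IKE_AUTH request (hypothetical helper)."""
    payloads, notifies = parse_payloads(line)
    eap_only = "EAP_ONLY" in notifies
    if "AUTH" in payloads:
        # Initiator already authenticated with PSK or a signature: no EAP,
        # and the response must carry the responder's own AUTH payload.
        # EAP_ONLY is only a capability announcement here and is ignored.
        return {"start_eap": False, "auth_in_response": "required",
                "eap_only_relevant": False}
    # No AUTH payload: the initiator asks for EAP. Only now does EAP_ONLY
    # matter: it lets the responder skip its own AUTH in the first response
    # (RFC 5998) if the EAP method provides mutual authentication.
    return {"start_eap": True,
            "auth_in_response": "optional" if eap_only else "required",
            "eap_only_relevant": eap_only}


if __name__ == "__main__":
    for sample in (PSK_REQUEST, EAP_REQUEST):
        print(responder_decision(sample))
```

A responder that drops its AUTH payload for the first sample line reproduces the authentication failure described in the quoted message.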
