[strongSwan] EAP-AKA failure: AKA_SYNCHRONIZATION_FAILURE

Tomasz Osiński osinstom at gmail.com
Sat Apr 20 15:15:09 CEST 2019


Hello,

I am trying to configure StrongSwan as the EPDG server. I have a
programmable SIM provisioned with Ki and OPc. The SIM card is inserted into
a commercial Samsung S7 phone. I am able to reach the last phase of IKE_AUTH,
but in the last step the EPDG received AKA_SYNCHRONIZATION_FAILURE from the
phone.

The logs:

Apr 20 14:49:24 osinstom charon: 11[NET] received packet: from
192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)
Apr 20 14:49:24 osinstom charon: 11[ENC] parsed IKE_AUTH request 3 [
EAP/RES/AKA ]
Apr 20 14:49:24 osinstom charon: 11[IKE] received synchronization request,
retrying...

<New EAP-AKA challenge here>

Apr 20 14:49:24 osinstom charon: 11[ENC] generating IKE_AUTH response 3 [
EAP/REQ/AKA ]
Apr 20 14:49:24 osinstom charon: 11[NET] sending packet: from
192.168.137.194[4500] to 192.168.137.201[38316] (220 bytes)
Apr 20 14:49:24 osinstom charon: 11[MGR] checkin IKE_SA rw-eap-aka[3]
Apr 20 14:49:24 osinstom charon: 11[MGR] checkin of IKE_SA successful
Apr 20 14:49:24 osinstom charon: 12[MGR] checkout IKEv2 SA by message with
SPIs 3899f3d11866ced7_i 86c88ba05f31461b_r
Apr 20 14:49:24 osinstom charon: 12[MGR] IKE_SA rw-eap-aka[3] successfully
checked out
Apr 20 14:49:24 osinstom charon: 12[NET] received packet: from
192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)
Apr 20 14:49:24 osinstom charon: 12[ENC] parsed IKE_AUTH request 4 [
EAP/RES/AKA ]
Apr 20 14:49:24 osinstom charon: 12[IKE] received
AKA_SYNCHRONIZATION_FAILURE, but peer did already resynchronize
Apr 20 14:49:24 osinstom charon: 12[IKE] EAP method EAP_AKA failed for peer
0260060000000001 at 16-2D-27-E0-D2-BF:nai.epc.mncXXX.mccXXX.3gppnetwork.org
Apr 20 14:49:24 osinstom charon: 12[ENC] generating IKE_AUTH response 4 [
EAP/FAIL ]
Apr 20 14:49:24 osinstom charon: 12[NET] sending packet: from
192.168.137.194[4500] to 192.168.137.201[38316] (76 bytes)
Apr 20 14:49:24 osinstom charon: 12[MGR] checkin and destroy IKE_SA
rw-eap-aka[3]
Apr 20 14:49:24 osinstom charon: 12[IKE] IKE_SA rw-eap-aka[3] state change:
CONNECTING => DESTROYING

I am using the following ipsec.conf:

conn rw-eap-aka
    left=192.168.137.194
    leftsubnet=192.168.137.0/24
    leftid=keyid:ims
    eap_identity=ims
    leftauth=eap
    leftfirewall=yes
    right=%any
    rightid=0260060000000001 at 16-2D-27-E0-D2-BF:nai.epc.mnc006.mcc260.3gppnetwork.org
    rightsendcert=never
    rightauth=eap-aka
    auto=add
    ike=aes256-sha1-modp8192,3des-sha1-modp8192!
    esp=aes256-sha1,3des-sha1!

As you can see, the server first received AKA_SYNCHRONIZATION_FAILURE and
sent a new EAP-AKA challenge, which is in line with the RFC. However, the phone
didn't accept the new AUTN and sent a synchronization failure again. Do you
have any idea why the phone is sending the AKA_SYNCHRONIZATION_FAILURE? I
didn't find any similar issue on the mailing list. The strange thing is
that the IKE authentication already worked for me, but it stopped. In the
meantime, I was changing some configuration parameters to deal with
another issue. Can this issue be caused by some configuration parameter?

Regards,
Tomek
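
Added example (not part of the original post and not strongSwan code): a Python triage script that rejoins wrapped charon log lines like the ones above and reports which IKE_SAs saw a resynchronization request followed by a second AKA_SYNCHRONIZATION_FAILURE. The sample log is constructed from the message formats in the post; the hostname "gw", the peer placeholder and the second SA are assumptions.

```python
import re

# Constructed sample modelled on the charon lines in the post; peer ID is a placeholder.
SAMPLE = """\
Apr 20 14:49:24 gw charon: 11[IKE] received synchronization request, retrying...
Apr 20 14:49:24 gw charon: 11[MGR] checkin IKE_SA rw-eap-aka[3]
Apr 20 14:49:24 gw charon: 12[IKE] received
AKA_SYNCHRONIZATION_FAILURE, but peer did already resynchronize
Apr 20 14:49:24 gw charon: 12[IKE] EAP method EAP_AKA failed for peer PEER-ID-PLACEHOLDER
Apr 20 14:49:24 gw charon: 12[MGR] checkin and destroy IKE_SA
rw-eap-aka[3]
Apr 20 14:50:02 gw charon: 07[IKE] received synchronization request, retrying...
Apr 20 14:50:02 gw charon: 07[MGR] checkin IKE_SA rw-eap-aka[4]
"""
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ charon: (\d+)\[\w+\] (.*)$")
SA_CHECKIN = re.compile(r"checkin (?:and destroy )?IKE_SA (\S+\[\d+\])")
EVENTS = {
    "resync": "received synchronization request, retrying",
    "resync_again": "AKA_SYNCHRONIZATION_FAILURE, but peer did already resynchronize",
    "failed": "EAP method EAP_AKA failed",
}

def unwrap(text):
    """Rejoin wrapped continuation lines onto the syslog record they belong to."""
    out = []
    for raw in text.splitlines():
        if LINE.match(raw) or not out:
            out.append(raw)
        else:
            out[-1] += " " + raw.strip()
    return out

def triage(text):
    """Map each IKE_SA to its EAP-AKA events, in log order."""
    # charon names the SA only on [MGR] lines, so events are held per worker
    # thread until that thread checks the SA back in.
    pending, per_sa = {}, {}
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m:
            continue
        thread, msg = m.groups()
        hits = [name for name, needle in EVENTS.items() if needle in msg]
        pending.setdefault(thread, []).extend(hits)
        if sa := SA_CHECKIN.search(msg):
            per_sa.setdefault(sa.group(1), []).extend(pending.pop(thread, []))
    return per_sa

def stuck_resync(text):
    """SAs where the peer requested resynchronization, then rejected the fresh challenge."""
    return sorted(sa for sa, ev in triage(text).items() if {"resync", "resync_again"} <= set(ev))
```

A single "resync" event on an SA is the normal recovery path; only the SAs returned by stuck_resync() show the failure described in this post.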