[strongSwan] EAP-AKA failure: AKA_SYNCHRONIZATION_FAILURE

Tomasz Osiński osinstom at gmail.com
Wed Apr 24 17:43:21 CEST 2019


Hi Tobias,

Thanks for your answer. The phone indicates an invalid value of SQN, see
the logs below:

04-20 13:23:11.242  1000  5204  5247 I eris    : 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
04-20 13:23:11.242  1000  5204  5247 I eris    : 14[DMN] simID : 0
04-20 13:23:11.316  1000  5204  5247 I eris    : 14[LIB] rossoneri get_quintuplet() EC_USIM_SYNC_FAILED
04-20 13:23:11.316  1000  5204  5247 I eris    : 14[LIB] rossoneri: resync()
*04-20 13:23:11.316  1000  5204  5247 I eris    : 14[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE*
04-20 13:23:11.317  1000  5204  5247 I eris    : 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/AKA ]
04-20 13:23:11.317  1000  5204  5247 I eris    : 14[NET] sending packet: from 192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)
04-20 13:23:11.344  1000  5204  5257 I eris    : 15[NET] received packet: from 192.168.137.194[4500] to 192.168.137.201[38316] (220 bytes)
04-20 13:23:11.344  1000  5204  5257 I eris    : 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/AKA ]
04-20 13:23:11.344  1000  5204  5257 I eris    : 15[DMN] simID : 0
04-20 13:23:11.414  1000  5204  5257 I eris    : 15[LIB] rossoneri get_quintuplet() EC_USIM_SYNC_FAILED
04-20 13:23:11.414  1000  5204  5257 I eris    : 15[LIB] rossoneri: resync()
04-20 13:23:11.414  1000  5204  5257 I eris    : 15[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE
04-20 13:23:11.415  1000  5204  5257 I eris    : 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/AKA ]
04-20 13:23:11.415  1000  5204  5257 I eris    : 15[NET] sending packet: from 192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)
04-20 13:23:11.446  1000  5204  5247 I eris    : 14[NET] received packet: from 192.168.137.194[4500] to 192.168.137.201[38316] (76 bytes)
04-20 13:23:11.446  1000  5204  5247 I eris    : 14[ENC] parsed IKE_AUTH response 4 [ EAP/FAIL ]
04-20 13:23:11.447  1000  5204  5247 I eris    : 14[IKE] received EAP_FAILURE, EAP authentication failed

Unfortunately, I am not able to get more detailed logs.

Regarding the plugin, I'm using eap-aka-3gpp, as it provides support for
the Milenage algorithm (the eap-aka-3gpp2 didn't work for me). Do you think
that the EPDG (strongswan) has been resynchronized? And because of
time-based SQN generation it generates the invalid SQN? How could we
potentially fix it?

Regards,
Tomek

On Wed, 24 Apr 2019 at 10:21, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Tomek,
>
> > However, the
> > phone didn't accept the new AUTN and sent synchronization failure again.
>
> Does it report the reason why it does so?
>
> > Do you have any idea why the phone is sending the
> > AKA_SYNCHRONIZATION_FAILURE?
>
> No.  You should really check the logs there to see why it does.
>
> > In the meanwhile, I was changing some
> > configuration parameters to deal with another issue. Can this issue be
> > caused by some configuration parameter?
>
> Maybe.  Without knowing what you changed it's hard to tell.
>
> Which plugin are you using on the server?  Because I noticed that the
> eap-aka-3gpp2 plugin (as compared to the eap-aka-3gpp plugin) does not
> increase SQN with each get_quintuplet() call, which seems like a bug.
> However, that should not have an effect right after the resync as that
> explicitly sets SQN to the supplied value + 1.  And I also saw that both
> plugins use a global, non-persistent and initially time-based SQN, which
> might not work well with multiple clients (in particular if they
> connect concurrently and/or resync).  So I guess these two plugins are
> really only intended for testing.
>
> Regards,
> Tobias
>
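
Added example, not part of the original message and not strongSwan code: a simplified C model of the server behaviour described in the quoted reply (one global SQN, increased on each get_quintuplet() call, set to the supplied value + 1 on resync), compared with a hypothetical per-subscriber counter. The USIM acceptance rule, the starting values 100/1000/5000 and the names server_t, usim_t, finish_auth and reconnect_failures are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not strongSwan code: the USIM accepts a challenge only if
 * its SQN exceeds the highest SQN it accepted before (no IND/delta handling). */
typedef struct { uint64_t sqn_ms; } usim_t;
typedef struct { uint64_t sqn[2]; int per_subscriber; } server_t;

/* Global mode: every client shares slot 0. Per-subscriber mode: own slot. */
static uint64_t *slot(server_t *s, int id) { return &s->sqn[s->per_subscriber ? id : 0]; }
/* As described in the thread: each get_quintuplet() call increases SQN. */
static uint64_t get_quintuplet(server_t *s, int id) { return ++*slot(s, id); }
/* As described in the thread: resync sets SQN to the supplied value + 1. */
static void resync(server_t *s, int id, uint64_t sqn_ms) { *slot(s, id) = sqn_ms + 1; }

static int usim_accepts(usim_t *u, uint64_t sqn) {
    if (sqn <= u->sqn_ms) return 0;   /* stale: AKA_SYNCHRONIZATION_FAILURE */
    u->sqn_ms = sqn;
    return 1;
}

/* Handle one challenge; on sync failure, resync and retry. Returns failures. */
static int finish_auth(server_t *s, usim_t *u, int id, uint64_t sqn) {
    int failures = 0;
    for (; !usim_accepts(u, sqn) && failures < 3; failures++) {
        resync(s, id, u->sqn_ms);
        sqn = get_quintuplet(s, id);
    }
    return failures;
}

/* Sync failures seen on reconnect, after both clients already resynced once. */
int reconnect_failures(int per_subscriber) {
    server_t s = { {100, 100}, per_subscriber };  /* constructed start value */
    usim_t a = { 1000 }, b = { 5000 };            /* constructed USIM state  */
    /* Concurrent connect: both challenges are issued before any reply. */
    uint64_t ca = get_quintuplet(&s, 0), cb = get_quintuplet(&s, 1);
    finish_auth(&s, &b, 1, cb);   /* B resyncs first                        */
    finish_auth(&s, &a, 0, ca);   /* A's resync then lowers a shared SQN    */
    int n = finish_auth(&s, &b, 1, get_quintuplet(&s, 1));
    n += finish_auth(&s, &a, 0, get_quintuplet(&s, 0));
    return n;
}

int main(void) {
    printf("reconnect sync failures: global SQN=%d, per-subscriber SQN=%d\n",
           reconnect_failures(0), reconnect_failures(1));
    return 0;
}
```

In this model the shared counter is pulled back below client B's stored SQN by client A's resync, so B fails synchronization again on its next connection; with one counter per subscriber neither reconnect fails.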