[strongSwan] insufficient authentication rounds
Volodymyr Litovka
doka.ua at gmx.com
Thu Jul 16 11:01:17 CEST 2020
Hi, colleagues,
probably this is a very simple question and I'm just missing something very clear :)
I’m trying to use a few rounds of auth, like this:
connections {
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = x.x.x.x
        remote_addrs = %any
        pools = radius
        [ … ]
        local {
            auth = pubkey
            certs = fullchain.pem
            id = fqdn.my
        }
        remote-eap {
            round = 1
            auth = eap-radius
            id = %any
            eap_id = %any
        }
        remote-psk {
            round = 2
            auth = psk
            id = %any
        }
        children {
            [ … ]
        }
    }
}
secrets {
    [ … ]
}
The basic idea is to give a client a chance to authenticate in two ways: try EAP and if it fails, then try PSK.
But on the output I see the following error in syslog:
Jul 16 11:47:47 test charon-systemd[25937]: authentication of 'doka' with EAP successful
Jul 16 11:47:47 test strongswan: 12[IKE] <ikev2-eap-mschapv2|75> authentication of 'doka' with EAP successful
Jul 16 11:47:47 test charon-systemd[25937]: selected peer config 'ikev2-eap-mschapv2' inacceptable: insufficient authentication rounds
Jul 16 11:47:47 test strongswan: 12[IKE] <ikev2-eap-mschapv2|75> IKE_SA ikev2-eap-mschapv2[75] state change: CONNECTING => DESTROYING
Jul 16 11:47:47 test charon-systemd[25937]: no alternative config found
Jul 16 11:47:47 test charon-systemd[25937]: generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
Also, I tried to create local-c1 {round = 1} and local-c2 {round = 2} in order to conform to the number of rounds in the remote sections, but with the same result.
So, the question is - whether my understanding of rounds is correct and, if yes, what I’m missing in this config to get it working as I expect?
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
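
Added example, not part of the original post and not strongSwan code: in swanctl.conf each remote* section is a round the peer must complete in sequence (multiple authentication, RFC 4739), not an alternative. The sketch below parses a constructed, trimmed copy of the connection above and lists the rounds still outstanding after one successful EAP round, which is the state the log reports; the function names are hypothetical.

```python
# Constructed sample: the connection from the post with elided parts left out.
SAMPLE_CONF = """
connections {
    ikev2-eap-mschapv2 {
        version = 2
        local {
            auth = pubkey
        }
        remote-eap {
            round = 1
            auth = eap-radius
        }
        remote-psk {
            round = 2
            auth = psk
        }
    }
}
"""

def parse_sections(text):
    """Parse 'name { ... }' and 'key = value' lines into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    return root

def remote_rounds(conn):
    """Return (round, section, auth) for each remote* section, in round order."""
    found = [(int(body.get("round", 0)), name, body.get("auth", "pubkey"))
             for name, body in conn.items()
             if isinstance(body, dict) and name.startswith("remote")]
    # Stable sort: sections without 'round' keep their position in the file.
    return sorted(found, key=lambda r: r[0])

def missing_rounds(conn, completed):
    """Rounds still required after the peer completed len(completed) rounds."""
    return remote_rounds(conn)[len(completed):]
```

For the sample, `missing_rounds(conn, ["eap-radius"])` leaves the PSK round outstanding, so the configuration as written demands EAP and then PSK from the same client.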