[strongSwan] insufficient authentication rounds

Thomas Egerer hakke_007 at gmx.de
Thu Jul 16 12:58:01 CEST 2020


Hi Volodymyr,

the authentication rounds are mandatory, not optional.
That's why charon expects three rounds of auth and
fails since only two were done.
You need to split the config into one where you only
offer pubkey + eap auth and the other one employing
psk only. charon should then be able to select the
appropriate config based on the peer's auth.

Thomas

Note: re-reply to address list

On 7/16/20 11:01 AM, Volodymyr Litovka wrote:
> Hi, colleagues,
>
> probably, this is very simple question and I'm just missing something very clear :)
>
> I’m trying to use few rounds of auth, like this:
>
> connections {
>         ikev2-eap-mschapv2 {
>                 version = 2
>                 local_addrs = x.x.x.x
>                 remote_addrs = %any
>                 pools = radius
> 		[ … ]
>                 local {
>                         auth = pubkey
>                         certs = fullchain.pem
>                         id = fqdn.my
>                 }
>                 remote-eap {
>                         round = 1
>                         auth = eap-radius
>                         id = %any
>                         eap_id = %any
>                 }
>                 remote-psk {
>                         round = 2
>                         auth = psk
>                         id = %any
>                 }
>                 children {
> 			[ … ]
> 		}
> 	}
> }
> secrets {
> 	[ … ]
> }
>
> The basic idea is to give a client chance to authenticate in two ways: try EAP and if it fails, then try PSK.
>
> But on the output I see the following error in syslog:
>
> Jul 16 11:47:47 test charon-systemd[25937]: authentication of 'doka' with EAP successful
> Jul 16 11:47:47 test strongswan: 12[IKE] <ikev2-eap-mschapv2|75> authentication of 'doka' with EAP successful
> Jul 16 11:47:47 test charon-systemd[25937]: selected peer config 'ikev2-eap-mschapv2' inacceptable: insufficient authentication rounds
> Jul 16 11:47:47 test strongswan: 12[IKE] <ikev2-eap-mschapv2|75> IKE_SA ikev2-eap-mschapv2[75] state change: CONNECTING => DESTROYING
> Jul 16 11:47:47 test charon-systemd[25937]: no alternative config found
> Jul 16 11:47:47 test charon-systemd[25937]: generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
>
> Also, I tried to create local-c1 {round = 1} and local-c2 {round = 2} in order to conform number of rounds in remote sections, but with the same result.
>
> So, the question is - whether my understanding of rounds is correct and, if yes, what I’m missing in this config to get it working as I expect?
>
> Thank you.
>



More information about the Users mailing list