[strongSwan] eap auth with 5.8 - how?

lejeczek peljasz at yahoo.co.uk
Sun May 10 14:17:39 CEST 2020


Hi guys,

I got my strongswan updated to 5.8 and I think I migrated my
simple config correctly:

connections {
  camuni {
    remote_addrs="remote.fqdn"                # The location of the host, FQDN or IP
    vips="0.0.0.0"
    send_cert="never"
    local {
      id="me at domain"
      auth="eap"
    }
    remote {
      certs="remote.fqdn.crt"
      id="DNS:remote.fqdn"
      auth="eap"
    }
    children {
      camuni {
        remote_ts="172.16.0.0/12"
        mode="pass"
        start_action="start"
      }
    }
  }
}
secrets {
  eap {
    secret="aSecret"
    id="me at fqdn"
  }
}

Yet still auth fails. I have no control over "remote.fqdn"
but at my end I see:
...
[IKE] initiating IKE_SA camuni[9] to xx.XX.zz.ZZ
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from xx.XX.yy.YY[500] to xx.XX.zz.ZZ[500] (1400 bytes)
[NET] received packet: from xx.XX.zz.ZZ[500] to xx.XX.yy.YY[500] (592 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
[IKE] remote host is behind NAT
[IKE] sending cert request for "O=CA, CN=mydom.local"
[IKE] sending cert request for "O=CA, CN=mydom.local"
[IKE] establishing CHILD_SA camuni{9}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from xx.XX.yy.YY[4500] to xx.XX.zz.ZZ[4500] (432 bytes)
[NET] received packet: from xx.XX.zz.ZZ[4500] to xx.XX.yy.YY[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error
initiate failed: establishing CHILD_SA 'camuni' failed

If you have any suggestions or advice, I'll be grateful.
Many thanks, L.

