[strongSwan] eap auth with 5.8 - how?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon May 11 03:40:31 CEST 2020


Hi,

You need to specify the EAP method you want to use to authenticate yourself.
And what's the ipsec.conf you're trying to translate?

Kind regards

Noel

On 10.05.20 at 14:17, lejeczek wrote:
> hi guys
> 
> I got my strongswan updated to 5.8 and I think I migrated my
> simple config correctly:
> 
> connections {
>   camuni {
>     remote_addrs="remote.fqdn"                # The location of the host, FQDN or IP
>     vips="0.0.0.0"
>     send_cert="never"
>     local {
>       id="me at domain"
>       auth="eap"
>     }
>     remote {
>       certs="remote.fqdn.crt"
>       id="DNS:remote.fqdn"
>       auth="eap"
>     }
>     children {
>       camuni {
>         remote_ts="172.16.0.0/12"
>         mode="pass"
>         start_action="start"
>       }
>     }
>   }
> }
> secrets {
>   eap {
>     secret="aSecret"
>     id="me at fqdn
>   }
> }
> 
> Yet still auth fails. I have no control over "remote.fqdn"
> but at my end I see:
> ...
> [IKE] initiating IKE_SA camuni[9] to xx.XX.zz.ZZ
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from xx.XX.yy.YY[500] to
> xx.XX.zz.ZZ[500] (1400 bytes)
> [NET] received packet: from xx.XX.zz.ZZ[500] to
> xx.XX.yy.YY[500] (592 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> [CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
> [IKE] remote host is behind NAT
> [IKE] sending cert request for "O=CA, CN=mydom.local"
> [IKE] sending cert request for "O=CA, CN=mydom.local"
> [IKE] establishing CHILD_SA camuni{9}
> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
> CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from xx.XX.yy.YY[4500] to
> xx.XX.zz.ZZ[4500] (432 bytes)
> [NET] received packet: from xx.XX.zz.ZZ[4500] to
> xx.XX.yy.YY[4500] (80 bytes)
> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> [IKE] received AUTHENTICATION_FAILED notify error
> initiate failed: establishing CHILD_SA 'camuni' failed
> 
> If you have any suggestions or advice, I'll be grateful.
> Many thanks, L.
> 
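Added example (not part of the original thread and not strongSwan code): a Python triage of the charon log quoted above. It rejoins the mail-wrapped lines, lists the payloads of each IKE message from the [ENC] lines, and reports where AUTH_FAILED arrived relative to the EAP exchange; on this log the notify answers the first IKE_AUTH request and no EAP payload was ever exchanged. The function names and the SAMPLE_LOG string are constructed for illustration.

```python
import re

# Constructed sample: log lines copied from the post above, still mail-wrapped.
SAMPLE_LOG = """\
[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error
initiate failed: establishing CHILD_SA 'camuni' failed
"""

TAG = re.compile(r"^\[[A-Z]{3}\] ")
ENC = re.compile(r"\[ENC\] (generating|parsed) (\S+) (request|response) (\d+) \[ (.*?) \]")
PAYLOAD = re.compile(r"[^\s(]+(?:\([^)]*\))?")  # keeps "CPRQ(ADDR DNS)" as one token

def rejoin(text):
    """Undo mail wrapping: a line without a [TAG] prefix continues the previous record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TAG.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def messages(text):
    """Return one dict per IKE message that charon logged on an [ENC] line."""
    return [{"dir": "sent" if m[1] == "generating" else "received",
             "exchange": m[2], "kind": m[3], "id": int(m[4]),
             "payloads": PAYLOAD.findall(m[5])}
            for m in filter(None, map(ENC.search, rejoin(text)))]

def triage(text):
    """Locate the AUTH_FAILED notify relative to the EAP exchange."""
    report = {"eap_payload_seen": False, "auth_payload_sent": False, "failed_at": None}
    for m in messages(text):
        if any(p.startswith("EAP/") for p in m["payloads"]):
            report["eap_payload_seen"] = True
        if m["dir"] == "sent" and "AUTH" in m["payloads"]:
            report["auth_payload_sent"] = True
        if m["dir"] == "received" and "N(AUTH_FAILED)" in m["payloads"] and not report["failed_at"]:
            report["failed_at"] = (m["exchange"], m["kind"], m["id"])
    return report
```

Calling `triage(SAMPLE_LOG)` returns the report as a dict; `messages(SAMPLE_LOG)` gives the per-message payload lists for closer inspection.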
