[strongSwan] eap auth with 5.8 - how?

lejeczek peljasz at yahoo.co.uk
Mon May 11 08:38:30 CEST 2020



On 11/05/2020 02:40, Noel Kuntze wrote:
> Hi,
>
> You need to specify the EAP method you want to use to authenticate yourself.
> And what's the ipsec.conf you're trying to translate?
>
> Kind regards
>
> Noel
>
> On 10.05.20 at 14:17, lejeczek wrote:
>> hi guys
>>
>> I got my strongswan updated to 5.8 and I think I migrated my
>> simple config correctly:
>>
>> connections {
>>   camuni {
>>     remote_addrs="remote.fqdn"                # The location of the host, FQDN or IP
>>     vips="0.0.0.0"
>>     send_cert="never"
>>     local {
>>       id="me@domain"
>>       auth="eap"
>>     }
>>     remote {
>>       certs="remote.fqdn.crt"
>>       id="DNS:remote.fqdn"
>>       auth="eap"
>>     }
>>     children {
>>       camuni {
>>         remote_ts="172.16.0.0/12"
>>         mode="pass"
>>         start_action="start"
>>       }
>>     }
>>   }
>> }
>> secrets {
>>   eap {
>>     secret="aSecret"
>>     id="me@fqdn"
>>   }
>> }
>>
>> Yet still auth fails. I have no control over "remote.fqdn"
>> but at my end I see:
>> ...
>> [IKE] initiating IKE_SA camuni[9] to xx.XX.zz.ZZ
>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> [NET] sending packet: from xx.XX.yy.YY[500] to xx.XX.zz.ZZ[500] (1400 bytes)
>> [NET] received packet: from xx.XX.zz.ZZ[500] to xx.XX.yy.YY[500] (592 bytes)
>> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
>> [CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
>> [IKE] remote host is behind NAT
>> [IKE] sending cert request for "O=CA, CN=mydom.local"
>> [IKE] sending cert request for "O=CA, CN=mydom.local"
>> [IKE] establishing CHILD_SA camuni{9}
>> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>> [NET] sending packet: from xx.XX.yy.YY[4500] to xx.XX.zz.ZZ[4500] (432 bytes)
>> [NET] received packet: from xx.XX.zz.ZZ[4500] to xx.XX.yy.YY[4500] (80 bytes)
>> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> [IKE] received AUTHENTICATION_FAILED notify error
>> initiate failed: establishing CHILD_SA 'camuni' failed
>>
>> If you have any suggestions or advice, I'll be grateful.
>> many thanks, L.
>>

That's the thing. In 5.7 (which still works) besides:

leftauth=eap

I have nothing else, at least not in the connection-specific config.
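To make Noel's point concrete, below is the swanctl.conf shape that corresponds to an ipsec.conf conn which sets only `leftauth=eap` (so `rightauth` keeps its default of `pubkey`). This is an added example, not the original poster's config and not strongSwan project material; the EAP method (`eap-mschapv2`), the identities, the certificate file name and the traffic selector are assumptions. It differs from the quoted config in two security-relevant places: the server side is translated as `remote { auth = pubkey }`, because `remote { auth = eap }` on a client means "the responder authenticates with EAP only" (RFC 5998 EAP-only authentication, which is what the `N(EAP_ONLY)` notify in the IKE_AUTH request above announces), and the EAP secret's `id` is kept identical to the client's `eap_id` (which defaults to `id`), since that is the identity the secret is looked up by.

```conf
# swanctl.conf (added example; identities, file names and the EAP method are assumptions)
connections {
    camuni {
        remote_addrs = remote.fqdn          # ipsec.conf: right=remote.fqdn
        vips = 0.0.0.0                      # ipsec.conf: leftsourceip=%config
        send_cert = never                   # ipsec.conf: leftsendcert=never
        local {
            id = me@domain                  # ipsec.conf: leftid=me@domain
            eap_id = me@domain              # identity sent in the EAP exchange; defaults to id
            auth = eap-mschapv2             # ipsec.conf: leftauth=eap (explicit method, as Noel suggests; method assumed)
        }
        remote {
            id = DNS:remote.fqdn            # ipsec.conf: rightid=remote.fqdn
            certs = remote.fqdn.crt         # ipsec.conf: rightcert=...; file lives in /etc/swanctl/x509/
            auth = pubkey                   # ipsec.conf: rightauth unset, i.e. pubkey; NOT eap (that would request EAP-only)
        }
        children {
            camuni {
                remote_ts = 172.16.0.0/12   # ipsec.conf: rightsubnet=172.16.0.0/12
                start_action = start        # ipsec.conf: auto=start
            }
        }
    }
}
secrets {
    eap-camuni {
        id = me@domain                      # must equal local.eap_id above
        secret = aSecret                    # ipsec.secrets: me@domain : EAP "aSecret"
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` should show the `local` side with the chosen EAP method and the `remote` side with `pubkey` authentication; if `remote` still reports `eap`, the client will keep sending the EAP_ONLY notify and a server that does not offer EAP-only authentication will answer with AUTHENTICATION_FAILED as in the log above.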