[strongSwan] eap auth with 5.8 - how?

Mon May 11 08:45:37 CEST 2020

Hi,

in the remote section you have to set

  auth = pubkey

since the responder is using a certificate-based
authentication.

Regards

Andreas

On 10.05.20 14:17, lejeczek wrote:
> hi guys
> 
> I got my strongswan updated to 5.8 and I think I migrated my
> simple config correctly:
> 
> connections {
>   camuni {
>     remote_addrs="remote.fqdn"                # The location
> of the host, FQDN or IP
>     vips="0.0.0.0"
>     send_cert="never"
>     local {
>       id="me at domain"
>       auth="eap"
>     }
>     remote {
>       certs="remote.fqdn.crt"
>       id="DNS:remote.fqdn"
>       auth="eap"
>     }
>     children {
>       camuni {
>         remote_ts="172.16.0.0/12"
>         mode="pass"
>         start_action="start"
>       }
>     }
>   }
> }
> secrets {
>   eap {
>     secret="aSecret"
>     id="me at fqdn
>   }
> }
> 
> Yet still auth fails. I have no control over "remote.fqdn"
> but at my end I see:
> ...
> IKE] initiating IKE_SA camuni[9] to xx.XX.zz.ZZ
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from xx.XX.yy.YY[500] to
> xx.XX.zz.ZZ[500] (1400 bytes)
> [NET] received packet: from xx.XX.zz.ZZ[500] to
> xx.XX.yy.YY[500] (592 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> [CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
> [IKE] remote host is behind NAT
> [IKE] sending cert request for "O=CA, CN=mydom.local"
> [IKE] sending cert request for "O=CA, CN=mydom.local"
> [IKE] establishing CHILD_SA camuni{9}
> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
> CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from xx.XX.yy.YY[4500] to
> xx.XX.zz.ZZ[4500] (432 bytes)
> [NET] received packet: from xx.XX.zz.ZZ[4500] to
> xx.XX.yy.YY[4500] (80 bytes)
> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> [IKE] received AUTHENTICATION_FAILED notify error
> initiate failed: establishing CHILD_SA 'camuni' failed
> 
> Would you have any suggestions and advice I'll be grateful.
> many thanks, L.
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==