Hello Martin, I have increased the log levels, however it's impossible to do a side by side analysis of the working and non-working cases due to the random NONCE_MT included in the Mater Key algorithm, even if I make the GSM triplet RANDs the same the NONCE_MT is different every time which generates a completely different MK.
I've studied the specs and the code and can't see where I have gone wrong, except it just doesn't work. If I ignore the AUTH4 failure and carry on then the RIM device just ignores the next message. So it seems it is a key mismatch rather than an incompatibility in the AUTH payload calculation. I agree, it's unlikely to be a stongSwan issue, I'm hoping someone out there has come across something similar and can point me down the right path. As an aside, I can dump the debug logs off the RIM device but the file is encrypted and needs to be decrypted by RIM, maybe someone on the list knows someone who could do this for me. Regards AlanE On Mon, Oct 22, 2012 at 1:10 PM, Martin Willi <[email protected]> wrote: > Hi Alan, > >> 02[IKE] RADIUS authentication of '...' successful >> 02[IKE] EAP method EAP_SIM succeeded, MSK established > >> 01[IKE] verification of AUTH payload with EAP MSK failed > >> Bear in mind that the same SIM Card and Security Gateway works fine on >> Andorid. > > It don't think it is related to strongSwan. As you're using a RADIUS > backend, EAP-SIM and MSK derivation happens outside of strongSwan. > > As it works with Android, it might be that the Blackberry is calculating > the IKEv2 AUTH payload from the MSK differently. > > You might try to increase the debug level on strongSwan to see what > values are used for AUTH payload calculation. If you can compare these > values with those one your UMA client, you might see a difference. > > Regards > Martin > _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
