Hi all,

I am using eap-aka to do authentication, and I am wondering when to use leftid and when to use eap_identity. I saw a previous mailing list thread and learned that if we do not set eap_identity, then leftid will be used as both the IKE id and the EAP id. I did some experiments, but the results were not what I expected.

I set ipsec.secrets as follows:

client side:

    <IMSI> : EAP "<secret>"

server side:

    : RSA sunKey.pem
    <IMSI> : EAP "<secret>"

(1) With no eap_identity, and leftid filled with the IMSI from the USIM, eap-aka authentication worked well.
(2) With eap_identity filled with the IMSI, and leftid filled with the cert id (although a certificate is not used), eap-aka authentication failed.
(3) With no leftid, and eap_identity filled with the IMSI, eap-aka authentication still failed.

Here is my configuration:

ipsec.conf <client side>

    config setup
        plutostart=no

    conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        dpdaction=clear

    conn rw-eapaka
        left=192.168.0.102
        leftid=001080123456412
        #eap_identity=001080123456412
        leftauth=eap
        leftsourceip=%config
        right=192.168.0.103
        rightid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
        rightsubnet=0.0.0.0/0
        rightauth=pubkey
        auto=add

ipsec.conf <server side>

    config setup
        plutostart=no
        strictcrlpolicy=no

    conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        dpdaction=clear

    conn rw-eapaka
        left=192.168.0.103
        leftsubnet=0.0.0.0/0
        leftid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
        leftcert=sunCert.pem
        leftauth=pubkey
        right=%any
        rightsendcert=never
        rightauth=eap-aka
        rightsourceip=192.168.2.3
        auto=add
