Hi Martin,
Thanks for your response. ^_______^

But I got the error message after I migrated from strongswan 4.3.2 to
strongswan 4.3.5 with eap-aka authentication:
"received EAP_FAILURE, EAP authentication failed".
Do I need to do any extra action with eap-aka-3gpp2?

I've added --enable-eap-aka and --enable-eap-aka-3gpp2 when I execute
./configure.
 
Here is the error message:
initiating IKE_SA profile1[2] to 192.168.5.120
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.5.125[500] to 192.168.5.120[500]
received packet: from 192.168.5.120[500] to 192.168.5.125[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=tw, ST=tw, L=tw, O=tw, OU=tw, CN=leo"
establishing CHILD_SA profile1
generating IKE_AUTH request 1 [ IDi CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 192.168.5.125[4500] to 192.168.5.120[4500]
received packet: from 192.168.5.120[4500] to 192.168.5.125[4500]
parsed IKE_AUTH response 1 [ IDr EAP ]
received EAP_FAILURE, EAP authentication failed
 
Here is the configuration:
 
<client configuration>
config setup
         plutostart=no
conn %default
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2
         dpdaction=clear
conn  profile1 
        left=192.168.5.125
        leftid=001080123456144
        leftauth=eap
        right=192.168.5.120
        rightid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        auto=add
 
ipsec.secrets
  001080123456144 : EAP "goodgoodgoodgood"
 
strongswan.conf
  charon {
  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey pem pkcs1 hmac xcbc stroke kernel-netlink fips-prf eapaka updown
  }
 
<GW configuration>
config setup
         strictcrlpolicy=no
         plutostart=no
conn %default
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2
conn  test
        left=192.168.5.120
        leftid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
        leftcert=sunCert.pem
        leftauth=pubkey
        right=%any
        rightid=001080123456144
        rightsendcert=never
        rightauth=eap-aka
        auto=add

ipsec.secrets
       : RSA sunKey.pem "1234"  
       001080123456144 : EAP "goodgoodgoodgood"
 
strongswan.conf
     charon {
  load = curl aes des sha1 sha2 md5 gmp random x509 pkcs1 pem hmac xcbc stroke kernel-netlink fips-prf eap-aka updown
}
 

 
 


--- On Tue, 09/11/10, Martin Willi <[email protected]> wrote:


From: Martin Willi <[email protected]>
Subject: Re: [strongSwan] strongswan-4.3.5 eap-aka eap-aka-3gpp2
To: "Jessie Liu" <[email protected]>
Cc: [email protected]
Date: Tuesday, November 10, 2009, 7:45 PM


Hi,

> What is the difference between the two plugins eap-aka and eap-aka-3gpp2? 

The eap-aka plugin provides the protocol layer of the EAP-AKA
functionality, but no quintuplet calculation. It uses other plugins
implementing the sim_card_t/sim_provider_t interface to actually
calculate the quintuplets.

The eap-aka-3gpp2 plugin is such a backend for quintuplet calculation,
it implements the 3GPP2 specs in software. 

> And where could I fill in the IMSI information and shared secret to do the
> eap-aka authentication? In ipsec.secrets?

The IMSI is configured in ipsec.conf as leftid to use it within the
IKEv2 identity exchange, or as eap_identity to use a separate
EAP-Identity exchange.
For eap-aka-3gpp2, the secret K is looked up in ipsec.secrets (using the
EAP credential type).

Regards
Martin
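
Added example, not part of the original thread and not strongSwan code: a small Python check of the three pieces the reply names (eap-aka plus the eap-aka-3gpp2 backend in the load list, the IMSI as leftid or eap_identity, and an EAP-type secret for that identity). The function names, finding strings and sample files are constructed for illustration, and it assumes load-list names match the plugin names used in the reply.

```python
import re

AKA = "eap-aka"            # protocol-layer plugin named in the reply
BACKEND = "eap-aka-3gpp2"  # software quintuplet backend named in the reply

def loaded_plugins(strongswan_conf):
    """Plugin names after 'load =', up to the closing brace (assumes load is
    the last setting in the block; also tolerates a mail-wrapped line)."""
    m = re.search(r"\bload\s*=\s*([^}]*)", strongswan_conf)
    return m.group(1).split() if m else []

def eap_secret_ids(ipsec_secrets):
    """Identities that own an EAP-type secret (lines of the form: id : EAP "secret")."""
    return set(re.findall(r'^\s*(\S+)\s*:\s*EAP\s+"', ipsec_secrets, re.M))

def aka_identity(ipsec_conf, side="left"):
    """eap_identity if set, else <side>id. Simplification: all conn sections
    are merged, which is enough for a file with one EAP connection."""
    opts = dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", ipsec_conf, re.M))
    ident = opts.get("eap_identity") or opts.get(side + "id")
    return ident.strip('"') if ident else None

def check(ipsec_conf, ipsec_secrets, strongswan_conf, side="left"):
    """Return a list of findings; an empty list means all three pieces line up."""
    findings = []
    plugins = loaded_plugins(strongswan_conf)
    if AKA not in plugins:
        findings.append("eap-aka-not-loaded")
    if BACKEND not in plugins:
        # Other backends may exist; this script only knows the one in the reply.
        findings.append("eap-aka-3gpp2-not-loaded")
    ident = aka_identity(ipsec_conf, side)
    if ident is None:
        findings.append("no-identity")
    elif ident not in eap_secret_ids(ipsec_secrets):
        findings.append("no-eap-secret-for-identity")
    return findings

# Constructed sample input (not the poster's files).
CONF = "conn sample\n        leftid=001010000000001\n        leftauth=eap\n"
SECRETS = '001010000000001 : EAP "constructed-secret"\n'
LOAD_PROTOCOL_ONLY = "charon {\n  load = aes sha1 hmac stroke fips-prf\neap-aka updown\n}\n"
LOAD_WITH_BACKEND = "charon {\n  load = aes sha1 hmac stroke fips-prf eap-aka eap-aka-3gpp2 updown\n}\n"

if __name__ == "__main__":
    print(check(CONF, SECRETS, LOAD_PROTOCOL_ONLY))
    print(check(CONF, SECRETS, LOAD_WITH_BACKEND))
```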


