Hi Martin,
Thanks for your response. ^_______^
But I got the error message after I migrated from strongswan 4.3.2 to
strongswan 4.3.5 with eap-aka authentication:
"received EAP_FAILURE, EAP authentication failed".
Do I need to take extra action with eap-aka-3gpp2?
I've added --enable-eap-aka and --enable-eap-aka-3gpp2 when I execute
./configure.
Here is the error message:
initiating IKE_SA profile1[2] to 192.168.5.120
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.5.125[500] to 192.168.5.120[500]
received packet: from 192.168.5.120[500] to 192.168.5.125[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH)
]
sending cert request for "C=tw, ST=tw, L=tw, O=tw, OU=tw, CN=leo"
establishing CHILD_SA profile1
generating IKE_AUTH request 1 [ IDi CERTREQ IDr SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 192.168.5.125[4500] to 192.168.5.120[4500]
received packet: from 192.168.5.120[4500] to 192.168.5.125[4500]
parsed IKE_AUTH response 1 [ IDr EAP ]
received EAP_FAILURE, EAP authentication failed
Here is the configuration:
<client configuration>
config setup
    plutostart=no
conn %default
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    dpdaction=clear
conn profile1
    left=192.168.5.125
    leftid=001080123456144
    leftauth=eap
    right=192.168.5.120
    rightid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    auto=add

ipsec.secrets
001080123456144 : EAP "goodgoodgoodgood"

strongswan.conf
charon {
    load = curl aes des sha1 sha2 md5 gmp random x509 pubkey pem pkcs1 hmac xcbc
    stroke kernel-netlink fips-prf eapaka updown
}

<GW configuration>
config setup
    strictcrlpolicy=no
    plutostart=no
conn %default
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
conn test
    left=192.168.5.120
    leftid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
    leftcert=sunCert.pem
    leftauth=pubkey
    right=%any
    rightid=001080123456144
    rightsendcert=never
    rightauth=eap-aka
    auto=add

ipsec.secrets
: RSA sunKey.pem "1234"
001080123456144 : EAP "goodgoodgoodgood"

strongswan.conf
charon {
    load = curl aes des sha1 sha2 md5 gmp random x509 pkcs1 pem hmac xcbc stroke
    kernel-netlink fips-prf eap-aka updown
}

--- On 09/11/10 (Tue), Martin Willi <[email protected]> wrote:
From: Martin Willi <[email protected]>
Subject: Re: [strongSwan] strongswan-4.3.5 eap-aka eap-aka-3gpp2
To: "Jessie Liu" <[email protected]>
Cc: [email protected]
Date: Tuesday, November 10, 2009, 7:45 PM
Hi,
> What is the difference between the two plugins eap-aka and eap-aka-3gpp2?
The eap-aka plugin provides the protocol layer of the EAP-AKA
functionality, but no quintuplet calculation. It uses other plugins
implementing the sim_card_t/sim_provider_t interface to actually
calculate the quintuplets.
The eap-aka-3gpp2 plugin is such a backend for quintuplet calculation,
it implements the 3GPP2 specs in software.
> And where could I fill the IMSI information and shared secret to do the
> eap-aka authentication? in ipsec.secrets?
The IMSI is configured in ipsec.conf as leftid to use it within the
IKEv2 identity exchange, or as eap_identity to use a separate
EAP-Identity exchange.
For eap-aka-3gpp2, the secret K is looked up in ipsec.secrets (using the
EAP credential type).
Regards
Martin
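
The plugin split and the secret lookup described in the reply above can be checked mechanically before starting charon. The following is an added example, not part of either message and not strongSwan code; it assumes the load list uses the plugin names exactly as written in the reply (eap-aka, eap-aka-3gpp2), and the function names are hypothetical.

```python
import re

PROTOCOL = "eap-aka"          # protocol-layer plugin, name as written in the reply
BACKENDS = {"eap-aka-3gpp2"}  # quintuplet backend named in the reply (assumed load name)

def charon_plugins(conf):
    """Plugin names from charon { load = ... }, tolerating wrapped lines."""
    body = re.search(r"charon\s*\{([^}]*)\}", conf)
    names, in_load = [], False
    for line in (body.group(1) if body else "").splitlines():
        key, eq, val = line.partition("=")
        if eq:  # a "key = value" line starts or ends the load list
            in_load = key.strip() == "load"
            line = val
        if in_load:
            names += line.split()
    return names

def eap_identities(secrets):
    """Identities that have an EAP-type entry in ipsec.secrets text."""
    return {m.group(1) for m in
            re.finditer(r'^\s*(\S+)\s*:\s*EAP\s+"', secrets, re.M)}

def check_eap_aka(conf, secrets, imsi):
    """Return a list of findings; an empty list means all checks passed."""
    plugins, findings = charon_plugins(conf), []
    if PROTOCOL not in plugins:
        near = [p for p in plugins if p.replace("-", "") == "eapaka"]
        findings.append(f"{PROTOCOL} not in load list"
                        + (f" (found {near[0]!r})" if near else ""))
    if not BACKENDS & set(plugins):
        findings.append("no quintuplet backend in load list")
    if imsi not in eap_identities(secrets):
        findings.append(f"no EAP secret for identity {imsi}")
    return findings

# Sample input: the client and gateway files as posted in this thread.
CLIENT_CONF = """charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pubkey pem pkcs1 hmac xcbc
stroke kernel-netlink fips-prf eapaka updown
}"""
GW_CONF = """charon {
load = curl aes des sha1 sha2 md5 gmp random x509 pkcs1 pem hmac xcbc stroke
kernel-netlink fips-prf eap-aka updown
}"""
SECRETS = ': RSA sunKey.pem "1234"\n001080123456144 : EAP "goodgoodgoodgood"\n'

if __name__ == "__main__":
    for name, conf in (("client", CLIENT_CONF), ("gateway", GW_CONF)):
        print(name, check_eap_aka(conf, SECRETS, "001080123456144"))
```
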