Hi Jessie,

I see that you are using explicit load statements in strongswan.conf.
As you can see from the 4.3.5 ChangeLog a change in the naming of
the eap plugins was introduced. Our example EAP-AKA scenario

http://www.strongswan.org/uml/testresults43/ikev2/rw-eap-aka-rsa/

has the following load statement:

 load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc \
        stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 updown
                                       ^^^^^^^ ^^^^^^^^^^^^^

Actually if you enable only those plugins during compilation time
(./configure ...) that you actually are going to need then there is
no need for an explicit load statement.

Best regards

Andreas

Jessie Liu wrote:
> Hi Martin,
>       Thanks for your response. ^_______^
>  
> But I got the error message after I migrated from strongswan 4.3.2 to 
> strongswan 4.3.5 with eap-aka authentication:
> "received EAP_FAILURE, EAP authentication failed". 
> Do I need to do extra action with eap-aka-3gpp2??
>  
> I've added --enable-eap-aka and --enable-eap-aka-3gpp2 when I execute 
> ./configure.
>  
> Here is the error message:
> initiating IKE_SA profile1[2] to 192.168.5.120
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.5.125[500] to 192.168.5.120[500]
> received packet: from 192.168.5.120[500] to 192.168.5.125[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> N(MULT_AUTH) ]
> sending cert request for "C=tw, ST=tw, L=tw, O=tw, OU=tw, CN=leo"
> establishing CHILD_SA profile1
> generating IKE_AUTH request 1 [ IDi CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) 
> N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 192.168.5.125[4500] to 192.168.5.120[4500]
> received packet: from 192.168.5.120[4500] to 192.168.5.125[4500]
> parsed IKE_AUTH response 1 [ IDr EAP ]
> received EAP_FAILURE, EAP authentication failed
>  
> Here is the configuration:
>  
> <client configuration>
> config setup
>          plutostart=no
> conn %default
>          rekeymargin=3m
>          keyingtries=1
>          keyexchange=ikev2
>          dpdaction=clear
> conn  profile1 
>         left=192.168.5.125
>         leftid=001080123456144
>         leftauth=eap
>         right=192.168.5.120
>         rightid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
>         rightauth=pubkey
>         rightsubnet=0.0.0.0/0
>         auto=add
>  
> ipsec.secrets
>   001080123456144 : EAP "goodgoodgoodgood"
>  
> strongswan.conf
>   charon {
>   load = curl aes des sha1 sha2 md5 gmp random x509 pubkey pem pkcs1 hmac 
> xcbc stroke kernel-netlink fips-prf eapaka updown
>   }
>  
> <GW configuration>
> config setup
>          strictcrlpolicy=no
>          plutostart=no
> conn %default
>          rekeymargin=3m
>          keyingtries=1
>          keyexchange=ikev2
> conn  test
>         left=192.168.5.120
>         leftid="C=tw, ST=tw, O=tw, OU=tw, CN=sun"
>         leftcert=sunCert.pem
>         leftauth=pubkey
>         right=%any
>         rightid=001080123456144
>         rightsendcert=never
>         rightauth=eap-aka
>         auto=add
> 
> ipsec.secrets
>        : RSA sunKey.pem "1234"  
>        001080123456144 : EAP "goodgoodgoodgood"
>  
> strongswan.conf
>      charon {
>   load = curl aes des sha1 sha2 md5 gmp random x509 pkcs1 pem hmac xcbc 
> stroke kernel-netlink fips-prf eap-aka updown
> }
>  
> 
>  
>  
> 
> 
> --- On 09/11/10 (Tue), Martin Willi <mar...@strongswan.org> wrote:
> 
> 
> From: Martin Willi <mar...@strongswan.org>
> Subject: Re: [strongSwan] strongswan-4.3.5 eap-aka eap-aka-3gpp2
> To: "Jessie Liu" <iamnotjes...@yahoo.com.tw>
> Cc: users@lists.strongswan.org
> Date: Tuesday, 10 November 2009, 7:45 PM
> 
> 
> Hi,
> 
>> What is the difference between the two plugins eap-aka and eap-aka-3gpp2? 
> 
> The eap-aka plugin provides the protocol layer of the EAP-AKA
> functionality, but no quintuplet calculation. It uses other plugins
> implementing the sim_card_t/sim_provider_t interface to actually
> calculate the quintuplets.
> 
> The eap-aka-3gpp2 plugin is such a backend for quintuplet calculation,
> it implements the 3GPP2 specs in software. 
> 
>> And where could I fill the IMSI information and shared secret to do the
>> eap-aka authentication?? in ipsec.secrets?
> 
> The IMSI is configured in ipsec.conf as leftid to use it within the
> IKEv2 identity exchange, or as eap_identity to use a separate
> EAP-Identity exchange.
> For eap-aka-3gpp2, the secret K is looked up in ipsec.secrets (using the
> EAP credential type).
> 
> Regards
> Martin
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
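
A check for the two load-statement problems this thread points at (the pre-4.3.5 name eapaka, and eap-aka loaded without eap-aka-3gpp2), as an added example that is not part of the original messages or of strongSwan. The function names and sample configurations are constructed for illustration, and only the rename and the backend visible in the thread are covered.

```python
import re

# Assumption: only the rename visible in this thread (eapaka -> eap-aka) is listed.
RENAMED = {"eapaka": "eap-aka"}
# Assumption: eap-aka-3gpp2 is the only quintuplet backend considered here.
AKA_BACKENDS = {"eap-aka-3gpp2"}

def load_plugins(conf_text):
    """Return the plugin names of the first 'load =' statement, or None if absent."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)  # join backslash continuations
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"load\s*=\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return None

def check_load(conf_text):
    """Return a list of findings for an explicit load statement."""
    plugins = load_plugins(conf_text)
    if plugins is None:
        return []  # no explicit load statement, nothing to check
    findings = []
    for name in plugins:
        if name in RENAMED:
            findings.append(f"'{name}' is the pre-4.3.5 name; use '{RENAMED[name]}'")
    present = {RENAMED.get(p, p) for p in plugins}
    if "eap-aka" in present and not (present & AKA_BACKENDS):
        findings.append("eap-aka is loaded without a quintuplet backend such as eap-aka-3gpp2")
    return findings

# Constructed samples modelled on the load lines quoted in this thread.
CLIENT_CONF = """charon {
  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey pem pkcs1 hmac \\
         xcbc stroke kernel-netlink fips-prf eapaka updown
}
"""
FIXED_CONF = """charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc \\
         stroke kernel-netlink fips-prf eap-aka eap-aka-3gpp2 updown
}
"""

if __name__ == "__main__":
    for label, conf in (("client", CLIENT_CONF), ("fixed", FIXED_CONF)):
        print(label, check_load(conf) or "ok")
```
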