Hello Daniel, there are several difficulties:
- First, ipsec starter doesn't know anything about charon's loaded plugins.
  Therefore we cannot do any checks during the parsing of ipsec.conf.

- Second, an EAP client doesn't know which EAP method will be applied
  before receiving this information from the EAP server during the
  actual negotiation. Thus we could check for the presence of EAP
  plugins when receiving connection information via the stroke interface
  for servers only.

- Third, the plugin loader does not know which methods are registered by
  a given plugin. It is even possible that several plugins register
  different implementations of the same method. Thus we are not able to
  point to a missing plugin if a required method is missing.

- Also there might be several possible reasons why a plugin is not loaded.
  Either it hasn't been compiled at all (missing --enable directive) or
  the plugin is not listed in an explicit load statement in strongswan.conf.

- What I can offer towards increased user friendliness is to differentiate
  between the server error messages:

    moon charon: 14[IKE] loading EAP_MSCHAPV2 method failed

  if no method, i.e. no plugin implementing this method is present
  and the existing error message

    moon charon: 14[IKE] initiating EAP_MSCHAPV2 method failed

  if the subsequent initialization fails due to various internal reasons.

- On the EAP client the error message remains

    carol charon: 14[IKE] server requested EAP_MSCHAPV2 authentication
    carol charon: 14[IKE] EAP method not supported, sending EAP_NAK

This change has been checked in as

http://wiki.strongswan.org/repositories/revision/1/83c282ebb44d10d09223f62e97295f7603d61b08

Best regards

Andreas

Daniel Mentz wrote:
> I tried to set up a strongSwan as a gateway for Windows 7 (MSCHAPv2). But
> it did not work. After some time of troubleshooting, it turned out that
> I failed to include the following parameters when running ./configure
>
> --enable-eap-mschapv2
> --enable-md4
>
> The log file of strongSwan wasn't very helpful while troubleshooting. My
> request is to improve on that. Example: If I include the following line
> in ipsec.conf
>
> leftauth=eap-mschapv2
>
> and eap-mschapv2 is not compiled in, it should tell me something like
> "Hey dude, you're trying to use MSCHAPv2 but it's not compiled in. Check
> the installation instructions and recompile"
>
> Also, I think the autoconf script should complain if I enable
> eap-mschapv2 but not md4 at the same time.
>
> Should we add this hint also to the wiki page? I think we should.
>
> Thanks
> -Daniel

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
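
The log messages discussed in the mail above can be told apart mechanically when reading a charon log. The following is an added example, not part of the original thread and not strongSwan code: a Python triage of charon log lines that separates the "loading" and "initiating" server failures and recovers the method behind a client EAP_NAK. The function name triage, the hint texts and the timestamps in the sample are assumptions, as is the premise that the "server requested" and NAK lines carry the same thread number, as they do in the mail's sample.

```python
import re

# host, daemon, thread number, subsystem, message: the layout of the lines quoted in the mail
LINE = re.compile(r"(?P<host>\S+) charon: (?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$")
SERVER_FAIL = re.compile(r"(?P<stage>loading|initiating) (?P<method>EAP_\w+) method failed")
REQUESTED = re.compile(r"server requested (?P<method>EAP_\w+) authentication")
NAK = "EAP method not supported, sending EAP_NAK"

HINTS = {  # hint wording is an assumption, condensed from the mail
    "loading": "no loaded plugin implements this method: check the --enable "
               "directive at build time and the load statement in strongswan.conf",
    "initiating": "a plugin provides the method but its initialization failed",
    "nak": "client does not support the method the server requested",
}

def triage(lines):
    """Return (host, role, method, hint) tuples for EAP failures in charon log lines."""
    findings = []
    pending = {}  # (host, thread) -> method last requested by the server
    for raw in lines:
        m = LINE.search(raw)
        if not m or m["subsys"] != "IKE":
            continue
        key, msg = (m["host"], m["thread"]), m["msg"].strip()
        if (f := SERVER_FAIL.search(msg)):
            findings.append((m["host"], "server", f["method"], HINTS[f["stage"]]))
        elif (r := REQUESTED.search(msg)):
            pending[key] = r["method"]
        elif NAK in msg:
            # The NAK line does not name the method; recover it from the
            # preceding "server requested" line of the same host and thread.
            findings.append((m["host"], "client", pending.pop(key, "unknown"), HINTS["nak"]))
    return findings

# Constructed sample built from the messages quoted in the mail (timestamps invented).
SAMPLE = """\
Jan  1 00:00:01 moon charon: 14[IKE] loading EAP_MSCHAPV2 method failed
Jan  1 00:00:02 moon charon: 09[IKE] initiating EAP_MSCHAPV2 method failed
Jan  1 00:00:03 carol charon: 14[IKE] server requested EAP_MSCHAPV2 authentication
Jan  1 00:00:03 carol charon: 14[IKE] EAP method not supported, sending EAP_NAK
Jan  1 00:00:04 carol charon: 07[IKE] EAP method not supported, sending EAP_NAK
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```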