Hello Olivier,

you must enable and load the eap-identity module:

  ./configure --enable-eap-identity --enable-eap-mschapv2

After starting strongSwan the command

  ipsec statusall

should list the eap-identity and eap-mschapv2 plugins.

Regards

Andreas

On 07/10/2011 01:46 PM, Olivier PELERIN wrote:
>
> I'm connecting to a Cisco router which queries for the EAP identity
>
> The router sends:
> *Jul 10 11:44:01.237: IKEv2:(SA ID = 1):Building packet for encryption.
> Payload contents:
> VID Next payload: IDr, reserved: 0x0, length: 20
> IDr Next payload: CERT, reserved: 0x0, length: 74
> Id type: DER ASN1 DN, Reserved: 0x0 0x0
> CERT Next payload: AUTH, reserved: 0x0, length: 865
> Cert encoding X.509 Certificate - signature
> AUTH Next payload: EAP, reserved: 0x0, length: 264
> Auth method RSA, reserved: 0x0, reserved 0x0
> EAP Next payload: NONE, reserved: 0x0, length: 10
> Code: request: id: 59, length: 6
> Type: identity
>
> and I get a NAK from the strongswan
>
>
>
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] authentication of 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with RSA signature successful
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] server requested EAP_IDENTITY, sending 'cisco'
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] EAP_IDENTITY not supported, sending EAP_NAK
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] reinitiating already active tasks
> Jul 10 13:32:26 ironmaiden charon: 13[IKE] IKE_AUTHENTICATE task
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to message
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to message
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> Jul 10 13:32:26 ironmaiden charon: 13[ENC] insert payload EXTENSIBLE_AUTHENTICATION to encryption payload
>
>
> conn cisco
>     left=10.1.1.1
>     right=10.1.1.254
>     keyexchange=ikev2
>     ike=3des-sha1-modp1024
>     esp=aes-sha1
>     leftauth=eap-mschapv2
>     leftid=10.1.1.1
>     eap_identity=cisco
>     rightsubnet=0.0.0.0/0
>     auto=start
>     mobike=no
>
>
>
> This config works well with a true windows7 client.... Why is
> EAP-Identity not supported?
>
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Date: Sun, 10 Jul 2011 13:06:11 +0200
> Subject: Re: [strongSwan] trying to configure strongswan to act like a windows7 client
>
> Ok I think I've found it
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/index.html
>
> Let me play a bit
>
>
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: trying to configure strongswan to act like a windows7 client
> Date: Sun, 10 Jul 2011 11:57:57 +0200
>
> Hello,
>
>
> I would like to emulate a windows7 ikev2 client by using strongswan.
> Does anyone have an idea?
>
> Cheers,

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
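
Added example (not part of the original thread and not strongSwan project code): a small Python check that pairs the "not supported, sending EAP_NAK" lines from the charon log with the "loaded plugins:" line of ipsec statusall and names the configure switch that is missing. The sample inputs are constructed from the log wording quoted above; the plugin list and the rule EAP_X -> eap-x are assumptions that match the two plugins named in the reply.

```python
import re

# Log wording as it appears in the charon output quoted in this thread.
NAK_RE = re.compile(r"\[IKE\]\s+(EAP_[A-Z0-9_]+) not supported,\s+sending EAP_NAK")
PLUGINS_RE = re.compile(r"^\s*loaded plugins:\s*(.*)$", re.MULTILINE)

def plugin_for(method):
    """Assumed naming rule: EAP_IDENTITY -> eap-identity, EAP_MSCHAPV2 -> eap-mschapv2."""
    return method.lower().replace("_", "-")

def refused_methods(log_text):
    """EAP methods charon answered with a NAK, first-seen order, no duplicates."""
    seen = []
    for match in NAK_RE.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def loaded_plugins(statusall_text):
    """Plugin names from the 'loaded plugins:' line; empty set if the line is absent."""
    match = PLUGINS_RE.search(statusall_text)
    return set(match.group(1).split()) if match else set()

def diagnose(log_text, statusall_text):
    """Return (method, plugin, configure switch) for every refused method whose plugin is not loaded."""
    loaded = loaded_plugins(statusall_text)
    return [(m, plugin_for(m), "--enable-" + plugin_for(m))
            for m in refused_methods(log_text) if plugin_for(m) not in loaded]

# Constructed sample input: log lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Jul 10 13:32:26 ironmaiden charon: 13[IKE] server requested EAP_IDENTITY, sending 'cisco'
Jul 10 13:32:26 ironmaiden charon: 13[IKE] EAP_IDENTITY not supported, sending EAP_NAK
Jul 10 13:32:26 ironmaiden charon: 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
"""
# Constructed sample input: plugin lists before and after rebuilding (illustrative names).
STATUS_BEFORE = "  loaded plugins: aes des sha1 hmac x509 pubkey stroke kernel-netlink eap-mschapv2\n"
STATUS_AFTER = STATUS_BEFORE.rstrip("\n") + " eap-identity\n"

if __name__ == "__main__":
    for method, plugin, switch in diagnose(SAMPLE_LOG, STATUS_BEFORE):
        print(f"{method} refused: plugin {plugin} not loaded, rebuild with ./configure {switch}")
```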
