Many thanks Andreas, I've re-emerged the package with the proper USE flags on my Gentoo Linux.

EAP is now successful. However, I'm getting the following error message:

Jul 11 11:54:06 ironmaiden charon: 16[ENC] found payload of type SECURITY_ASSOCIATION
Jul 11 11:54:06 ironmaiden charon: 16[ENC] found payload of type TRAFFIC_SELECTOR_INITIATOR
Jul 11 11:54:06 ironmaiden charon: 16[ENC] found payload of type TRAFFIC_SELECTOR_RESPONDER
Jul 11 11:54:06 ironmaiden charon: 16[ENC] parsed IKE_AUTH response 5 [ AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Jul 11 11:54:06 ironmaiden charon: 16[IKE] received SET_WINDOW_SIZE notify
Jul 11 11:54:06 ironmaiden charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED notify
Jul 11 11:54:06 ironmaiden charon: 16[IKE] received NON_FIRST_FRAGMENTS_ALSO notify
Jul 11 11:54:06 ironmaiden charon: 16[IKE] authentication of 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with EAP successful
Jul 11 11:54:06 ironmaiden charon: 16[CFG] constraint check failed: identity 'C=BE, O=CISCO, OU=TAC, CN=10.1.1.254' required
Jul 11 11:54:06 ironmaiden charon: 16[CFG] selected peer config 'C=BE,O=CISCO,OU=TAC,CN=10.1.1.254' inacceptable
Jul 11 11:54:06 ironmaiden charon: 16[CFG] no alternative config found
Jul 11 11:54:06 ironmaiden charon: 16[KNL] deleting SAD entry with SPI ce5058a0
Jul 11 11:54:06 ironmaiden charon: 16[KNL] deleted SAD entry with SPI ce5058a0
Jul 11 11:54:06 ironmaiden charon: 16[IKE] IKE_SA C=BE,O=CISCO,OU=TAC,CN=10.1.1.254[1] state change: CONNECTING => DESTROYING
Jul 11 11:54:10 ironmaiden charon: 01[JOB] got event, queuing job for execution

Why is my peer config unacceptable?

ironmaiden strongswan_ikev2 # cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        charondebug="ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
        crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=yes
# Add connections here.
conn "C=BE,O=CISCO,OU=TAC,CN=10.1.1.254"
        left=10.1.1.1
        right=10.1.1.254
        keyexchange=ikev2
        ike=3des-sha1-modp1024
        esp=aes-sha1
        leftauth=eap-mschapv2
        leftid=cisco
        rightid="C=BE,O=CISCO,OU=TAC,CN=10.1.1.254"
        eap_identity=cisco
        rightsubnet=0.0.0.0/0
        auto=start
        mobike=no

I've tried various rightids, but it never went OK.
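As an added example (not part of this thread or of strongSwan), a small Python checker that pulls the authenticated peer DN and the DN the selected config requires out of charon log lines like the ones above and reports how the two differ; the embedded sample lines are copied from the log in this post, and the suggested rightid simply repeats the DN exactly as charon logged it.

```python
import re

# Sample input (copied from the log in this thread): the two decisive charon lines.
LOG_LINES = [
    "Jul 11 11:54:06 ironmaiden charon: 16[IKE] authentication of "
    "'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with EAP successful",
    "Jul 11 11:54:06 ironmaiden charon: 16[CFG] constraint check failed: identity "
    "'C=BE, O=CISCO, OU=TAC, CN=10.1.1.254' required",
]

def parse_dn(dn):
    """Split 'C=BE, O=Cisco' into an ordered list of (attribute, value) pairs."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def extract_identities(lines):
    """Return (authenticated peer DN, DN the selected peer config requires)."""
    auth = req = None
    for line in lines:
        m = re.search(r"authentication of '([^']+)' with .* successful", line)
        if m:
            auth = m.group(1)
        m = re.search(r"constraint check failed: identity '([^']+)' required", line)
        if m:
            req = m.group(1)
    return auth, req

def diff_dns(peer_dn, required_dn):
    """List how the peer's DN differs from the required one ([] if identical).
    Assumes each attribute type (C, O, OU, CN) occurs once per DN."""
    peer, req = parse_dn(peer_dn), parse_dn(required_dn)
    # Same attributes and values once order and letter case are ignored?
    fold = lambda rdns: sorted((a.upper(), v.upper()) for a, v in rdns)
    if fold(peer) != fold(req):
        return ["attribute sets differ, not just order or case"]
    findings = []
    peer_attrs = [a.upper() for a, _ in peer]
    req_attrs = [a.upper() for a, _ in req]
    if peer_attrs == req_attrs[::-1]:
        findings.append("RDN order reversed")
    elif peer_attrs != req_attrs:
        findings.append("RDN order differs")
    req_vals = {a.upper(): v for a, v in req}
    for a, v in peer:
        if v != req_vals[a.upper()]:
            findings.append(f"{a} value differs only in case: '{v}' vs '{req_vals[a.upper()]}'")
    return findings

def suggested_rightid(lines):
    """rightid= line that repeats the DN exactly as charon logged it."""
    return f'rightid="{extract_identities(lines)[0]}"'
```

On the lines from this post it reports a reversed RDN order and an O value that differs only in case (Cisco vs CISCO), which is exactly what the two quoted identities differ in.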



> Date: Sun, 10 Jul 2011 21:47:36 +0200
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [strongSwan] trying to configure strongswan to act like a 
> windows7 client
> 
> Hello Olivier,
> 
> you must enable and load the eap-identity module:
> 
>    ./configure --enable-eap-identity --enable-eap-mschapv2
> 
> After starting strongSwan the command
> 
>    ipsec statusall
> 
> should list the eap-identity and eap-mschapv2 plugins.
> 
> Regards
> 
> Andreas
> 
> On 07/10/2011 01:46 PM, Olivier PELERIN wrote:
> >
> > I'm connecting to a Cisco router which query for the EAP identity
> >
> > The router sends:
> > *Jul 10 11:44:01.237: IKEv2:(SA ID = 1):Building packet for encryption.
> > Payload contents:
> > VID Next payload: IDr, reserved: 0x0, length: 20
> > IDr Next payload: CERT, reserved: 0x0, length: 74
> > Id type: DER ASN1 DN, Reserved: 0x0 0x0
> > CERT Next payload: AUTH, reserved: 0x0, length: 865
> > Cert encoding X.509 Certificate - signature
> > AUTH Next payload: EAP, reserved: 0x0, length: 264
> > Auth method RSA, reserved: 0x0, reserved 0x0
> > EAP Next payload: NONE, reserved: 0x0, length: 10
> > Code: request: id: 59, length: 6
> > Type: identity
> >
> > and I get a NAK from the strongswan
> >
> >
> >
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] authentication of
> > 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with RSA signature successful
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] server requested
> > EAP_IDENTITY, sending 'cisco'
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] EAP_IDENTITY not supported,
> > sending EAP_NAK
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] reinitiating already active tasks
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] IKE_AUTHENTICATE task
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type
> > EXTENSIBLE_AUTHENTICATION to message
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type
> > EXTENSIBLE_AUTHENTICATION to message
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] generating IKE_AUTH request 2
> > [ EAP/RES/NAK ]
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] insert payload
> > EXTENSIBLE_AUTHENTICATION to encryption payload
> >
> >
> > conn cisco
> > left=10.1.1.1
> > right=10.1.1.254
> > keyexchange=ikev2
> > ike=3des-sha1-modp1024
> > esp=aes-sha1
> > leftauth=eap-mschapv2
> > leftid=10.1.1.1
> > eap_identity=cisco
> > rightsubnet=0.0.0.0/0
> > auto=start
> > mobike=no
> >
> >
> >
> > This config works well with a true windows7 client.... Why EAP-Identity
> > is not supported?
> >
> >
> > ------------------------------------------------------------------------
> > From: [email protected]
> > To: [email protected]
> > Date: Sun, 10 Jul 2011 13:06:11 +0200
> > Subject: Re: [strongSwan] trying to configure strongswan to act like a
> > windows7 client
> >
> > Ok I think I've found it
> >
> > http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/index.html
> >
> > Let me play a bit
> >
> >
> >
> > ------------------------------------------------------------------------
> > From: [email protected]
> > To: [email protected]
> > Subject: trying to configure strongswan to act like a windows7 client
> > Date: Sun, 10 Jul 2011 11:57:57 +0200
> >
> > Hello,
> >
> >
> > I would like to emulate a windows7 ikev2 client by using strongswan.
> > Does anyone have an idea?
> >
> > Cheers,
> 
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
                                          
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users