Hi Martin,

Thanks for your timely reply,

> A more complete log from the board would really help.

I attached the board side log as below, it's not so detailed... I hope it can do a little help.

--------#bash output#
Starting strongSwan 4.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
root@picopc7802:/usr/local/etc/ipsec.d/cacerts# ipsec up home
initiating IKE_SA home[1] to 10.21.1.150
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.21.1.210[500] to 10.21.1.150[500]
received packet: from 10.21.1.150[500] to 10.21.1.210[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=CN, O=ict, CN=strongSwan CA"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
received end entity cert "C=CN, O=ict-gw, CN=peer"
using certificate "C=CN, O=ict-gw, CN=peer"
using trusted ca certificate "C=CN, O=ict, CN=strongSwan CA"
checking certificate status of "C=CN, O=ict-gw, CN=peer"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'C=CN, O=ict-gw, CN=peer' with RSA signature successful
server requested EAP_AKA authentication (id 0xBC)
generating IKE_AUTH request 2 [ EAP/RES/AKA ]
sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
EAP_AKA MAC verification failed
sending client error 'unable to process packet'
generating IKE_AUTH request 3 [ EAP/RES/AKA ]
sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed

----------#log on board#
Sep 6 19:47:00 picopc7802 authpriv.warn ipsec_starter[426]: chaRnot flush IPsec state/policy database
Sep 6 19:47:00 picopc7802 authpriv.warn ipsec_ authpriv.warn ipsec_starter[451]: !! http://wiki.rongswan.org/projects/strongswan/wiki/PluginLoad
Sep 6 19:47:03 picopc7802 daemon.info charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Sep 6 19:47:03 picopc7802 daemon.info charon: 00[LIB] plugin 'curl' failed to load: /usr/local/lib/ipsec/plugin '/usr/l/etc/ipsec.d/cacerts/caCert.pem'
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.dpts'
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[CFG] loaded EAP secret for %any
Sep 6 19:47:04 picopc7802 daemon s: 19:47:04 picopc7802 daemon.info charon: 00[KNL] eth0
Sep 19:47:04 picopc7802 daemon.info charon: 00[NET] could not open IPv6 socket, IPv6 disabled
Sep 6 19:47:04 picopc7802 daemon.info charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka:06 picopc7802 daemon.info charon: 1 receistroke: initiate 'home'
Sep 6 19:47:06 picopc7802 daemon.info charon: 13[IKE] initiating IKE_SA home[1] to 10.21.1.150
Sep 6 19:47:06 picopc7802 authpriv.info charon: 130.21.500] to 10.21.1.210[500]
Sep 6 19:47:07 picopc7802 daemon.info charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA p07 pico802 .info charon: 15[IKE] sending cert request for "C=CN07 picopc7802 daemon.info charon: 15[NET] sending packet: from 10.21.1.210[4500] to 10.21.1.150[4500]
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[NET] received packet: from 10.21.1.150[4500] to 10.21.1.210[4500]
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
Sep 6 19:47:07 picop 19:picopc7802 daemon.info charon: 07[CFG] checkingifaCgw, CN=r"
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[CFG] certificate status is not available
Sep 6 19:47:07 picopc7802 daemon.info charon: 07[CFG] reached self-signed root ca with a path length of 0
Seaemon.charon: 07[NET] sending packet: from 10.21.1.2t.21.1.1500] to 10.21.1.210[4500] 7ceived pet: from 10.21.1.150[4500] to 10.21.1.210[4500]
Sep 0802 daemoninfo charon: 12[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Sep 6 19:47:07 picopc7802 daemon.info charon: 12[IKE] received EAP_FAILURE, EAP authentication failed

2011-09-06
qiqi143

From: Martin Willi
Sent: 2011-09-06 17:19:33
To: qiqi143
Cc: users
Subject: Re: [strongSwan] received EAP-AKA client error 'unable to process packet'

Hi,

> daemon log shows "client error 'unable to process packet'", board side
> can't log, it outputs something like 'MAC' error...

The error condition occurs on your board, probably because the MAC calculated for authentication does not match. A more complete log from the board would really help. Either your secrets don't match or maybe there is a bug in the AKA algorithm on your platform.

> I used cross-compilation to install strongswan onto the arm board, and
> didn't enable padlock option, could that be the reason?
> however, it's a pity that it'll show error message "impossible
> constraint in 'asm'" during 'Make' phase if padlock option enabled.

Padlock is a crypto plugin for VIA x86 processors, it does not work on ARM.

Regards
Martin
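Added example, not part of the original thread and not strongSwan code: a sketch of the AT_MAC check from RFC 4187 that the board reports as "EAP_AKA MAC verification failed". K_aut is derived from the shared secret through the AKA functions, so a mismatched secret or a faulty AKA computation on one side gives that side a different K_aut; the key values, RAND, AUTN and identifier below are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_TYPE_AKA, AKA_CHALLENGE = 1, 23, 1
AT_RAND, AT_AUTN, AT_MAC = 1, 2, 11

def attr(at_type: int, value: bytes) -> bytes:
    """Type, length in 4-byte words (5 = 20 bytes), 2 reserved bytes, 16-byte value."""
    return struct.pack("!BBH", at_type, 5, 0) + value

def at_mac(packet_with_zero_mac: bytes, k_aut: bytes) -> bytes:
    """HMAC-SHA1-128: the first 16 bytes of HMAC-SHA1 over the whole EAP packet."""
    return hmac.new(k_aut, packet_with_zero_mac, hashlib.sha1).digest()[:16]

def build_challenge(identifier: int, rand: bytes, autn: bytes, k_aut: bytes) -> bytes:
    """Server side: EAP-Request/AKA-Challenge with AT_MAC as the last attribute."""
    body = attr(AT_RAND, rand) + attr(AT_AUTN, autn) + attr(AT_MAC, bytes(16))
    header = struct.pack("!BBHBBH", EAP_REQUEST, identifier, 8 + len(body),
                         EAP_TYPE_AKA, AKA_CHALLENGE, 0)
    packet = header + body
    return packet[:-16] + at_mac(packet, k_aut)

def verify_at_mac(packet: bytes, k_aut: bytes) -> bool:
    """Peer side: zero the AT_MAC value, recompute, compare in constant time."""
    if len(packet) < 8 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    off = 8
    while off + 4 <= len(packet):
        at_type, words = packet[off], packet[off + 1]
        if words == 0:
            return False  # malformed attribute, would never advance
        if at_type == AT_MAC:
            if words != 5 or off + 20 > len(packet):
                return False
            received = packet[off + 4:off + 20]
            zeroed = packet[:off + 4] + bytes(16) + packet[off + 20:]
            return hmac.compare_digest(received, at_mac(zeroed, k_aut))
        off += words * 4
    return False  # no AT_MAC present

# Constructed sample values, not taken from the thread.
K_AUT_SERVER = bytes.fromhex("00112233445566778899aabbccddeeff")
K_AUT_BOARD = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # derived from a different secret
CHALLENGE = build_challenge(0x01, bytes(range(16)), bytes(range(16, 32)), K_AUT_SERVER)

if __name__ == "__main__":
    print("same K_aut:     ", verify_at_mac(CHALLENGE, K_AUT_SERVER))
    print("different K_aut:", verify_at_mac(CHALLENGE, K_AUT_BOARD))
```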
