Hi,

Thanks for your answer. I do set the extended authentication (I do it programmatically):

        NEVPNProtocolIKEv2* p = [[NEVPNProtocolIKEv2 alloc] init];
        p.useExtendedAuthentication = @YES;
        p.username = @"gilad";
        p.passwordReference = < password data >;
        p.serverAddress = @"1.2.3.4";
        p.authenticationMethod = NEVPNIKEAuthenticationMethodSharedSecret;
        p.sharedSecretReference = < secret data >;
        p.localIdentifier = @"gilad";
        p.remoteIdentifier = @"vpn.domain.org";
        p.disconnectOnSleep = NO;

It is working when I use a profile, but I'm trying to set the connection manually within my iOS app.

It might be a bug with Apple's SDK, although it states:

/*!
 * @property useExtendedAuthentication
 * @discussion A flag indicating if extended authentication will be negotiated. This authentication is in addition to the IKE authentication used to authenticate the endpoints of the IKE session.
 *   For IKE version 1, when this flag is set X-Auth authentication will be negotiated as part of the IKE session, using the username and password properties as the credential.
 *   For IKE version 2, when this flag is set EAP authentication will be negotiated as part of the IKE session, using the username, password, and/or identity properties as the credential depending on which EAP method the server requires.
 */
@property BOOL useExtendedAuthentication NS_AVAILABLE(10_10, 8_0);


In that case, how can I configure the server to accept connections from my iOS app?

Thanks,
Gilad


On 2015-05-27 16:28, Martin Willi wrote:
Hi,

What I don't understand is why it is failing on EAP identity when I clearly
defined 'eap_identity=%any'

parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]

parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
authentication of '%any' with pre-shared key
constraint check failed: EAP identity '%any' required

Your client does not initiate EAP, but authenticates with a pre-shared
key. It does not provide an EAP-Identity matching "%any", as no
EAP-Identity is exchanged at all.

If you want to do EAP-MSCHAPv2 with iOS IKEv2, set ExtendedAuthEnabled,
see [1].

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
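
Added example, not part of the original thread and not strongSwan code: a small Python check over charon log lines like those quoted above. It relies on the IKEv2 rule (RFC 7296, section 2.16) that an initiator asks for EAP by leaving the AUTH payload out of its first IKE_AUTH request; the function names are hypothetical.

```python
import re

# Sample input: the charon log lines quoted in this thread, copied as-is
# (the IKE_AUTH line is cut short there, so the parser tolerates a missing "]").
SAMPLE_LOG = """\
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N)
authentication of '%any' with pre-shared key
constraint check failed: EAP identity '%any' required
"""

# "parsed <EXCHANGE> request <id> [ payloads ]", closing bracket optional.
MSG_RE = re.compile(r"parsed (\w+) request (\d+) \[(.*?)(?:\]|$)")
# One payload token, keeping a parenthesised argument list together,
# so N(MULT_AUTH) is never mistaken for an AUTH payload.
PAYLOAD_RE = re.compile(r"\w+(?:\([^)]*\))?")
CONSTRAINT_RE = re.compile(r"constraint check failed: (.+)")


def first_ike_auth_payloads(log):
    """Return the payload list of the first IKE_AUTH request (message ID 1)."""
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m and m.group(1) == "IKE_AUTH" and m.group(2) == "1":
            return PAYLOAD_RE.findall(m.group(3))
    return None


def diagnose(log):
    """Hypothetical helper: compare what the client offered with what the server required."""
    payloads = first_ike_auth_payloads(log)
    failures = CONSTRAINT_RE.findall(log)
    # An initiator that wants EAP leaves AUTH out of its first IKE_AUTH request.
    requests_eap = None if payloads is None else "AUTH" not in payloads
    eap_required = any(f.startswith("EAP ") for f in failures)
    return {
        "client_requests_eap": requests_eap,
        "constraint_failures": failures,
        "mismatch": eap_required and requests_eap is False,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
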