Hi! I am trying to use strongSwan for IKEv2.

The use case that I am stuck with is where strongSwan acts as initiator and Ixia acts as the responder. Despite setting psk as the leftauth/rightauth method in the ipsec.conf file, I see that the IKE_AUTH is sent in the Initiator request. This is what the IKE_AUTH message shows up as in strongSwan:

"[ IDi IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) *N(EAP_ONLY)* N(MSG_ID_SYN_SUP) ]"

Shouldn't this be sent only if eap is enabled in the leftauth field? Looks like it's the same issue with Cisco as well.

I spoke to the Ixia folks and this is what they had to say:

"After investigating this issue we found out as possible cause for it the fact that the packet IKE_AUTH sent by initiator (strongswan or even your sw) contains the EAP_ONLY payload. When IxLoad IPSec responder mode receives the IKE_AUTH packet containing the EAP_ONLY payload, it does not insert the Authentication payload in its IKE_AUTH response and this seems to make the initiator to send Authentication Failed."

So, my question - Why is EAP_ONLY sent? Is this configurable not to send it?

- Shreyas
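To confirm from a decrypted capture which payloads an IKE_AUTH request carries, the sketch below (an added example, not part of the original post and not strongSwan or Ixia code) walks an IKEv2 payload chain and reports whether an AUTH payload and the EAP_ONLY_AUTHENTICATION notify appear together, as in the log line above. It assumes the input is the already-decrypted content of the Encrypted payload; `build_chain`, `notify` and `SAMPLE` are constructed helpers and test data with dummy payload bodies.

```python
import struct

# Type numbers from the IANA IKEv2 parameters registry.
PAYLOAD = {33: "SA", 35: "IDi", 36: "IDr", 39: "AUTH", 41: "N", 44: "TSi", 45: "TSr"}
NOTIFY = {16394: "ESP_TFC_PADDING_NOT_SUPPORTED", 16396: "MOBIKE_SUPPORTED",
          16399: "NO_ADDITIONAL_ADDRESSES", 16404: "MULTIPLE_AUTH_SUPPORTED",
          16417: "EAP_ONLY_AUTHENTICATION", 16420: "IKEV2_MESSAGE_ID_SYNC_SUPPORTED"}

def walk_payloads(first_type, data):
    """Label each payload in a decrypted IKEv2 payload chain."""
    labels, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        # Generic header: next payload, critical/reserved byte, total length.
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("payload length out of bounds")
        body = data[off + 4:off + length]
        label = PAYLOAD.get(ptype, "type-%d" % ptype)
        if ptype == 41:  # Notify: protocol ID, SPI size, 16-bit message type
            if len(body) < 4:
                raise ValueError("truncated Notify payload")
            ntype = struct.unpack_from("!H", body, 2)[0]
            label = "N(%s)" % NOTIFY.get(ntype, ntype)
        labels.append(label)
        ptype, off = next_type, off + length
    return labels

def auth_and_eap_only(labels):
    """Return (AUTH payload present, EAP_ONLY_AUTHENTICATION notify present)."""
    return "AUTH" in labels, "N(EAP_ONLY_AUTHENTICATION)" in labels

def build_chain(items):
    """Constructed test input: items are (payload type, body bytes) pairs."""
    out = b""
    for i, (_ptype, body) in enumerate(items):
        next_type = items[i + 1][0] if i + 1 < len(items) else 0
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return items[0][0], out

def notify(ntype):
    """Constructed Notify payload with no SPI and no notification data."""
    return 41, struct.pack("!BBH", 0, 0, ntype)

# Constructed sample mirroring the payload order in the log line; bodies are dummy bytes.
SAMPLE = build_chain([(35, b"\0" * 8), (36, b"\0" * 8), (39, b"\0" * 8), notify(16394),
                      (33, b"\0" * 8), (44, b"\0" * 8), (45, b"\0" * 8), notify(16396),
                      notify(16399), notify(16404), notify(16417), notify(16420)])
```

Calling `walk_payloads(*SAMPLE)` returns the labels in wire order, and `auth_and_eap_only` on that list shows whether the request carried both the AUTH payload and the notify.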
