Hi Shreyas,

N(EAP_ONLY) is just the announcement of the RFC 5998 Mutual EAP capability
and this notification is always sent by a strongSwan initiator, even when
it is doing PSK or public key based authentication.

EAP is only activated by the responder when the AUTH payload is missing
in the IKE_AUTH request which is clearly *not* the case in your example.

Regards

Andreas

On 03.08.2017 00:11, Shreyas Heranjal wrote:
> Hi!
>
> I am trying to use strongswan for IKEv2.
>
> The use case that I am stuck with is where strongswan acts as
> initiator and Ixia acts as the responder.
>
> Despite setting psk as the leftauth/rightauth method in the ipsec.conf
> file, I see that the IKE_AUTH is sent in the Initiator request
>
> This is what the ike_auth message shows up as in strongswan
> "[ IDi IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
> N(MULT_AUTH) *N(EAP_ONLY)* N(MSG_ID_SYN_SUP) ]"
>
> Shouldn't this be sent only if eap is enabled in the leftauth field?
> Looks like it's the same issue with Cisco as well.
>
> I spoke to the Ixia folks and this is what they had to say -
> "After investigating this issue we found out as possible cause for it
> the fact that the packet IKE_AUTH sent by initiator (strongswan or even
> your sw) contains the EAP_ONLY payload.
> When IxLoad IPSec responder mode receives the IKE_AUTH packet
> containing the EAP_ONLY payload, it does not insert the Authentication
> payload in its IKE_AUTH response and this seems to make the initiator to
> send Authentication Failed."
>
> So, my question - What is EAP_ONLY sent? Is this configurable not to
> send it?
>
> - Shreyas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
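
Added example (not part of the thread and not strongSwan or Ixia code): a sketch of the responder-side decision described in the reply, keyed on whether the AUTH payload is present rather than on the EAP_ONLY_AUTHENTICATION notify. It assumes the IKE_AUTH payload chain has already been decrypted; the function names, mode strings and sample bytes are constructed for illustration.

```python
import struct

# Payload type numbers from RFC 7296; notify type from RFC 5998.
IDI, AUTH, NOTIFY = 35, 39, 41
EAP_ONLY_AUTHENTICATION = 16417

def build_chain(payloads):
    """Serialize (type, body) pairs with generic headers: next, flags, length."""
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return payloads[0][0], out

def parse_chain(first, data):
    """Walk the payload chain; reject truncated or inconsistent lengths."""
    result, ptype, off = [], first, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        result.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    return result

def responder_auth_mode(first, data):
    """Return (mode, eap_only_announced) for a decrypted IKE_AUTH request."""
    payloads = parse_chain(first, data)
    # Notify body: protocol ID (1), SPI size (1), notify message type (2), ...
    notifies = {struct.unpack_from("!H", body, 2)[0]
                for ptype, body in payloads if ptype == NOTIFY and len(body) >= 4}
    eap_only = EAP_ONLY_AUTHENTICATION in notifies
    # The AUTH payload decides; the notify is only a capability announcement.
    if any(ptype == AUTH for ptype, _ in payloads):
        return "verify-AUTH", eap_only
    return "start-EAP", eap_only

# Constructed sample requests (not captured traffic).
_ID = (IDI, b"\x02\x00\x00\x00" + b"vpn.example")      # ID_FQDN
_AUTH = (AUTH, b"\x02\x00\x00\x00" + b"\xaa" * 20)     # shared key MIC method
_N = (NOTIFY, struct.pack("!BBH", 0, 0, EAP_ONLY_AUTHENTICATION))
PSK_REQUEST = build_chain([_ID, _AUTH, _N])  # AUTH plus notify, as in the thread
EAP_REQUEST = build_chain([_ID, _N])         # AUTH omitted by the initiator

if __name__ == "__main__":
    print(responder_auth_mode(*PSK_REQUEST))
    print(responder_auth_mode(*EAP_REQUEST))
```

Both sample requests carry the notify, but only the one without AUTH leads the responder into EAP.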
