Hi Volodymyr,

the authentication rounds are mandatory, not optional.
That's why charon expects three rounds of auth and
fails since only two were done.
You need to split the config into one where you only
offer pubkey + eap auth and the other one employing
psk only. charon should then be able to select the
appropriate config based on the peer's auth.

Thomas

Note: re-reply to address list

On 7/16/20 11:01 AM, Volodymyr Litovka wrote:
> Hi, colleagues,
>
> probably this is a very simple question and I'm just missing something very 
> clear :)
>
> I’m trying to use a few rounds of auth, like this:
>
> connections {
>     ikev2-eap-mschapv2 {
>         version = 2
>         local_addrs = x.x.x.x
>         remote_addrs = %any
>         pools = radius
>         [ … ]
>         local {
>             auth = pubkey
>             certs = fullchain.pem
>             id = fqdn.my
>         }
>         remote-eap {
>             round = 1
>             auth = eap-radius
>             id = %any
>             eap_id = %any
>         }
>         remote-psk {
>             round = 2
>             auth = psk
>             id = %any
>         }
>         children {
>             [ … ]
>         }
>     }
> }
> secrets {
>     [ … ]
> }
>
> The basic idea is to give a client a chance to authenticate in two ways: try 
> EAP and if it fails, then try PSK.
>
> But on the output I see the following error in syslog:
>
> Jul 16 11:47:47 test charon-systemd[25937]: authentication of 'doka' with EAP successful
> Jul 16 11:47:47 test strongswan: 12[IKE] <ikev2-eap-mschapv2|75> authentication of 'doka' with EAP successful
> Jul 16 11:47:47 test charon-systemd[25937]: selected peer config 'ikev2-eap-mschapv2' inacceptable: insufficient authentication rounds
> Jul 16 11:47:47 test strongswan: 12[IKE] <ikev2-eap-mschapv2|75> IKE_SA ikev2-eap-mschapv2[75] state change: CONNECTING => DESTROYING
> Jul 16 11:47:47 test charon-systemd[25937]: no alternative config found
> Jul 16 11:47:47 test charon-systemd[25937]: generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
>
> Also, I tried to create local-c1 {round = 1} and local-c2 {round = 2} in 
> order to match the number of rounds in the remote sections, but with the same 
> result.
>
> So, the question is whether my understanding of rounds is correct and, if 
> yes, what I’m missing in this config to get it working as I expect?
>
> Thank you.
>
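The split Thomas describes, written out as an added swanctl.conf example (it is not part of the thread and not strongSwan project code). Instead of one connection with two mandatory remote rounds, there are two connections that differ only in how the peer authenticates, so charon can select the matching one at IKE_AUTH: a peer that asks for EAP (no AUTH payload in its first IKE_AUTH) matches the first, a peer that sends a PSK-based AUTH matches the second. The addresses, identity, certificate file, pool name and range, child names and the secret are placeholders and assumptions; the local pool for the PSK connection is there because the "radius" pool is filled from RADIUS attributes and is not available to a connection that never talks to RADIUS.

```conf
# Added example, not from the original thread. Placeholder values throughout.
connections {
    # Certificate + EAP peers (e.g. EAP-MSCHAPv2 relayed to RADIUS).
    # One local round, one remote round; no "round" keys needed.
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = x.x.x.x
        remote_addrs = %any
        pools = radius
        local {
            auth = pubkey
            certs = fullchain.pem
            id = fqdn.my
        }
        remote {
            auth = eap-radius
            id = %any
            eap_id = %any
        }
        children {
            eap-net {
                local_ts = 0.0.0.0/0
            }
        }
    }

    # PSK-only peers. Same addresses and local identity, different auth,
    # so charon can switch to this config based on the peer's AUTH method.
    ikev2-psk {
        version = 2
        local_addrs = x.x.x.x
        remote_addrs = %any
        pools = psk-pool
        local {
            auth = psk
            id = fqdn.my
        }
        remote {
            auth = psk
            id = %any
        }
        children {
            psk-net {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    # Locally managed virtual IP pool for PSK clients (assumed range).
    psk-pool {
        addrs = 10.99.0.0/24
    }
}

secrets {
    # PSK for the ikev2-psk connection. "id = %any" means every PSK
    # client shares this one key; placeholder value, replace it.
    ike-psk-clients {
        id = %any
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

After loading with `swanctl --load-all`, the "insufficient authentication rounds" line should no longer appear for EAP clients, because the selected config now expects exactly the one remote round the peer performed. Two design points worth keeping in mind: a single `id = %any` PSK is shared by all PSK clients, so a per-client `ike-*` secret entry with a specific `id` is the tighter choice when the client identities are known; and both connections must keep identical `local_addrs`, `remote_addrs` and IKE proposals, since charon picks a candidate by address at IKE_SA_INIT and only re-selects among configs matching those parameters at IKE_AUTH (the "no alternative config found" line in the log is that re-selection failing).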
