Hi Richard,

I found the reason for this failure. The only thing from the IKE_AUTH request that affects the computation of the AUTH value is the ID, as in prf(Sk_px, IDx'). Now I somehow assumed IDx' is just the Identification Data of the IDx payload, but it's not; IDx' is actually IDType | RESERVED | IDData.

The problem is that in build_tbs_octets ([1]) IDx' is built from the identification_t object, it's not based on the actually received payload, and there it is assumed that RESERVED is zero. Fixing this properly would probably need quite some changes; I have to discuss that with Martin first. To verify it, you can set the three reserved bytes in build_tbs_octets to the value sent by the initiator.

Regards,
Tobias

[1] src/charon/sa/authenticators/psk_authenticator.c
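
The mismatch described in this message, as an added example (not strongSwan code and not part of the original e-mail): it computes the PSK AUTH value from RFC 7296 section 2.15 once over IDx' taken from the received payload bytes and once over IDx' rebuilt with RESERVED forced to zero. HMAC-SHA1 as the prf, all function names, and all keys, nonces and message bytes are assumptions constructed for the illustration.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # constant from RFC 7296, section 2.15

def prf(key, data):
    # Assumption: PRF_HMAC_SHA1 was negotiated for this IKE SA.
    return hmac.new(key, data, hashlib.sha1).digest()

def parse_id_body(body):
    """Split an ID payload body (the part after the generic payload header)."""
    if len(body) < 4:
        raise ValueError("ID payload body shorter than 4 bytes")
    return body[0], body[1:4], body[4:]

def idx_from_wire(body):
    # IDx' as received: IDType | RESERVED | IDData
    id_type, reserved, id_data = parse_id_body(body)
    return bytes([id_type]) + reserved + id_data

def idx_rebuilt(body):
    # IDx' rebuilt from type and data only, RESERVED assumed to be zero
    id_type, _, id_data = parse_id_body(body)
    return bytes([id_type]) + b"\x00\x00\x00" + id_data

def psk_auth(psk, sk_p, message, nonce, idx):
    # AUTH = prf(prf(PSK, "Key Pad for IKEv2"), message | nonce | prf(SK_p, IDx'))
    return prf(prf(psk, KEY_PAD), message + nonce + prf(sk_p, idx))

# Constructed sample values, not taken from any real exchange.
PSK = b"constructed-psk"
SK_P = bytes(range(20))
MESSAGE = b"constructed IKE_SA_INIT message bytes"
NONCE = bytes(range(32, 64))
ID_DATA = b"peer@example.org"
ID_ZERO = bytes([3, 0, 0, 0]) + ID_DATA              # ID_RFC822_ADDR, RESERVED = 0
ID_NONZERO = bytes([3, 0xAA, 0xBB, 0xCC]) + ID_DATA  # same ID, RESERVED != 0

def auth_matches(body):
    """True if AUTH over the wire bytes equals AUTH over the rebuilt IDx'."""
    sent = psk_auth(PSK, SK_P, MESSAGE, NONCE, idx_from_wire(body))
    checked = psk_auth(PSK, SK_P, MESSAGE, NONCE, idx_rebuilt(body))
    return hmac.compare_digest(sent, checked)

if __name__ == "__main__":
    print("RESERVED zero:   ", auth_matches(ID_ZERO))
    print("RESERVED nonzero:", auth_matches(ID_NONZERO))
```

With RESERVED set to zero both computations agree; with any other value the verifier's AUTH differs from the sender's even though the PSK and the identity are the same.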