Hi,

I want to test a TNC setup according to
https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
https://wiki.strongswan.org/projects/strongswan/wiki/TNCC

The authentication should be EAP-MD5, so the first sample on the web site. I think I followed the doc quite closely, but I am stuck with "ipsec up" failing. The client log says:

(...)
EAP method EAP_TTLS succeeded, MSK established
authentication of 'CN=client' (myself) with EAP
generating IKE_AUTH request 12 [ AUTH ]
sending packet: from 192.168.57.16[4500] to 192.168.56.25[4500] (92 bytes)
received packet: from 192.168.56.25[4500] to 192.168.57.16[4500] (220 bytes)
parsed IKE_AUTH response 12 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
authentication of 'CN=server' with EAP successful
removed TNCCS Connection ID 1
constraint requires public key authentication, but EAP was used
selected peer config 'test' inacceptable: constraint checking failed

On the server side I have:

conn test
    left = 192.168.56.25
    leftsubnet=192.168.56.0/24
    leftcert=server.crt
    leftauth=eap-ttls
    #
    rightgroups = allow
    rightauth=eap-ttls
    rightid="CN=client"
    right=%any
    rightsendcert=never
    #
    auto = add

and on the client side I have:

conn test
    left = 192.168.57.16
    leftcert = client.crt
    leftid="CN=client"
    leftauth=eap
    #
    right = 192.168.56.25
    rightid = "CN=server"
    rightsendcert=never
    rightsubnet=192.168.56.0/24
    #
    auto = add

Can anybody here help me understand why this authentication is failing?

Kind regards,

Michael Schwartzkopff

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users