Hi,

You need to specify the EAP method you want to use to authenticate yourself.
And what's the ipsec.conf you're trying to translate?

Kind regards
Noel

On 10.05.20 at 14:17, lejeczek wrote:
> hi guys
>
> I got my strongswan updated to 5.8 and I think I migrated my
> simple config correctly:
>
> connections {
>     camuni {
>         remote_addrs="remote.fqdn" # The location of the host, FQDN or IP
>         vips="0.0.0.0"
>         send_cert="never"
>         local {
>             id="me@domain"
>             auth="eap"
>         }
>         remote {
>             certs="remote.fqdn.crt"
>             id="DNS:remote.fqdn"
>             auth="eap"
>         }
>         children {
>             camuni {
>                 remote_ts="172.16.0.0/12"
>                 mode="pass"
>                 start_action="start"
>             }
>         }
>     }
> }
> secrets {
>     eap {
>         secret="aSecret"
>         id="me@fqdn"
>     }
> }
>
> Yet still auth fails. I have no control over "remote.fqdn"
> but at my end I see:
> ...
> IKE] initiating IKE_SA camuni[9] to xx.XX.zz.ZZ
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from xx.XX.yy.YY[500] to xx.XX.zz.ZZ[500] (1400 bytes)
> [NET] received packet: from xx.XX.zz.ZZ[500] to xx.XX.yy.YY[500] (592 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> [CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
> [IKE] remote host is behind NAT
> [IKE] sending cert request for "O=CA, CN=mydom.local"
> [IKE] sending cert request for "O=CA, CN=mydom.local"
> [IKE] establishing CHILD_SA camuni{9}
> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from xx.XX.yy.YY[4500] to xx.XX.zz.ZZ[4500] (432 bytes)
> [NET] received packet: from xx.XX.zz.ZZ[4500] to xx.XX.yy.YY[4500] (80 bytes)
> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> [IKE] received AUTHENTICATION_FAILED notify error
> initiate failed: establishing CHILD_SA 'camuni' failed
>
> Would you have any suggestions and advice I'll be
> grateful.
> many thanks, L.