Hi ecdsa,
First of all, thanks for your answer.
After several tries and after talking with the people in charge of the SeGW, I realized that I was using a wrong IP for the right party.
I've made a few modifications to my ipsec.conf file and now it looks as follows:
Code:
conn connname
    left=x.x.x.x
    leftauth=eap-md5
    leftsendcert=never
    leftid=id@myid.com
    leftsourceip=%config4,%config6
    eap_identity=%any
    ike=3des,sha1,modp1024
    keyexchange=ikev2
    type=tunnel
    right=y.y.y.y
    rightauth=psk
    rightsubnet=0.0.0.0/0
    auto=add
    mobike=no
With this configuration, my first IKE_AUTH looks fine, since it does not include the AUTH payload.
I receive a response from the SeGW asking for EAP authentication, and in the logs I can see that PSK authentication was successful.
I send a new IKE_AUTH (request 2) including EAP_IDENTITY, but the SeGW responds with AUTH_FAILED.
This is my log file:
Code:
initiating IKE_SA connname[1] to y.y.y.y
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from x.x.x.x[500] to y.y.y.y[500] (768 bytes)
received packet: from y.y.y.y[500] to x.x.x.x[500] (300 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
establishing CHILD_SA connname
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(EAP_ONLY) ]
sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (412 bytes)
received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
authentication of 'y.y.y.y' with pre-shared key successful
server requested EAP_IDENTITY (id 0x01), sending 'id@myid.com'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (92 bytes)
received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
parsed IKE_AUTH response 2 [ EAP/FAIL N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'connname' failed
Any idea?
Thanks in advance.
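Added example (not from this thread and not a strongSwan tool): a small Python helper that parses charon log lines like the ones posted above, reconstructs the IKE_SA_INIT / IKE_AUTH exchanges with their payload lists, and reports at which stage authentication failed. The distinction it makes is the one that matters when reading such a log: an AUTH_FAILED notify that arrives together with EAP/FAIL, after "authentication of ... with pre-shared key successful", means the IKE-level peer authentication passed and the rejection came from the EAP side (identity or credentials as seen by the gateway or its AAA backend), not from the IKE PSK. The log text embedded below is a copy of the posted excerpt with the run-together first line split; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Copy of the charon log excerpt posted in the thread (constructed sample input
# for this example; x.x.x.x / y.y.y.y are the poster's placeholders).
CHARON_LOG = """\
initiating IKE_SA connname[1] to y.y.y.y
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from x.x.x.x[500] to y.y.y.y[500] (768 bytes)
received packet: from y.y.y.y[500] to x.x.x.x[500] (300 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
establishing CHILD_SA connname
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(EAP_ONLY) ]
sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (412 bytes)
received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
authentication of 'y.y.y.y' with pre-shared key successful
server requested EAP_IDENTITY (id 0x01), sending 'id@myid.com'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (92 bytes)
received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
parsed IKE_AUTH response 2 [ EAP/FAIL N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'connname' failed
"""

# "generating <EXCHANGE> request <id> [ payloads ]" / "parsed <EXCHANGE> response <id> [ payloads ]"
MSG_RE = re.compile(r"^(generating|parsed) (\w+) (request|response) (\d+) \[ (.*?) \]$")
# One payload token: NAME, NAME/SUB/SUB, or NAME(args with spaces), e.g. CPRQ(ADDR ADDR6 DNS DNS6)
PAYLOAD_RE = re.compile(r"\w+(?:/\w+)*(?:\([^)]*\))?")
EAP_ID_RE = re.compile(r"server requested EAP_IDENTITY .* sending '([^']+)'")


@dataclass
class Exchange:
    kind: str            # IKE_SA_INIT, IKE_AUTH, ...
    direction: str       # request / response
    msg_id: int
    payloads: List[str]


@dataclass
class Diagnosis:
    exchanges: List[Exchange] = field(default_factory=list)
    peer_auth_ok: bool = False            # gateway authenticated (here: PSK)
    eap_identity: Optional[str] = None    # identity we sent in EAP/RES/ID
    failure_stage: Optional[str] = None   # None, "ike_sa_init", "ike_auth" or "eap"


def parse_exchanges(log: str) -> List[Exchange]:
    """Extract the IKEv2 messages charon logged, keeping payload groups intact."""
    exchanges = []
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            payloads = PAYLOAD_RE.findall(m.group(5))
            exchanges.append(Exchange(m.group(2), m.group(3), int(m.group(4)), payloads))
    return exchanges


def diagnose(log: str) -> Diagnosis:
    """Locate the stage where the negotiation failed, based only on logged payloads."""
    d = Diagnosis(exchanges=parse_exchanges(log))
    d.peer_auth_ok = "with pre-shared key successful" in log or "with RSA signature successful" in log
    m = EAP_ID_RE.search(log)
    if m:
        d.eap_identity = m.group(1)
    for e in d.exchanges:
        if "N(AUTH_FAILED)" not in e.payloads:
            continue
        if e.kind == "IKE_SA_INIT":
            d.failure_stage = "ike_sa_init"
        elif "EAP/FAIL" in e.payloads:
            # Peer auth already passed; the EAP method itself was rejected by the gateway/AAA.
            d.failure_stage = "eap"
        else:
            # Rejected before or at the AUTH payload: IDs, PSK/certificate or AUTH mismatch.
            d.failure_stage = "ike_auth"
    return d


if __name__ == "__main__":
    result = diagnose(CHARON_LOG)
    for e in result.exchanges:
        print(f"{e.kind:12s} {e.direction:8s} id={e.msg_id} {e.payloads}")
    print("peer authenticated:", result.peer_auth_ok)
    print("EAP identity sent: ", result.eap_identity)
    print("failure stage:     ", result.failure_stage)
```

Run against the excerpt above it reports six messages, peer authentication OK, EAP identity `id@myid.com` and failure stage `eap`, which is the useful pointer: the PSK side of the exchange is done, so the next thing to check with the SeGW operators is how that identity (and the eap-md5 credentials behind it) is provisioned on their side.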