Issue #1381
EAP-MD5 fails if ID type isn't FQDN
Description
Connection to IKEv2 with EAP-MD5 fails with ...
ipsec[4356]: 13[IKE] no EAP key found for hosts 'vpn.somehost.co.za' - 'maverick'
... only when the ID "maverick" is sent as KEY_ID but works when sent as FQDN.
Host was authenticated with public key.
Also EAP-RADIUS with MD5 works in both cases. eap_identity doesn't make a difference.
History
#1 Updated by Tobias Brunner over 9 years ago
- Status changed from New to Feedback
... only when the ID "maverick" is sent as KEY_ID but works when sent as FQDN.
Due to how the identities defined as selectors in ipsec.secrets are parsed a secret associated with maverick will only match an identity of type ID_FQDN (unless you explicitly configure keyid:maverick as selector).
I assume you didn't use an EAP-Identity exchange above, so the IKE identities were used for the lookup, as only there is it even possible to define an identity type. That's because identities sent in EAP-Identity payloads (which is also what's sent to the RADIUS server) have no types associated with them (they are just binary blobs). So when receiving such an identity strongSwan first checks if it is ASN.1 encoded (if so, it is assumed to be a DN) and if not, uses the same identity parsing heuristic as above to create an identity object, so you'll most likely have a match when using an EAP-Identity exchange.
#2 Updated by Pieter Jordaan over 9 years ago
Due to how the identities defined as selectors in ipsec.secrets are parsed a secret associated with
maverickwill only match an identity of type ID_FQDN (unless you explicitly configurekeyid:maverickas selector).
Perfect thanks, this fixed the issue for me!
I assume you didn't use an EAP-Identity exchange above, so the IKE identities were used for the lookup, as only there is it even possible to define an identity type. That's because identities sent in EAP-Identity payloads (which is also what's sent to the RADIUS server) have no types associated with them (they are just binary blobs). So when receiving such an identity strongSwan first checks if it is ASN.1 encoded (if so, it is assumed to be a DN) and if not, uses the same identity parsing heuristic as above to create an identity object, so you'll most likely have a match when using an EAP-Identity exchange.
It didn't make a difference including eap_identity=%any, eap_identity=%identity (docs aren't clear on which is which) or not using it at all.
#3 Updated by Tobias Brunner over 9 years ago
I assume you didn't use an EAP-Identity exchange above, so the IKE identities were used for the lookup, as only there is it even possible to define an identity type. That's because identities sent in EAP-Identity payloads (which is also what's sent to the RADIUS server) have no types associated with them (they are just binary blobs). So when receiving such an identity strongSwan first checks if it is ASN.1 encoded (if so, it is assumed to be a DN) and if not, uses the same identity parsing heuristic as above to create an identity object, so you'll most likely have a match when using an EAP-Identity exchange.
It didn't make a difference including eap_identity=%any, eap_identity=%identity (docs aren't clear on which is which) or not using it at all.
Both are the same. If you configure it you should see an EAP-Identity exchange in the log before the actual authentication (requires the eap-identity plugin).
#4 Updated by Tobias Brunner over 9 years ago
- Category set to configuration
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required