Bug 1557486

Summary: strongswan IKE verification of AUTH payload with EAP MSK failed
Product: [Fedora] Fedora EPEL
Reporter: Assen Totin <assen>
Component: strongswan
Assignee: Paul Wouters <paul.wouters>
Status: CLOSED DEFERRED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: epel7
CC: code, jan.public, pwouters, redhatbugs
Target Milestone: ---
Flags: pwouters: needinfo? (assen)
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-07-11 00:49:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Assen Totin 2018-03-16 16:33:42 UTC
Description of problem:
IPSec/IKEv2 clients using EAP fail to connect to Strongswan after upgrade to 5.6.1

Version-Release number of selected component (if applicable):
strongswan-5.6.1

How reproducible:
Every time

Steps to Reproduce:
1. Configure Strongswan IKEv2 using EPEL 5.5.3 packages for EAP-RADIUS authentication. Verify connection works (in my case, MSCHAPv2 is used by the client and the RADIUS server uses ntlm_auth against AD).
2. Upgrade Strongswan to 5.6.1 from EPEL (via yum update)

Actual results:

Clients cannot log in any more. Charon log says: 
IKE verification of AUTH payload with EAP MSK failed

Expected results:

Clients should still be able to log in. 

Additional info:

The error occurs after EAP-RADIUS authentication succeeds (and EAP/SUCC is received by the client), when the client sends its last AUTH request expecting back a virtual IP address, DNS etc. 

End of the client log with 5.5.3:

Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[IKE] authentication of 'assen.totin' (myself) with EAP
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[ENC] generating IKE_AUTH request 5 [ AUTH ]
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[NET] sending packet: from 192.168.104.130[58216] to 213.144.139.34[4500] (112 bytes)
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 07[NET] received packet: from 213.144.139.34[4500] to 192.168.104.130[58216] (256 bytes)
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 07[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]

Same with 5.6.1:

Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[IKE] authentication of 'assen.totin' (myself) with EAP
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[ENC] generating IKE_AUTH request 5 [ AUTH ]
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[NET] sending packet: from 192.168.104.130[58216] to 213.144.139.245[4500] (96 bytes)
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 04[NET] received packet: from 213.144.139.245[4500] to 192.168.104.130[58216] (80 bytes)
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 04[ENC] parsed IKE_AUTH response 5 [ N(AUTH_FAILED) ]

Client is Fedora 26, strongswan-5.6.0-1.fc26.x86_64.

The stock 5.5.3 RPMs work fine and manual downgrade resolves the problem.
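For readers unfamiliar with the check that fails in the charon log above, here is the RFC 7296 computation behind "verification of AUTH payload with EAP MSK": with a key-generating EAP method (EAP-MSCHAPv2 here) the MSK replaces the pre-shared secret in AUTH = prf(prf(MSK, "Key Pad for IKEv2"), signed octets), so any difference between the MSK the client derived and the MSK the responder obtained makes the responder reject IKE_AUTH request 5 with N(AUTH_FAILED). This is an added example written for this bug page, not strongswan code; it uses HMAC-SHA-256 as the PRF and constructed nonces, keys and message bytes, and it does not claim what caused the 5.6.1 regression.

```python
import hashlib
import hmac
import os

# Fixed pad string from RFC 7296 section 2.15.
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the PRFs an IKEv2 SA can negotiate."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(init_message: bytes, peer_nonce: bytes, sk_p: bytes, id_payload: bytes) -> bytes:
    """RFC 7296 2.15: <raw IKE_SA_INIT message> | <peer's nonce> | prf(SK_p, ID payload body)."""
    return init_message + peer_nonce + prf(sk_p, id_payload)


def eap_auth(msk: bytes, octets: bytes) -> bytes:
    """RFC 7296 2.16: the EAP MSK stands in for the shared secret when computing AUTH."""
    return prf(prf(msk, KEY_PAD), octets)


def verify_eap_auth(msk: bytes, octets: bytes, received_auth: bytes) -> bool:
    """The responder's check on the client's final AUTH payload: recompute and compare."""
    return hmac.compare_digest(eap_auth(msk, octets), received_auth)


def demo() -> tuple:
    # Every value here is constructed for the example; none comes from the report.
    init_msg = b"IKE_SA_INIT request bytes (constructed)"
    nonce_r = os.urandom(32)          # responder nonce
    sk_pi = os.urandom(32)            # initiator's SK_pi from the IKE_SA_INIT key material
    id_i = b"assen.totin"             # body of the initiator's ID payload
    octets = signed_octets(init_msg, nonce_r, sk_pi, id_i)

    msk_client = os.urandom(64)       # 64-byte MSK as the client's EAP method established it
    auth = eap_auth(msk_client, octets)

    # Responder holding the same MSK: AUTH verifies, it would reply with CP/SA/TS payloads.
    same_msk_ok = verify_eap_auth(msk_client, octets, auth)

    # Responder holding a different MSK (constructed: a truncated copy): verification
    # fails, which is the condition logged as "verification of AUTH payload with EAP
    # MSK failed" and answered with N(AUTH_FAILED).
    msk_mismatch = msk_client[:32]
    mismatch_ok = verify_eap_auth(msk_mismatch, octets, auth)
    return same_msk_ok, mismatch_ok
```

Comparing the MSK each side feeds into this computation (length and content) is the first thing to check when the EAP exchange itself reports success but the final AUTH is rejected.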

Comment 1 Paul Wouters 2020-04-22 00:49:21 UTC
can you try 5.6.4 to see if they fixed this bug upstream?

package should be in updates-testing for f32 (and is in rawhide)

Comment 2 Fedora Admin user for bugzilla script actions 2021-04-19 12:24:11 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 3 Fedora Admin user for bugzilla script actions 2021-07-17 00:13:26 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 4 Paul Wouters 2023-07-11 00:49:00 UTC
please re-open if you have tried the latest version or have more detailed information (e.g. debug logs)