Description of problem:
IPSec/IKEv2 clients using EAP fail to connect to Strongswan after upgrade to 5.6.1

Version-Release number of selected component (if applicable):
strongswan-5.6.1

How reproducible:
Every time

Steps to Reproduce:
1. Configure Strongswan IKEv2 using EPEL 5.5.3 packages for EAP-RADIUS authentication. Verify connection works (in my case, MSCHAPv2 is used by the client and the RADIUS server uses ntlm_auth against AD).
2. Upgrade Strongswan to 5.6.1 from EPEL (via yum update)

Actual results:
Clients cannot log in any more. Charon log says:
IKE verification of AUTH payload with EAP MSK failed

Expected results:
Clients should still be able to log in.

Additional info:
The error occurs after EAP-RADIUS authentication succeeds (and EAP/SUCC is received by the client), when the client sends its last AUTH request expecting back a virtual IP address, DNS etc.

End of the client log with 5.5.3:

Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[IKE] authentication of 'assen.totin' (myself) with EAP
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[ENC] generating IKE_AUTH request 5 [ AUTH ]
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 14[NET] sending packet: from 192.168.104.130[58216] to 213.144.139.34[4500] (112 bytes)
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 07[NET] received packet: from 213.144.139.34[4500] to 192.168.104.130[58216] (256 bytes)
Mar 16 18:17:46 assen-wifi.xentio.lan charon-nm[13914]: 07[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]

Same with 5.6.1:

Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[IKE] authentication of 'assen.totin' (myself) with EAP
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[ENC] generating IKE_AUTH request 5 [ AUTH ]
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 13[NET] sending packet: from 192.168.104.130[58216] to 213.144.139.245[4500] (96 bytes)
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 04[NET] received packet: from 213.144.139.245[4500] to 192.168.104.130[58216] (80 bytes)
Mar 16 17:14:13 assen-wifi.xentio.lan charon-nm[13914]: 04[ENC] parsed IKE_AUTH response 5 [ N(AUTH_FAILED) ]

Client is Fedora 26, strongswan-5.6.0-1.fc26.x86_64.

The stock 5.5.3 RPMs work fine and manual downgrade resolves the problem.
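For triage, the two client logs above differ only in the reply to the final AUTH request, which separates this failure from a plain credential rejection. The following is an added example, not part of the original report or of strongSwan: a small classifier over charon `[ENC]` lines, where the verdict labels and the function name are assumptions and the samples are constructed from the report's log lines with the hostname shortened.

```python
import re

# Constructed samples modelled on the charon-nm client log lines in the report
# (hostname shortened to "host", [NET] lines omitted).
SAMPLE_OK = """\
Mar 16 18:17:46 host charon-nm[13914]: 14[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Mar 16 18:17:46 host charon-nm[13914]: 14[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 18:17:46 host charon-nm[13914]: 14[ENC] generating IKE_AUTH request 5 [ AUTH ]
Mar 16 18:17:46 host charon-nm[13914]: 07[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
"""
SAMPLE_FAIL = """\
Mar 16 17:14:13 host charon-nm[13914]: 13[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Mar 16 17:14:13 host charon-nm[13914]: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 17:14:13 host charon-nm[13914]: 13[ENC] generating IKE_AUTH request 5 [ AUTH ]
Mar 16 17:14:13 host charon-nm[13914]: 04[ENC] parsed IKE_AUTH response 5 [ N(AUTH_FAILED) ]
"""

# Matches the [ENC] summary lines: direction, message kind, and payload list.
MSG = re.compile(r"\[ENC\] (parsed|generating) IKE_AUTH (request|response) \d+ \[ (.*) \]")

def classify(log_text):
    """Classify one client-side IKE_AUTH exchange (verdict labels are hypothetical)."""
    eap_ok = auth_sent = False
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        direction, kind, tokens = m.group(1), m.group(2), m.group(3).split()
        if (direction, kind) == ("generating", "request"):
            # The final request after EAP success carries only the MSK-based AUTH payload.
            auth_sent = auth_sent or (eap_ok and tokens == ["AUTH"])
        elif (direction, kind) == ("parsed", "response"):
            if "EAP/FAIL" in tokens:
                return "eap-rejected"            # credentials refused by the EAP backend
            if "EAP/SUCC" in tokens:
                eap_ok = True
            elif "N(AUTH_FAILED)" in tokens:
                # EAP succeeded, yet the peer rejected the AUTH payload: the case reported here.
                return "auth-failed-after-eap-success" if eap_ok and auth_sent else "auth-failed"
            elif "AUTH" in tokens and eap_ok and auth_sent:
                return "established"
    return "incomplete"

if __name__ == "__main__":
    print("5.5.3:", classify(SAMPLE_OK))
    print("5.6.1:", classify(SAMPLE_FAIL))
```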
Can you try 5.6.4 to see if they fixed this bug upstream? Package should be in updates-testing for f32 (and is in rawhide).
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Please re-open if you have tried the latest version or have more detailed information (e.g. debug logs).