Text only | Text with Images

OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: Oliver on March 22, 2023, 03:43:27 PM

Title: VPN > IPSec: Strongswan 5.9.10+ prevents EAP-TLS authentication
Post by: Oliver on March 22, 2023, 03:43:27 PM
A regression in the eap-tls plugin of Strongswan 5.9.10+ prevents EAP-TLS authentication. The log shows:

Code Select
11[IKE] <con1|2> verification of AUTH payload with EAP MSK failed

Details: https://github.com/strongswan/strongswan/discussions/1613

Remedy: Downgrade to Strongswan 5.9.9_1 via

Code Select
opnsense-revert -r 23.1.1 strongswan

But keep in mind that this version is affected by vulnerability CVE-2023-26463 (https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html).
Title: Re: VPN > IPSec: Strongswan 5.9.10+ prevents EAP-TLS authentication
Post by: franco on March 22, 2023, 03:44:59 PM
But keep in mind that was fixed in 23.1.4 yesterday? ;)


Cheers,
Franco
Title: Re: VPN > IPSec: Strongswan 5.9.10+ prevents EAP-TLS authentication
Post by: Oliver on March 22, 2023, 03:51:09 PM
OK, tried again after the upgrade to 23.1.4 (strongswan 5.9.10_1) did not fix the problem for me:

I had to manually restart the IPSec service (which the update apparently did not do), then it worked again.
Title: Re: VPN > IPSec: Strongswan 5.9.10+ prevents EAP-TLS authentication
Post by: franco on March 22, 2023, 04:13:10 PM
Yep, we don't restart services (unless there is a reboot for other reasons).


Cheers,
Franco
Text only | Text with Images