[strongSwan] StrongSwan as IKEv2 VPN client with EAP-TLS

Noel Kuntze noel at familie-kuntze.de
Fri Sep 26 19:45:43 CEST 2014



Hello Justin,

You need to set leftauth=eap-tls, and RADIUS complains about a missing realm:

[suffix] No '@' in User-Name = "username", looking up realm NULL
[suffix] No such realm "NULL"

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 26.09.2014 um 19:38 schrieb Justin Michael Schwartzbeck:
> Hello,
>
> I am trying to set up strongswan as a client to connect to a vpn server using EAP-TLS authentication. I have my connection set up as follows:
>
> conn client
>      keyexchange=ikev2
>      right=myvpnserver.domain.com
>      rightid=%myvpnserver.domain.com
>      rightsubnet=0.0.0.0/0
>      leftsourceip=%config
>      leftauth=eap
>      left=myclient.domain.com
>      leftid=username
>      leftcert=server.crt.pem
>      auto=add
>
> When I enter "ipsec up client" I get a failure on the client side:
>
> initiating IKE_SA client[1] to <vpn_server_ip>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group MODP_2048, it requested MODP_1024
> initiating IKE_SA client[1] to <vpn_server_ip>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> received 1 cert requests for an unknown ca
> sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> establishing CHILD_SA client
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
>   using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
>   using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
> authentication of '<vpn_server_ip>' with RSA signature successful
> server requested EAP_IDENTITY (id 0x3B), sending 'username'
> EAP_IDENTITY not supported, sending EAP_NAK
> generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'client' failed
>
> On the server side, I am using remote authentication with RADIUS. The EAP request seems to be incomplete, or fails somehow:
>
> rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
>     Service-Type = Login-User
>     Cisco-AVPair = "service-type=Login"
>     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
>     User-Name = "username"
>     EAP-Message = 0x023b0006030d
>     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
>     NAS-IP-Address = <vpn_server_ip>
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "username", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 59 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 50
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> username
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 129 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 129
> Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> Waking up in 4.9 seconds.
> Cleaning up request 129 ID 131 with timestamp +64810
> Ready to process requests.
>
> So here is my impression of what's happening, and correct me if I'm wrong: I think that on the strongswan side, EAP authentication is being used but there is no TLS happening. It seems like RADIUS is trying to determine whether the client is using TLS, MD5, etc. but fails to determine this. From the strongswan documentation I have gotten the idea that the client does not initiate EAP-TLS but it is enforced on the server side. Is there a way to do what I am trying to do?
>
> Thanks in advance.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
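The two logs quoted above describe the same packet from both ends: strongSwan reports "EAP_IDENTITY not supported, sending EAP_NAK" for the request with id 0x3B, and freeradius receives EAP-Message = 0x023b0006030d and logs "EAP packet type response id 59 length 6". The following decoder is an added example, not code from either mail or from the strongSwan or FreeRADIUS projects; it splits that attribute value into the RFC 3748 header and Type/Type-Data fields and shows that the client answered the Identity request with a Legacy Nak whose only proposed method is type 13, EAP-TLS, the method the leftauth=eap-tls setting selects. The type-name table is a subset of the IANA EAP method registry; the EAP-Identity Request used as a second input is a constructed sample, since the thread does not include its bytes.

```python
"""Decode the EAP packet carried in a RADIUS EAP-Message attribute.

The freeradius debug output in the thread shows EAP-Message = 0x023b0006030d.
This parser breaks that value into the RFC 3748 header (Code, Identifier,
Length) and the Type / Type-Data that follow, so the exchange can be read
directly from the server log.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP Code values (RFC 3748, section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# A subset of the IANA EAP method types; 3 is the Legacy Nak a peer sends to
# reject the method offered and list the ones it would accept instead.
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Legacy Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]      # None for Success / Failure, which carry no Type
    type_data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"unknown({self.code})")

    @property
    def type_name(self) -> str:
        if self.type is None:
            return "-"
        return EAP_TYPES.get(self.type, f"unknown({self.type})")

    def nak_desired_types(self) -> List[int]:
        """Method types the peer says it accepts; empty unless this is a Nak.

        RFC 3748: a Nak whose Type-Data is a single 0 means the peer has no
        acceptable alternative at all.
        """
        if self.code == 2 and self.type == 3:
            return [t for t in self.type_data if t != 0]
        return []


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one complete EAP packet (a single, unfragmented EAP-Message)."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # An EAP packet longer than 253 bytes is split across several RADIUS
        # EAP-Message attributes; this helper expects the reassembled packet.
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes")
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response packets must carry a Type byte")
        return EapPacket(code, identifier, length, raw[4], raw[5:length])
    return EapPacket(code, identifier, length, None, b"")


def parse_radius_eap_message(attr_value: str) -> EapPacket:
    """Accept the hex rendering freeradius prints, e.g. '0x023b0006030d'."""
    text = attr_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return parse_eap(bytes.fromhex(text))


def describe(pkt: EapPacket) -> str:
    """One-line summary in the spirit of the '[eap] EAP packet type ...' log line."""
    line = f"EAP {pkt.code_name} id={pkt.identifier} len={pkt.length} type={pkt.type_name}"
    if pkt.code == 2 and pkt.type == 3:
        wanted = pkt.nak_desired_types()
        if wanted:
            names = ", ".join(EAP_TYPES.get(t, f"type {t}") for t in wanted)
            line += f" (peer rejects the offered method and proposes: {names})"
        else:
            line += " (peer has no acceptable EAP method)"
    return line


# Value copied from the RADIUS debug output quoted in the thread.
CAPTURED_EAP_MESSAGE = "0x023b0006030d"

# Constructed sample (not in the thread): an EAP-Identity Request carrying the
# same identifier 0x3b that such a Nak answers.
CONSTRUCTED_IDENTITY_REQUEST = bytes.fromhex("013b000501")

if __name__ == "__main__":
    print(describe(parse_eap(CONSTRUCTED_IDENTITY_REQUEST)))
    print(describe(parse_radius_eap_message(CAPTURED_EAP_MESSAGE)))
```

Running it prints the Nak as "EAP Response id=59 len=6 type=Legacy Nak (peer rejects the offered method and proposes: EAP-TLS)", which is the decoded form of the freeradius "response id 59 length 6" line. The identifier 59 is the 0x3B strongSwan logs, so the two logs can be correlated packet by packet when debugging a pass-through EAP setup.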



