<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Hi all,<br><br>I'm using Strongswan 4.5.2 (from Debian squeeze-backports) and Freeradius 2.1.0 (from Debian stable) to construct an IKEv2 VPN for my clients. It seems that Strongswan is connected with Freeradius, but client connection just fails. Testing with Windows 7 IKEv2 client, it prompts "Error 13801: IKE authentication credentials are unacceptable."<br><br>Here's the log:<br><br>/var/log/syslog:<br>Oct 28 13:31:06 vpn charon: 08[NET] received packet: from client.ip.address[500] to server.ip.address[500]<br>Oct 28 13:31:06 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an IKE_SA<br>Oct 28 13:31:06 vpn charon: 08[IKE] remote host is behind NAT<br>Oct 28 13:31:06 vpn charon: 08[IKE] sending cert request for "C=CH, O=TonyVPN, CN=TonyVPN CA"<br>Oct 28 13:31:06 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>Oct 28 13:31:06 vpn charon: 08[NET] sending packet: from server.ip.address[500] to client.ip.address[500]<br>Oct 28 13:31:07 vpn charon: 10[NET] received packet: from client.ip.address[4500] to server.ip.address[4500]<br>Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP4_SERVER<br>Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP6_SERVER<br>Oct 28 13:31:07 vpn charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]<br>Oct 28 13:31:07 vpn charon: 10[IKE] received 32 cert requests for an unknown ca<br>Oct 28 13:31:07 vpn charon: 10[CFG] looking for peer configs matching server.ip.address[%any]...client.ip.address[client.nat.ip.address]<br>Oct 28 13:31:07 vpn charon: 10[CFG] selected peer config 'L2TP-PSK-NAT'<br>Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config inacceptable<br>Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'<br>Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, but not supported<br>Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to server 'vpnserver'<br>Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge from server 'vpnserver'<br>Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)<br>Oct 28 13:31:07 vpn charon: 10[IKE] peer supports MOBIKE<br>Oct 28 13:31:07 vpn charon: 10[IKE] authentication of 'C=CH, O=VPN, CN=server.ip.address' (myself) with RSA signature successful<br>Oct 28 13:31:07 vpn charon: 10[IKE] sending end entity cert "C=CH, O=VPN, CN=server.ip.address"<br>Oct 28 13:31:07 vpn charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]<br>Oct 28 13:31:07 vpn charon: 10[NET] sending packet: from server.ip.address[4500] to client.ip.address[4500]<br>Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after timeout<br><br>/var/log/auth.log:<br>Oct 28 13:31:06 japanvpn charon: 08[IKE] client.ip.address is initiating an IKE_SA<br><br>/etc/ipsec.conf:<br>conn IPSec-IKEv2<br> keyexchange=ikev2<br> auto=add<br> left=server.ip.address<br> leftsubnet=0.0.0.0/0<br> leftauth=pubkey<br> leftcert=serverCert.pem<br> right=%any<br> rightsourceip=192.168.104.0/0<br> rightauth=eap-radius<br> rightsendcert=never<br> eap_identity=%any<br><br>/etc/strongswan.conf:<br> eap-radius {<br> servers {<br> vpnserver {<br> secret = somesecret<br> address = 127.0.0.1<br> }<br> }<br> }<br><br>By setting FreeRADIUS to debug mode I found that the user name Strongswan passed to FreeRADIUS was incorrect (some gibberish), so I guess it's a secret code problem but I'm 100% sure the secret code is correct. Also I've tried changing it to some other string like 123456 but Strongswan passes the username as the same gibberish as before, thus I don't think it's a secret code problem.<br><br>Any suggestions/advices would be appreciated.<br> </div></body>
</html>