<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Some updates:<br><br>Whatever username I pick for authentication, the request passed to FreeRADIUS is always the same, so I guess it's<br>a problem with strongSwan, which handles the EAP requests incorrectly?<br><br><div>> Date: Fri, 28 Oct 2011 07:46:42 +0200<br>> From: andreas.steffen@strongswan.org<br>> To: ttzforj@hotmail.com<br>> CC: users@lists.strongswan.org<br>> Subject: Re: [strongSwan] Strongswan+RADIUS secret code problem?<br>> <br>> Hello,<br>> <br>> did you enable EAP Identity?<br>> <br>> ./configure ... --enable-eap-identity<br>> <br>> Regards<br>> <br>> Andreas<br>> <br>> On 10/28/2011 06:37 AM, T Z wrote:<br>> > Hi all,<br>> ><br>> > I'm using strongSwan 4.5.2 (from Debian squeeze-backports) and<br>> > FreeRADIUS 2.1.0 (from Debian stable) to construct an IKEv2 VPN for my<br>> > clients. It seems that strongSwan is connected with FreeRADIUS, but<br>> > the client connection just fails. Testing with the Windows 7 IKEv2 client, it<br>> > prompts "Error 13801: IKE authentication credentials are unacceptable."<br>> ><br>> > Here's the log:<br>> ><br>> > /var/log/syslog:<br>> > Oct 28 13:31:06 vpn charon: 08[NET] received packet: from<br>> > client.ip.address[500] to server.ip.address[500]<br>> > Oct 28 13:31:06 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE<br>> > No N(NATD_S_IP) N(NATD_D_IP) ]<br>> > Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an<br>> > IKE_SA<br>> > Oct 28 13:31:06 vpn charon: 08[IKE] remote host is behind NAT<br>> > Oct 28 13:31:06 vpn charon: 08[IKE] sending cert request for "C=CH,<br>> > O=TonyVPN, CN=TonyVPN CA"<br>> > Oct 28 13:31:06 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [<br>> > SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>> > Oct 28 13:31:06 vpn charon: 08[NET] sending packet: from<br>> > server.ip.address[500] to client.ip.address[500]<br>> > Oct 28 13:31:07 vpn charon: 10[NET] received packet: from<br>> > client.ip.address[4500] to server.ip.address[4500]<br>> > Oct 28 
13:31:07 vpn charon: 10[ENC] unknown attribute type<br>> > INTERNAL_IP4_SERVER<br>> > Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type<br>> > INTERNAL_IP6_SERVER<br>> > Oct 28 13:31:07 vpn charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi<br>> > CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]<br>> > Oct 28 13:31:07 vpn charon: 10[IKE] received 32 cert requests for an<br>> > unknown ca<br>> > Oct 28 13:31:07 vpn charon: 10[CFG] looking for peer configs matching<br>> > server.ip.address[%any]...client.ip.address[client.nat.ip.address]<br>> > Oct 28 13:31:07 vpn charon: 10[CFG] selected peer config 'L2TP-PSK-NAT'<br>> > Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config inacceptable<br>> > Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'<br>> > Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, but<br>> > not supported<br>> > Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to<br>> > server 'vpnserver'<br>> > Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge<br>> > from server 'vpnserver'<br>> > Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)<br>> > Oct 28 13:31:07 vpn charon: 10[IKE] peer supports MOBIKE<br>> > Oct 28 13:31:07 vpn charon: 10[IKE] authentication of 'C=CH, O=VPN,<br>> > CN=server.ip.address' (myself) with RSA signature successful<br>> > Oct 28 13:31:07 vpn charon: 10[IKE] sending end entity cert "C=CH,<br>> > O=VPN, CN=server.ip.address"<br>> > Oct 28 13:31:07 vpn charon: 10[ENC] generating IKE_AUTH response 1 [ IDr<br>> > CERT AUTH EAP/REQ/MD5 ]<br>> > Oct 28 13:31:07 vpn charon: 10[NET] sending packet: from<br>> > server.ip.address[4500] to client.ip.address[4500]<br>> > Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after timeout<br>> ><br>> > /var/log/auth.log:<br>> > Oct 28 13:31:06 japanvpn charon: 08[IKE] client.ip.address is initiating<br>> > an IKE_SA<br>> ><br>> > 
/etc/ipsec.conf:<br>> > conn IPSec-IKEv2<br>> > keyexchange=ikev2<br>> > auto=add<br>> > left=server.ip.address<br>> > leftsubnet=0.0.0.0/0<br>> > leftauth=pubkey<br>> > leftcert=serverCert.pem<br>> > right=%any<br>> > rightsourceip=192.168.104.0/0<br>> > rightauth=eap-radius<br>> > rightsendcert=never<br>> > eap_identity=%any<br>> ><br>> > /etc/strongswan.conf:<br>> > eap-radius {<br>> > servers {<br>> > vpnserver {<br>> > secret = somesecret<br>> > address = 127.0.0.1<br>> > }<br>> > }<br>> > }<br>> ><br>> > By setting FreeRADIUS to debug mode I found that the user name<br>> > strongSwan passed to FreeRADIUS was incorrect (some gibberish), so I<br>> > guess it's a secret code problem but I'm 100% sure the secret code is<br>> > correct. Also I've tried changing it to some other string like 123456<br>> > but strongSwan passes the username as the same gibberish as before, thus<br>> > I don't think it's a secret code problem.<br>> ><br>> > Any suggestions/advice would be appreciated.<br>> <br>> ======================================================================<br>> Andreas Steffen andreas.steffen@strongswan.org<br>> strongSwan - the Linux VPN Solution! www.strongswan.org<br>> Institute for Internet Technologies and Applications<br>> University of Applied Sciences Rapperswil<br>> CH-8640 Rapperswil (Switzerland)<br>> ===========================================================[ITA-HSR]==<br></div> </div></body>
</html>