Hello experts,

I'm using strongSwan version 4.6.1 for establishing an IPsec tunnel with the EAP-SIM authentication method.
I have stored the triplets.dat file on the client at /etc/ipsec.d/triplets.dat,
while on the RADIUS server it is stored in /etc/raddb/triplets.dat.

The contents of triplets.dat on both client and FreeRADIUS are:

228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
228060123456001,32000000000000000000000000000000,32112233,325566778899AABB

The ipsec client side configs are:

conn android
    left=192.168.1.8
    leftid=192.168.1.8
    leftauth=eap
    eap_identity=deepika
    right=192.168.1.154
    rightid=192.168.1.154
    rightauth=pubkey
    auto=start

The ipsec server side configs are:

conn android
    left=192.168.1.154
    leftid=192.168.1.154
    leftcert=moonCert.oem
    leftauth=pubkey
    right=%any
    rightid=192.168.1.8
    rightsourceip=10.0.5.0/24
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add

However, on establishing the tunnel by using the FreeRADIUS server, I'm getting the following error logs on the ipsec client:

root@ubuntu5-desktop:/usr/local/etc# ipsec up android
initiating IKE_SA android[3] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.8[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.8[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=UK, CN=nits"
using certificate "C=UK, CN=nits"
using trusted ca certificate "C=UK, CN=nits"
checking certificate status of "C=UK, CN=nits"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'deepika'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 2 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
root@ubuntu5-desktop:/usr/local/etc#

Error logs on the FreeRADIUS server:

Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
  can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> deepika
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 42 to 127.0.0.1 port 39620
        EAP-Message = 0x04000004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 3 ID 42 with timestamp +71279
Ready to process requests.

I'm suspecting that it has something to do with the error message: "can not initiate sim, no RAND1 attribute".
Please let me know if the format and location of the triplets.dat file is correct, or
if I'm missing something in the configs which is leading to this error.

Thanks in advance
Deepika

-- 
If you think you can or if you think you can't, you are right.
-Henry Ford
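As an added example (not strongSwan or FreeRADIUS code), the following parser checks a triplets.dat file against the layout the post shows, one line per GSM triplet as IMSI,RAND,SRES,Kc in hex with RAND 16 bytes, SRES 4 bytes and Kc 8 bytes, and then looks up the three triplets an EAP-SIM full authentication consumes for a given IMSI (RFC 4186 uses two or three). The sample text is constructed from the lines in the post; field widths and the three-triplet count are assumptions stated in the comments.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout the post shows: IMSI,RAND,SRES,Kc (hex fields).
SAMPLE = """\
228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
"""

# Assumed field widths in hex characters: RAND is 16 bytes, SRES 4 bytes, Kc 8 bytes.
FIELD_HEX_LEN = {"rand": 32, "sres": 8, "kc": 16}


@dataclass(frozen=True)
class Triplet:
    imsi: str
    rand: bytes
    sres: bytes
    kc: bytes


def parse_triplets(text):
    """Parse triplets.dat text; returns (triplets, errors) so a bad line is reported, not silently dropped."""
    triplets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            errors.append(f"line {lineno}: expected 4 comma-separated fields, got {len(parts)}")
            continue
        imsi, rand, sres, kc = parts
        if not re.fullmatch(r"\d{1,15}", imsi):  # IMSI is at most 15 decimal digits
            errors.append(f"line {lineno}: IMSI must be 1-15 digits")
            continue
        fields = {}
        for name, value in (("rand", rand), ("sres", sres), ("kc", kc)):
            if len(value) != FIELD_HEX_LEN[name] or not re.fullmatch(r"[0-9A-Fa-f]+", value):
                errors.append(f"line {lineno}: {name} must be {FIELD_HEX_LEN[name]} hex chars")
                break
            fields[name] = bytes.fromhex(value)
        else:
            triplets.append(Triplet(imsi, **fields))
    return triplets, errors


def triplets_for(imsi, triplets, needed=3):
    """Return the first `needed` triplets for an IMSI, or None if the file holds too few for one EAP-SIM run."""
    found = [t for t in triplets if t.imsi == imsi]
    return found[:needed] if len(found) >= needed else None
```

Running parse_triplets over the posted lines yields three well-formed triplets for IMSI 228060123456001 and no errors, so a file in this layout is syntactically fine; a short or non-hex field is reported with its line number.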