<div>Hi Everyone,</div>
<div> </div>
<div>I am having difficulties connecting to strongSwan IKEv2 using eap-radius from a Windows 7 Agile VPN client. Below are my VPN server, Windows 7 and RADIUS configuration and the error messages. I have followed the strongSwan Windows 7 certificate requirements and tried for a couple of days different recommendations from the strongSwan mailing list archive, but I couldn't make it work. I really appreciate any help.</div>
<div> </div>
<div>=======================</div>
<div>#vpn server configuration</div>
<div>config setup<br> charonstart=yes<br> plutostart=no</div>
<div>conn myvpn~mypolicy<br> vpn=myvpn<br> mobike=no<br> left=172.16.30.2<br> leftsubnet=172.26.40.0/24<br> leftid=@zeus.test.net</div>
<div> leftcert=zeus@ares.cer<br> leftauth=pubkey<br> ike=3des-sha1-modp1024!<br> esp=3des-sha1-modp1024!</div>
<div> keyexchange=ikev2<br> ikelifetime=8h</div>
<div> keylife=1h<br> right=%any<br> rightsendcert=never<br> rightsourceip=172.16.80.0/24<br> rightauth=eap-radius<br> eap_identity=%identity<br>
auto=add<br>========================</div>
<div>Note:</div>
<ul>
<li>zeus@ares.cert is the VPN server certificate file name</li>
<li>"zeus.test.net" is the VPN server certificate CN.</li>
<li>The VPN server X.509 certificate meets the Windows 7 requirements. Below are the subject alternative name and extended key usage values from the server certificate:</li></ul>
<div> X509v3 Subject Alternative Name: </div>
<div> DNS:zeus.tes.net</div>
<div> X509v3 Extended Key Usage: </div>
<div> 1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication</div>
<ul>
<li>eap-radius, eap-md5, and eap-identity plugins are loaded on the strongswan vpn server.</li></ul>
<div>#strongswan.conf contains the eap-radius configuration</div>
<div> </div>
<div>charon {</div>
<div> plugins {<br> eap-radius {<br> # server myradius<br> server = XX.XXX.XXX.XX<br> secret = testing123<br> nas-id = mynas }<br> }<br>}<br></div>
<div>
<div>=============================</div>
<div> </div>
<div>#I am using FreeRADIUS for eap-radius authentication. FreeRadius is configured as follows:</div>
<div> </div>
<div> /etc/raddb/clients.conf<br>client XX.XXX.0.0/16 {<br>secret = testing123<br>shortname= my-private-network</div>
<div>nastype = mynas<br>...</div>
<div>}<br><br># /etc/raddb/eap.conf<br>eap{<br>default_eap_type= md5<br>md5 {<br>}<br>}<br></div>
<div># /etc/raddb/users<br>carol Cleartext-Password := "testtest"<br>=============================</div></div>
<div> #Windows 7 Agile vpn client</div>
<ul>
<li>Type of VPN : IKEv2</li>
<li>Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2</li>
<li>X509 machine certificate and CA certificate installed , and verified as valid</li>
<li>Added the following configuration to the windows 7 hosts file </li></ul>
<div><strong> 172.16.30.2 zeus.test.net </strong></div>
<div>(172.16.30.2 is the VPN gateway interface, and zeus.test.net is the VPN gateway certificate CN and subject alt name).</div>
<div> </div>
<div>When I start the Windows 7 Agile VPN connection, the following error messages show on the VPN gateway and on Windows 7:</div>
<div> </div>
<div>#strongswan vpn gateway error messages</div>
<div><br>Jun 11 07:08:07 router CHARON-INFO: 10[NET] received packet: from [500] to [500]<br>Jun 11 07:08:07 router CHARON-INFO: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Jun 11 07:08:07 router CHARON-INFO: 10[IKE] 172.16.50.10 is initiating an IKE_SA<br>
Jun 11 07:08:07 router CHARON-INFO: 10[IKE] sending cert request for "C=US, ST=MYSTATE, L=MYCITY, O=MYORG, OU=MYUNIT, CN=ares.test.net, E=ares@test.net"<br>
Jun 11 07:08:07 router CHARON-INFO: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>Jun 11 07:08:07 router CHARON-INFO: 10[NET] sending packet: from [500] to [500]<br>
Jun 11 07:08:07 router CHARON-INFO: 13[NET] received packet: from [4500] to [4500]<br>Jun 11 07:08:07 router CHARON-INFO: 13[ENC] unknown attribute type INTERNAL_IP4_SERVER<br>Jun 11 07:08:07 router CHARON-INFO: 13[ENC] unknown attribute type INTERNAL_IP6_SERVER<br>
Jun 11 07:08:07 router CHARON-INFO: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for "C=US, ST=CA, L=MYCITY, O=MYORG, OU=MYUNIT, CN=ares.test.net, E=ares@test.net"<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid c0:7a:98:68:8d:89:fb:ab:05:64:0c:11:7d:aa:7d:65:b8:ca:cc:4e<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 4a:81:0c:de:f0:c0:90:0f:19:06:42:31:35:a2:a2:8d:d3:44:fd:08<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid f0:17:62:13:55:3d:b3:ff:0a:00:6b:fb:50:84:97:f3:ed:62:d0:1a<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 42:32:b6:16:fa:04:fd:fe:5d:4b:7a:c3:fd:f7:4c:40:1d:5a:43:af<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid be:a8:a0:74:72:50:6b:44:b7:c9:23:d8:fb:a8:ff:b3:57:6b:68:6c<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid fb:61:40:61:b4:8a:bc:eb:56:1d:64:16:1f:ab:6d:f3:f7:ae:45:a5<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 83:31:7e:62:85:42:53:d6:d7:78:31:90:ec:91:90:56:e9:91:b9:e3<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 53:32:d1:b3:cf:7f:fa:e0:f1:a0:5d:85:4e:92:d2:9e:45:1d:b4:4f<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 00:ad:d9:a3:f6:79:f6:6e:74:a9:7f:33:3d:81:17:d7:4c:cf:33:de<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid a8:48:b4:24:2f:c6:ea:24:a0:d7:8e:3c:b9:3c:5c:78:d7:98:33:e4<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid a1:72:5f:26:1b:28:98:43:95:5d:07:37:d5:85:96:9d:4b:d2:c3:45<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87<br>Jun 11 07:08:07 router CHARON-INFO: 13[CFG] looking for peer configs matching 172.16.30.2[%any]...172.16.50.10[172.16.50.10]<br>
Jun 11 07:08:07 router CHARON-INFO: 13[CFG] selected peer config 'myvpn~mypolicy'<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] initiating EAP-Identity request<br>Jun 11 07:08:07 router CHARON-INFO: 13[IKE] peer supports MOBIKE, but disabled in config<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] authentication of 'C=US, ST=MYSTATE, O=MYORG, OU=SPG, CN=zeus.test.net, E=zeus@test.net' (myself) with RSA signature successful<br>
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] sending end entity cert "C=US, ST=MYSTATE, O=MYORG, OU=SPG, CN=zeus.test.net, E=zeus@test.net"</div>
<div> </div>
<div>=================</div>
<div>
<div>#Windows7 error message</div>
<div> </div>
<div>It starts with "Verifying user name and password" and then displays:</div>
<div>Error:13801: IKE authentication credentials are unacceptable</div>
<div>=============================</div>
<div> </div>
<div>No user authentication request is sent to the RADIUS server.</div>
<div> </div>
<div>Thank you!</div>
<div> </div>
<div>Jordan.</div></div>
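<div>Added example (not part of Jordan's post or of strongSwan): a small diagnostic that applies the two checks this kind of report calls for. It parses the certificate extensions quoted above and verifies that the SAN DNS name matches the hostname the Windows client connects to and that the EKU carries the IKE intermediate OID 1.3.6.1.5.5.8.2.2 and serverAuth; it then scans the charon log lines for the milestones of an EAP-RADIUS IKE_AUTH and reports the last one reached, which shows whether the exchange ever got as far as an EAP identity and a RADIUS request. The certificate text and log lines are constructed from the post; the two final log markers ("received EAP identity" and "RADIUS") are assumed strongSwan wording rather than lines from the post.</div>

```python
import re

# Certificate extension excerpt as quoted in the post, constructed here with
# standard "openssl x509 -text" indentation so it parses like real output.
CERT_TEXT = """\
X509v3 Subject Alternative Name:
    DNS:zeus.tes.net
X509v3 Extended Key Usage:
    1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
"""

# Hostname the Windows client resolves through its hosts file (from the post).
CLIENT_HOSTNAME = "zeus.test.net"

# A few charon lines from the post, in order, trimmed to the message part.
LOG_LINES = [
    "10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]",
    "13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]",
    "13[CFG] selected peer config 'myvpn~mypolicy'",
    "13[IKE] initiating EAP-Identity request",
    "13[IKE] authentication of 'C=US, CN=zeus.test.net' (myself) with RSA signature successful",
    "13[IKE] sending end entity cert \"C=US, CN=zeus.test.net\"",
]

IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"  # EKU Windows IKEv2 clients look for
SERVER_AUTH = {"TLS Web Server Authentication", "1.3.6.1.5.5.7.3.1"}


def extension_body(text, header):
    """Return the indented value lines that follow an 'X509v3 ...:' header, joined."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(header):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith((" ", "\t")):
                    break
                body.append(nxt.strip())
            return ", ".join(body)
    return ""


def san_dns_names(text):
    body = extension_body(text, "X509v3 Subject Alternative Name")
    return re.findall(r"DNS:([^,\s]+)", body)


def eku_values(text):
    body = extension_body(text, "X509v3 Extended Key Usage")
    return [v.strip() for v in body.split(",") if v.strip()]


def check_gateway_cert(text, hostname):
    """List what a Windows 7 IKEv2 client would reject in this gateway certificate."""
    findings = []
    names = san_dns_names(text)
    if hostname not in names:
        findings.append(f"SAN DNS names {names} do not contain {hostname!r}")
    eku = eku_values(text)
    if IKE_INTERMEDIATE_OID not in eku:
        findings.append(f"EKU lacks IKE intermediate {IKE_INTERMEDIATE_OID}")
    if not SERVER_AUTH & set(eku):
        findings.append("EKU lacks TLS Web Server Authentication")
    return findings


# Milestones in the order a strongSwan EAP-RADIUS responder logs them. The first
# five markers are taken from the post; the last two are assumed wording that
# only matters once the exchange gets that far.
MILESTONES = [
    ("IKE_SA_INIT parsed", "parsed IKE_SA_INIT request"),
    ("IKE_AUTH parsed", "parsed IKE_AUTH request"),
    ("peer config selected", "selected peer config"),
    ("EAP-Identity request sent", "initiating EAP-Identity request"),
    ("gateway signed its AUTH", "(myself) with RSA signature successful"),
    ("client EAP identity received", "received EAP identity"),
    ("RADIUS request sent", "RADIUS"),
]


def last_milestone(lines):
    """Return the furthest milestone reached before the log goes quiet."""
    reached = None
    for label, marker in MILESTONES:
        if not any(marker in line for line in lines):
            break
        reached = label
    return reached


if __name__ == "__main__":
    for finding in check_gateway_cert(CERT_TEXT, CLIENT_HOSTNAME):
        print("cert:", finding)
    print("IKE exchange stopped after:", last_milestone(LOG_LINES))
```

Run against the values in the post, the certificate check reports that the SAN name and the hostname the client uses differ by one character, and the log check shows the responder signed its own AUTH but never logged an EAP identity from the client, which is consistent with the RADIUS server seeing no request: the client gives up on the gateway's certificate before EAP starts.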