Hi SS team,<br><br>I am having difficulty getting strongSwan select the right IKEv1 configuration based on group attributes returned from radius server. I am using "rightgroups" to define group in ipsec.conf and radius uses Filter-Id to return the group and Tunnel-Type attribute is set to ESP. <br>
<br>SS returns "constraint check failed: group membership required".<br><br>When I commented "rightgroups", tunnel gets installed irrespective of the Filter-Id attribute returned from radius.<br><br>IKEv2 works fine in a similar setup. <br>
<br>I am using SS 5.0.0.<br><br>I have my configuration and log below. <br><br> Please let me know if there is a problem with my configuration or this is an IKEv1 bug. <br><br>I appreciate any help.<br><br>Jordan.<br><br>
==============<br>#ipsec.conf<br>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=3<br><br><br>conn rw1<br> keyexchange=ikev1<br> left=172.16.20.1<br>
leftcert=zeus2.pem<br> leftid=@<a href="http://zeus.test.net">zeus.test.net</a><br> leftauth=pubkey<br> leftsubnet=<a href="http://172.16.50.0/24">172.16.50.0/24</a><br> right=%any<br> rightgroups="group1"<br>
rightsourceip=<a href="http://192.16.80.10/24">192.16.80.10/24</a><br> rightauth=pubkey<br> rightauth2=xauth-eap<br> auto=add<br><br>conn rw2<br> keyexchange=ikev1<br> left=172.16.20.1<br>
leftcert=zeus2.pem<br> leftid=@<a href="http://zeus.test.net">zeus.test.net</a><br> leftauth=pubkey<br> leftsubnet=<a href="http://172.16.60.0/24">172.16.60.0/24</a><br> right=%any<br> rightsourceip=<a href="http://192.16.90.10/24">192.16.90.10/24</a><br>
rightgroups="group2"<br> rightauth=pubkey<br> rightauth2=xauth-eap<br> auto=add<br><br>====vpn log=====<br>Jul 24 08:25:29 13[IKE] 172.16.60.10 is initiating a Main Mode IKE_SA<br>Jul 24 08:25:29 13[ENC] generating ID_PROT response 0 [ SA V V V ]<br>
Jul 24 08:25:29 13[NET] sending packet: from 172.16.20.1[500] to 172.16.60.10[500]<br>Jul 24 08:25:29 14[NET] received packet: from 172.16.60.10[500] to 172.16.20.1[500]<br>Jul 24 08:25:29 14[ENC] parsed ID_PROT request 0 [ KE No CERTREQ NAT-D NAT-D ]<br>
Jul 24 08:25:29 14[IKE] ignoring certificate request without data<br>Jul 24 08:25:29 14[IKE] sending cert request for "C=US, ST=CA, L=SAC, O=UC, OU=EDU, CN=<a href="http://ares.test.net">ares.test.net</a>, E=<a href="mailto:ares@test.net">ares@test.net</a>"<br>
Jul 24 08:25:29 14[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]<br>Jul 24 08:25:29 14[NET] sending packet: from 172.16.20.1[500] to 172.16.60.10[500]<br>Jul 24 08:25:30 16[NET] received packet: from 172.16.60.10[500] to 172.16.20.1[500]<br>
Jul 24 08:25:30 16[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]<br>Jul 24 08:25:30 16[IKE] received end entity cert "C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>"<br>
Jul 24 08:25:30 16[CFG] looking for XAuthInitRSA peer configs matching 172.16.20.1...172.16.60.10[C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>]<br>
Jul 24 08:25:30 16[CFG<span style="background-color:rgb(255,255,255)">] </span><b style="background-color:rgb(255,255,255);color:rgb(204,0,0)">selected peer config "rw1"</b><span style="background-color:rgb(255,255,255);color:rgb(204,0,0)"></span><br>
Jul 24 08:25:30 16[CFG] using certificate "C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>"<br>Jul 24 08:25:30 16[CFG] using trusted ca certificate "C=US, ST=CA, L=SAC, O=UC, OU=EDU, CN=<a href="http://ares.test.com">ares.test.com</a>, E=<a href="mailto:ares@test.net">ares@test.net</a>"<br>
Jul 24 08:25:30 16[CFG] checking certificate status of "C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>"<br>Jul 24 08:25:30 16[CFG] certificate status is not available<br>
Jul 24 08:25:30 16[CFG] reached self-signed root ca with a path length of 0<br>Jul 24 08:25:30 16[IKE] authentication of 'C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>' with RSA successful<br>
Jul 24 08:25:30 16[CFG] <b style="color:rgb(255,0,0)">constraint check failed: group membership required</b><br>Jul 24 08:25:30 16[CFG<span style="background-color:rgb(255,255,255)">]<span style="color:rgb(102,0,0)"> </span></span><b style="color:rgb(255,0,0)"><span style="background-color:rgb(255,0,0)"><span style="background-color:rgb(255,255,255)">switching to peer config 'rw1-ikev1-rep'</span></span></b><br>
Jul 24 08:25:30 16[CFG] using certificate "C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>"<br>Jul 24 08:25:30 16[CFG] using trusted ca certificate "C=US, ST=CA, L=SAC, O=UC, OU=EDU, CN=<a href="http://ares.test.net">ares.test.net</a>, E=<a href="mailto:ares@test.net">ares@test.net</a>"<br>
Jul 24 08:25:30 16[CFG] checking certificate status of "C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>"<br>Jul 24 08:25:30 16[CFG] certificate status is not available<br>
Jul 24 08:25:30 16[CFG] reached self-signed root ca with a path length of 0<br>Jul 24 08:25:30 16[IKE] authentication of 'C=US, ST=CA, O=UC, OU=EDU, CN=<a href="http://hera.test.net">hera.test.net</a>, E=<a href="mailto:hera@test.net">hera@test.net</a>' with RSA successful<br>
Jul 24 08:25:30 16[CFG]<b><span style="color:rgb(153,0,0)"> <span style="color:rgb(255,0,0)">constraint check failed: group membership required</span></span></b><br>Jul 24 08:25:30 16[CFG] no alternative config found<br>Jul 24 08:25:30 16[ENC] generating INFORMATIONAL_V1 request 735498134 [ HASH N(AUTH_FAILED) ]<br>
Jul 24 08:25:30 16[NET] sending packet: from 172.16.20.1[500] to 172.16.60.10[500]<br><br>