<div dir="ltr">I do have the eap-tls plugin, I built strongswan with this option enabled. When I start ipsec, I can see that the eap-tls plugin is being loaded. Here is the exact output of "ipsec start:"<br><br>Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] known interfaces and IP addresses:<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] lo<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] 127.0.0.1<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] ::1<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] eth0<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] <local_ip><br>Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] <mac_address><br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loaded ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=<a href="mailto:admin@domain.com">admin@domain.com</a>" from '/etc/ipsec.d/cacerts/cacert.pem'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key.pem'<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-tls xauth-generic xauth-noauth lookip<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)<br>Sep 26 12:49:48 ast-scodev-27 charon: 00[JOB] spawning 16 worker threads<br>Sep 26 12:49:48 ast-scodev-27 charon: 02[NET] waiting for data on sockets<br>Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] received stroke: add connection 'client'<br>Sep 26 12:49:48 ast-scodev-27 charon: 05[KNL] <vpn_server_ip> is not a local address or the interface is down<br>Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] loaded certificate "CN=username, C=Country, ST=State, O=Company Name, OU=Organization" from 'server.crt.pem'<br>Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] added configuration 'client'<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 26, 2014 at 12:57 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
Hello Justin,<br>
<br>
</span>Please keep it on the list.<br>
Do you have the eap-tls plugin?<br>
Also, this doesn't look good:<br>
EAP_IDENTITY not supported, sending EAP_NAK<br>
<br>
I don't know what causes the latter error.<br>
<br>
Kind regards,<br>
<span class="">Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
</span>On 26.09.2014 at 19:53, Justin Michael Schwartzbeck wrote:<br>
<span class="">> Hi Noel.<br>
><br>
> I have tried leftauth=eap-tls and it has the exact same behavior. I get the missing realm warning with other clients as well but still have a successful connection. I am thinking that the error is somewhere in the EAP transaction, especially because of this message:<br>
><br>
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request<br>
> [eap] Failed in handler<br>
> ++[eap] returns invalid<br>
> Failed to authenticate the user.<br>
><br>
> Because I get the same behavior with leftauth set to eap, eap-tls and eap-md5, I am thinking that the client is defaulting to EAP everything (without tls or md5).<br>
><br>
</span><span class="">> On Fri, Sep 26, 2014 at 12:45 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br>
><br>
><br>
> Hello Justin,<br>
><br>
> You need to set leftauth=eap-tls and the RADIUS complains about a missing realm:<br>
> [suffix] No '@' in User-Name = "username", looking up realm NULL<br>
> [suffix] No such realm "NULL"<br>
><br>
> Kind regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
> On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:<br>
> > Hello,<br>
><br>
> > I am trying to set up strongswan as a client to connect to a vpn server using EAP-TLS authentication. I have my connection set up as follows:<br>
><br>
> > conn client<br>
> > keyexchange=ikev2<br>
</span>> > right=myvpnserver.domain.com<br>
> > rightid=%myvpnserver.domain.com<br>
> > rightsubnet=0.0.0.0/0<br>
> > leftsourceip=%config<br>
> > leftauth=eap<br>
> > left=myclient.domain.com<br>
<span class="">> > leftid=username<br>
> > leftcert=server.crt.pem<br>
> > auto=add<br>
><br>
> > When I enter "ipsec up client" I get a failure on the client side:<br>
><br>
> > initiating IKE_SA client[1] to <vpn_server_ip><br>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)<br>
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)<br>
> > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]<br>
> > peer didn't accept DH group MODP_2048, it requested MODP_1024<br>
> > initiating IKE_SA client[1] to <vpn_server_ip><br>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)<br>
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)<br>
> > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]<br>
</span>> > received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=<a href="mailto:admin@domain.com">admin@domain.com</a>"<br>
<span class="">> > received 1 cert requests for an unknown ca<br>
</span>> > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, E=<a href="mailto:admin@domain.com">admin@domain.com</a>"<br>
<span class="">> > establishing CHILD_SA client<br>
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]<br>
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)<br>
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)<br>
> > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]<br>
</span>> > received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"<br>
> > using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"<br>
> > using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=<a href="mailto:admin@domain.com">admin@domain.com</a>"<br>
> > checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"<br>
<div><div class="h5">> > certificate status is not available<br>
> > reached self-signed root ca with a path length of 0<br>
> > authentication of '<vpn_server_ip>' with RSA signature successful<br>
> > server requested EAP_IDENTITY (id 0x3B), sending 'username'<br>
> > EAP_IDENTITY not supported, sending EAP_NAK<br>
> > generating IKE_AUTH request 2 [ EAP/RES/NAK ]<br>
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)<br>
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)<br>
> > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]<br>
> > received AUTHENTICATION_FAILED notify error<br>
> > establishing connection 'client' failed<br>
><br>
> > On the server side, I am using remote authentication with RADIUS. The EAP request seems to be incomplete, or fails somehow:<br>
><br>
> > rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135<br>
> > Service-Type = Login-User<br>
> > Cisco-AVPair = "service-type=Login"<br>
> > Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"<br>
> > User-Name = "username"<br>
> > EAP-Message = 0x023b0006030d<br>
> > Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f<br>
> > NAS-IP-Address = <vpn_server_ip><br>
> > # Executing section authorize from file /etc/raddb/sites-enabled/default<br>
> > +- entering group authorize {...}<br>
> > ++[preprocess] returns ok<br>
> > ++[chap] returns noop<br>
> > ++[mschap] returns noop<br>
> > ++[digest] returns noop<br>
> > [suffix] No '@' in User-Name = "username", looking up realm NULL<br>
> > [suffix] No such realm "NULL"<br>
> > ++[suffix] returns noop<br>
> > [eap] EAP packet type response id 59 length 6<br>
> > [eap] No EAP Start, assuming it's an on-going EAP conversation<br>
> > ++[eap] returns updated<br>
> > [files] users: Matched entry DEFAULT at line 50<br>
> > ++[files] returns ok<br>
> > ++[expiration] returns noop<br>
> > ++[logintime] returns noop<br>
> > [pap] WARNING: Auth-Type already set. Not setting to PAP<br>
> > ++[pap] returns noop<br>
> > Found Auth-Type = EAP<br>
> > # Executing group from file /etc/raddb/sites-enabled/default<br>
> > +- entering group authenticate {...}<br>
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request<br>
> > [eap] Failed in handler<br>
> > ++[eap] returns invalid<br>
> > Failed to authenticate the user.<br>
> > Using Post-Auth-Type Reject<br>
> > # Executing group from file /etc/raddb/sites-enabled/default<br>
> > +- entering group REJECT {...}<br>
> > [attr_filter.access_reject] expand: %{User-Name} -> username<br>
> > attr_filter: Matched entry DEFAULT at line 11<br>
> > ++[attr_filter.access_reject] returns updated<br>
> > Delaying reject of request 129 for 1 seconds<br>
> > Going to the next request<br>
> > Waking up in 0.9 seconds.<br>
> > Sending delayed reject for request 129<br>
> > Sending Access-Reject of id 131 to 10.89.150.210 port 1645<br>
> > Waking up in 4.9 seconds.<br>
> > Cleaning up request 129 ID 131 with timestamp +64810<br>
> > Ready to process requests.<br>
><br>
> ><br>
> > So here is my impression of what's happening, and correct me if I'm wrong: I think that on the strongswan side, EAP authentication is being used but there is no TLS happening. It seems like RADIUS is trying to determine whether the client is using TLS, MD5, etc. but fails to determine this. From the strongswan documentation I have gotten the idea that the client does not initiate EAP-TLS but it is enforced on the server side. Is there a way to do what I am trying to do?<br>
><br>
> > Thanks in advance.<br>
><br>
><br>
> > _______________________________________________<br>
> > Users mailing list<br>
</div></div>> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> > <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
<span class="">
><br>
><br>
<br>
</span>
<br>
</blockquote></div><br></div>
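<p>As an added illustration, not code from the thread or from the strongSwan project: a small Python checker that reads charon output like the lines quoted above and flags the points this discussion turns on, namely whether the eap-tls plugin appears in the "loaded plugins" line, whether the client answered the server's EAP-Identity request with an EAP_NAK (so the exchange never reached a TLS method), and whether the IKE_SA_INIT was retried with a weaker DH group after an INVAL_KE. The sample lines are copied from this thread. The eap-identity entry in the required-plugin list is my addition: strongSwan's eap-identity plugin is what lets a client answer EAP-Identity requests, and the thread itself does not state this. The list of groups treated as weak is likewise my choice.</p>

```python
import re

# Constructed sample: charon log lines copied from this thread (the plugin
# line from "ipsec start", the exchange lines from "ipsec up client").
SAMPLE_LOG = """\
Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-tls xauth-generic xauth-noauth lookip
Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
server requested EAP_IDENTITY (id 0x3B), sending 'username'
EAP_IDENTITY not supported, sending EAP_NAK
generating IKE_AUTH request 2 [ EAP/RES/NAK ]
parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
"""

# Plugins a client needs for an EAP-TLS exchange. eap-tls is the one the
# thread asks about; eap-identity (assumption, not stated in the thread) is
# the strongSwan plugin that answers EAP-Identity requests on the client.
REQUIRED_EAP_PLUGINS = ("eap-tls", "eap-identity")

# DH groups treated as weak when a peer negotiates down to them (my choice).
WEAK_DH_GROUPS = {"MODP_768", "MODP_1024", "MODP_1536"}

PLUGIN_RE = re.compile(r"loaded plugins: (.*)$")
UNMET_RE = re.compile(r"unable to load (\d+) plugin features")
DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
EAP_NAK_RE = re.compile(r"^(\S+) not supported, sending EAP_NAK$")


def loaded_plugins(log):
    """Return the set of plugin names from the first 'loaded plugins:' line."""
    for line in log.splitlines():
        m = PLUGIN_RE.search(line)
        if m:
            return set(m.group(1).split())
    return set()


def missing_plugins(log, required=REQUIRED_EAP_PLUGINS):
    """Names from `required` that do not appear in the loaded-plugins line."""
    have = loaded_plugins(log)
    return [name for name in required if name not in have]


def analyze(log):
    """Collect the findings a reviewer of this thread's logs would look for."""
    findings = {
        "missing_plugins": missing_plugins(log),
        "unmet_features": 0,
        "dh_downgrade": None,      # (proposed, requested) if the peer sent INVAL_KE
        "weak_dh_requested": False,
        "eap_nak_for": None,       # EAP method the client refused with EAP_NAK
        "auth_failed": False,
    }
    for line in log.splitlines():
        # Syslog-style charon lines carry a "NN[SUBSYS] " prefix; strip it so
        # the same patterns match plain "ipsec up" output as well.
        line = re.sub(r"^.*?\d\d\[[A-Z]+\] ", "", line.strip())
        if m := UNMET_RE.search(line):
            findings["unmet_features"] = int(m.group(1))
        elif m := DH_RE.search(line):
            findings["dh_downgrade"] = (m.group(1), m.group(2))
            findings["weak_dh_requested"] = m.group(2) in WEAK_DH_GROUPS
        elif m := EAP_NAK_RE.search(line):
            findings["eap_nak_for"] = m.group(1)
        elif "AUTHENTICATION_FAILED" in line:
            findings["auth_failed"] = True
    return findings


def report(findings):
    """Human-readable summary, returned as lines so callers can check them."""
    out = []
    if findings["missing_plugins"]:
        out.append("plugins not loaded: " + ", ".join(findings["missing_plugins"]))
    if findings["unmet_features"]:
        out.append(f"{findings['unmet_features']} plugin features unmet (check build options)")
    if findings["dh_downgrade"]:
        proposed, requested = findings["dh_downgrade"]
        flag = " (weak group)" if findings["weak_dh_requested"] else ""
        out.append(f"peer rejected {proposed} and requested {requested}{flag}")
    if findings["eap_nak_for"]:
        out.append(f"client answered {findings['eap_nak_for']} with EAP_NAK; EAP never reached a TLS method")
    if findings["auth_failed"]:
        out.append("IKE_AUTH ended with AUTHENTICATION_FAILED")
    return out


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

<p>Run against the thread's own lines, the checker reports that eap-tls is loaded but eap-identity is not, that six plugin features were left unmet, that the server pushed the DH group down from MODP_2048 to MODP_1024, and that the EAP-Identity request was refused with an EAP_NAK before authentication failed. Feeding it the output of a different host is a quick way to confirm the plugin list before looking at the RADIUS side.</p>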