<div dir="ltr"><div>Thank you for answer.</div><div><br></div>I'm sorry for the confusion.<div><br></div><div>To put it delicately, I want to add Radius server in G/W1 ==== G/W2 IPsec.<br></div><div><br></div><div>So, G/W1 and G/W2 have to work as a Radius client.</div><div><br></div><div><img src="cid:ii_14f43f8eceafeed2" alt="본문 이미지 1" width="503" height="260"><br></div><div><br></div><div><br></div><div>Currently, I tried out the tips from you.</div><div><br></div><div>rightauth=eap-md5 => eap-radius</div><div><br></div><div><br></div><div><span style="font-size:14px">> *<Server configuration>*</span><br style="font-size:14px"><span style="font-size:14px">></span><br style="font-size:14px"><span style="font-size:14px">> 1) ipsec.conf</span><br style="font-size:14px"><span style="font-size:14px">> [...]</span><br style="font-size:14px"><span style="font-size:14px">> conn rw-eap</span><br style="font-size:14px"><span style="font-size:14px">> rightauth=eap-radius</span><br style="font-size:14px"><span style="font-size:14px">> [...]</span><br></div><div><br></div><div><br></div><div><b>My problem is....</b></div><div><b><br></b></div><div><b>1) Why this message is generated ??</b></div><div><b><br></b></div><div><b>syslog message : Aug 19 12:14:23 radSer charon: 10[IKE] loading EAP_RADIUS method failed</b></div><div><b><br></b></div><div><b><br></b></div><div><b>2) Radius Server couldn't capture any packet.</b></div><div><br></div><div><br></div><div>How can I solve this problem...? Please help me.</div><div><br></div><div><br></div><div><br></div><div><br></div><div><span style="font-size:14px">This is my configuration. </span></div><div><span style="font-size:14px">(I raised the debugging level : charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3")</span></div><div><br></div><div><br></div><div><div style="font-size:14px"><b><font size="4"><G/W1 configuration></font></b></div><div style="font-size:14px"><br></div><div style="font-size:14px"><font size="4">1) ipsec.conf</font></div></div><div><div>config setup</div><div><br></div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div><br></div><div>conn rw-eap</div><div> left=192.168.0.1</div><div> leftsubnet=<a href="http://129.254.73.0/24">129.254.73.0/24</a></div><div> leftcert=moon.pem</div><div> leftid=strongswan moon</div><div> leftauth=pubkey</div><div> leftfirewall=yes</div><div> rightid=strongswan sun</div><div> <font color="#ff0000">rightauth=eap-radius</font></div><div> rightsendcert=never</div><div> right=192.168.0.2</div><div> auto=add</div></div><div><br></div><div style="font-size:14px"><span style="font-size:large">2) strongswan.conf</span><font size="4"><br></font></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div><div>charon {</div><div> load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown</div><div><br></div><div>plugins{</div><div> eap-radius {</div><div> secret = testing123</div><div> address = 129.254.72.87</div><div> }</div><div> }</div><div>}</div></div><div><br></div><div><br></div><div style="font-size:14px"><span style="font-size:large">3) ipsec.secrets</span><span style="font-size:large"><br></span></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div><div>: RSA moon.key "1p2p3p"</div><div>: RSA ca.key "1p2p3p"</div><div style="font-size:14px"><br></div></div><div style="font-size:14px"><span style="font-size:large">4) ipsec statusall</span><span style="font-size:large"><br></span></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div><div>Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-61-generic, x86_64):</div><div> uptime: 59 minutes, since Aug 19 12:22:10 2015</div><div> malloc: sbrk 2568192, mmap 0, used 398432, free 2169760</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0</div><div> loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown</div><div>Listening IP addresses:</div><div> 192.168.0.1</div><div> 129.254.73.189</div><div>Connections:</div><div> rw-eap: 192.168.0.1...192.168.0.2 IKEv2</div><div> rw-eap: local: [C=KR, ST=Some-State, O=Etri, CN=strongswan moon] uses public key authentication</div><div> rw-eap: cert: "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"</div><div> rw-eap: remote: [strongswan sun] uses EAP_RADIUS authentication</div><div> rw-eap: child: <a href="http://129.254.73.0/24">129.254.73.0/24</a> === dynamic TUNNEL</div><div>Security Associations (0 up, 0 connecting):</div><div> none</div></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div><span style="font-size:large">5) </span><font size="4">tail -f /var/log/syslog /var/log/auth.log</font><span style="font-size:large"><br></span></div><div><font size="4"><br></font></div><div><div>root@radSer:/home/guest/temp/strongswan-5.2.2# tail -f /var/log/syslog /var/log/auth.log</div><div>==> /var/log/syslog <==</div><div>Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host 129.254.190.77.</div><div>Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host 129.254.195.208.</div><div>Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host 129.254.172.192.</div><div>Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host fe80::6e3b:e5ff:fe06:ad82.</div><div>Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host 129.254.172.139.</div><div>Aug 19 13:15:10 radSer avahi-daemon[904]: server.c: Packet too short or invalid while reading known answer record. (Maybe a UTF-8 problem?)</div><div>Aug 19 13:17:01 radSer CRON[30816]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)</div><div>Aug 19 13:20:21 radSer avahi-daemon[904]: message repeated 4 times: [ server.c: Packet too short or invalid while reading known answer record. (Maybe a UTF-8 problem?)]</div><div>Aug 19 13:21:09 radSer avahi-daemon[904]: Invalid response packet from host fe80::5265:f3ff:fe5d:c1a.</div><div>Aug 19 13:22:01 radSer avahi-daemon[904]: server.c: Packet too short or invalid while reading known answer record. (Maybe a UTF-8 problem?)</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 12:22:10 radSer ipsec_starter[30718]: !! <a href="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</a></div><div>Aug 19 12:22:11 radSer ipsec_starter[30739]: charon (30740) started after 20 ms</div><div>Aug 19 12:22:21 radSer charon: 12[IKE] 192.168.0.2 is initiating an IKE_SA</div><div>Aug 19 12:22:32 radSer charon: 04[IKE] 192.168.0.2 is initiating an IKE_SA</div><div>Aug 19 12:39:01 radSer CRON[30777]: pam_unix(cron:session): session opened for user root by (uid=0)</div><div>Aug 19 12:39:01 radSer CRON[30777]: pam_unix(cron:session): session closed for user root</div><div>Aug 19 13:09:01 radSer CRON[30800]: pam_unix(cron:session): session opened for user root by (uid=0)</div><div>Aug 19 13:09:01 radSer CRON[30800]: pam_unix(cron:session): session closed for user root</div><div>Aug 19 13:17:01 radSer CRON[30815]: pam_unix(cron:session): session opened for user root by (uid=0)</div><div>Aug 19 13:17:01 radSer CRON[30815]: pam_unix(cron:session): session closed for user root</div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:22:35 radSer charon: 13[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] (692 bytes)</div><div>Aug 19 13:22:35 radSer charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div><div>Aug 19 13:22:35 radSer charon: 13[IKE] 192.168.0.2 is initiating an IKE_SA</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 13:22:35 radSer charon: 13[IKE] 192.168.0.2 is initiating an IKE_SA</div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:22:36 radSer charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</div><div>Aug 19 13:22:36 radSer charon: 13[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] (440 bytes)</div><div>Aug 19 13:22:36 radSer charon: 14[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500] (492 bytes)</div><div>Aug 19 13:22:36 radSer charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div><div>Aug 19 13:22:36 radSer charon: 14[IKE] received cert request for "C=KR, ST=Some-State, O=Etri, CN=strongswan1"</div><div>Aug 19 13:22:36 radSer charon: 14[CFG] looking for peer configs matching 192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan moon]...192.168.0.2[strongswan sun]</div><div>Aug 19 13:22:36 radSer charon: 14[CFG] selected peer config 'rw-eap'</div><div><span style="background-color:rgb(255,0,0)">Aug 19 13:22:36 radSer charon: 14[IKE] loading EAP_RADIUS method failed</span></div><div>Aug 19 13:22:36 radSer charon: 14[IKE] peer supports MOBIKE</div><div>Aug 19 13:22:36 radSer charon: 14[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]</div><div>Aug 19 13:22:36 radSer charon: 14[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500] (156 bytes)</div></div><div><br></div><div><br></div><div><br></div><div><div style="font-size:14px"><b><font size="4"><G/W2 configuration></font></b></div><div style="font-size:14px"><br></div><div><div><div style="font-size:14px"><font size="4">1) ipsec.conf</font></div><div style="font-size:14px"><font size="4"><br></font></div><div><div>config setup</div><div># charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3"</div><div><br></div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div><br></div><div>conn home</div><div> left=192.168.0.2</div><div> leftid=strongswan sun</div><div> leftauth=eap</div><div> leftfirewall=yes</div><div> right=192.168.0.1</div><div> rightid=strongswan moon</div><div> rightsubnet=<a href="http://129.254.73.0/24">129.254.73.0/24</a></div><div> rightauth=pubkey</div><div> rightcert=moon.pem</div><div> auto=add</div></div></div><div><br></div><div style="font-size:14px"><span style="font-size:large">2) strongswan.conf</span><font size="4"><br></font></div><div><div>charon {</div><div> load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown</div><div><br></div><div>plugins{</div><div> eap-radius {</div><div> secret = testing123</div><div> address = 129.254.72.87</div><div> }</div><div> }</div></div><div><font size="4"><br></font></div><div style="font-size:14px"><span style="font-size:large">3) ipsec.secrets</span><span style="font-size:large"><br></span></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div><div>: RSA sun.key "1p2p3p"</div><div>: RSA moon.key "1p2p3p"</div><div>strongswan sun : EAP "testing123"</div></div><div><br></div><div style="font-size:14px"><span style="font-size:large">4) ipsec statusall</span><span style="font-size:large"><br></span></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div><div>Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-57-generic, x86_64):</div><div> uptime: 62 minutes, since Aug 19 12:23:22 2015</div><div> malloc: sbrk 405504, mmap 0, used 344912, free 60592</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0</div><div> loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown</div><div>Listening IP addresses:</div><div> 192.168.0.55</div><div> 192.168.0.2</div><div> 129.254.73.188</div><div>Connections:</div><div> home: 192.168.0.2...192.168.0.1 IKEv2</div><div> home: local: [strongswan sun] uses EAP authentication</div><div> home: remote: [C=KR, ST=Some-State, O=Etri, CN=strongswan moon] uses public key authentication</div><div> home: cert: "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"</div><div> home: child: dynamic === <a href="http://129.254.73.0/24">129.254.73.0/24</a> TUNNEL</div><div>Security Associations (0 up, 0 connecting):</div><div> none</div></div><div><br></div><div style="font-size:small"><span style="font-size:large">5) </span><font size="4">tail -f /var/log/syslog /var/log/auth.log</font><span style="font-size:large"><br></span></div><div style="font-size:14px"><font size="4"><br></font></div><div><div>root@radClient:~# tail -f /var/log/syslog /var/log/auth.log</div><div>==> /var/log/syslog <==</div><div>Aug 19 13:24:57 radClient avahi-daemon[843]: Invalid response packet from host fe80::fe15:b4ff:fe78:6dc3.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from host fe80::3664:a9ff:fe69:ad9b.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from host 129.254.194.88.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: server.c: Packet too short or invalid while reading known answer record. (Maybe a UTF-8 problem?)</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from host 129.254.172.139.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from host fe80::6e3b:e5ff:fe06:ad82.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from host 129.254.72.230.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from host fe80::a2b3:ccff:fe9b:4b2e.</div><div>Aug 19 13:24:59 radClient avahi-daemon[843]: Invalid response packet from host fe80::a65d:36ff:fe62:e868.</div><div>Aug 19 13:24:59 radClient avahi-daemon[843]: Invalid response packet from host 129.254.190.77.</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 12:23:21 radClient ipsec_starter[10575]: !! <a href="http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad">http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad</a></div><div>Aug 19 12:23:21 radClient ipsec_starter[10596]: charon (10597) started after 20 ms</div><div>Aug 19 12:23:39 radClient charon: 12[IKE] initiating IKE_SA home[1] to 192.168.0.1</div><div>Aug 19 12:23:39 radClient charon: 13[IKE] establishing CHILD_SA home</div><div>Aug 19 12:23:50 radClient charon: 07[IKE] initiating IKE_SA home[2] to 192.168.0.1</div><div>Aug 19 12:23:50 radClient charon: 08[IKE] establishing CHILD_SA home</div><div>Aug 19 13:17:01 radClient CRON[10644]: pam_unix(cron:session): session opened for user root by (uid=0)</div><div>Aug 19 13:17:01 radClient CRON[10644]: pam_unix(cron:session): session closed for user root</div><div>Aug 19 13:23:53 radClient charon: 08[IKE] initiating IKE_SA home[3] to 192.168.0.1</div><div>Aug 19 13:23:53 radClient charon: 09[IKE] establishing CHILD_SA home</div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:25:46 radClient charon: 05[NET] received packet: from 192.168.0.1[500] to 192.168.0.2[500] (692 bytes)</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 13:25:46 radClient charon: 05[IKE] 192.168.0.1 is initiating an IKE_SA</div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:25:46 radClient charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div><div>Aug 19 13:25:46 radClient charon: 05[IKE] 192.168.0.1 is initiating an IKE_SA</div><div>Aug 19 13:25:46 radClient charon: 05[IKE] sending cert request for "C=KR, ST=Some-State, O=Etri, CN=strongswan1"</div><div>Aug 19 13:25:46 radClient charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div>Aug 19 13:25:46 radClient charon: 05[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[500] (465 bytes)</div><div>Aug 19 13:25:46 radClient charon: 07[NET] received packet: from 192.168.0.1[4500] to 192.168.0.2[4500] (1228 bytes)</div><div>Aug 19 13:25:46 radClient charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] received end entity cert "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"</div><div>Aug 19 13:25:46 radClient charon: 07[CFG] looking for peer configs matching 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan moon]</div><div>Aug 19 13:25:46 radClient charon: 07[CFG] selected peer config 'home'</div><div>Aug 19 13:25:46 radClient charon: 07[CFG] using trusted ca certificate "C=KR, ST=Some-State, O=Etri, CN=strongswan1"</div><div>Aug 19 13:25:46 radClient charon: 07[CFG] checking certificate status of "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"</div><div>Aug 19 13:25:46 radClient charon: 07[CFG] certificate status is not available</div><div>Aug 19 13:25:46 radClient charon: 07[CFG] reached self-signed root ca with a path length of 0</div><div>Aug 19 13:25:46 radClient charon: 07[CFG] using trusted certificate "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] authentication of 'C=KR, ST=Some-State, O=Etri, CN=strongswan moon' with RSA signature successful</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] peer supports MOBIKE</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] IKE_SA home[4] established between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan moon]</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] IKE_SA home[4] established between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan moon]</div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] scheduling reauthentication in 3316s</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] maximum IKE_SA lifetime 3496s</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] CHILD_SA home{4} established with SPIs cf4d1089_i c47c418e_o and TS <a href="http://192.168.0.2/32">192.168.0.2/32</a> === <a href="http://129.254.73.0/24">129.254.73.0/24</a> </div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:25:46 radClient charon: 07[IKE] CHILD_SA home{4} established with SPIs cf4d1089_i c47c418e_o and TS <a href="http://192.168.0.2/32">192.168.0.2/32</a> === <a href="http://129.254.73.0/24">129.254.73.0/24</a> </div><div>Aug 19 13:25:46 radClient vpn: + C=KR, ST=Some-State, O=Etri, CN=strongswan moon <a href="http://129.254.73.0/24">129.254.73.0/24</a> == 192.168.0.1 -- 192.168.0.2</div><div>Aug 19 13:25:46 radClient charon: 07[ENC] generating IKE_AUTH response 1 [ IDr SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]</div><div>Aug 19 13:25:46 radClient charon: 07[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[4500] (220 bytes)</div><div>Aug 19 13:25:46 radClient charon: 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.2[4500] (76 bytes)</div><div>Aug 19 13:25:46 radClient charon: 12[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]</div><div>Aug 19 13:25:46 radClient charon: 12[IKE] received DELETE for IKE_SA home[4]</div><div>Aug 19 13:25:46 radClient charon: 12[IKE] deleting IKE_SA home[4] between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan moon]</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 13:25:46 radClient charon: 12[IKE] deleting IKE_SA home[4] between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan moon]</div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:25:46 radClient charon: 12[IKE] IKE_SA deleted</div><div><br></div><div>==> /var/log/auth.log <==</div><div>Aug 19 13:25:46 radClient charon: 12[IKE] IKE_SA deleted</div><div><br></div><div>==> /var/log/syslog <==</div><div>Aug 19 13:25:46 radClient vpn: - C=KR, ST=Some-State, O=Etri, CN=strongswan moon <a href="http://129.254.73.0/24">129.254.73.0/24</a> == 192.168.0.1 -- 192.168.0.2</div><div>Aug 19 13:25:46 radClient charon: 12[ENC] generating INFORMATIONAL response 2 [ ]</div><div>Aug 19 13:25:46 radClient charon: 12[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[4500] (76 bytes)</div><div style="font-size:large"><br></div></div><div><div style="font-size:14px"><b><font size="4"><FreeRADIUS configuration></font></b></div><div style="font-size:14px"><br></div><div><div><div style="font-size:14px"><font size="4">1) radiusd.conf</font></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"># radiusd.conf -- FreeRADIUS server configuration file.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/freeradius
raddbdir = ${sysconfdir}/freeradius
radacctdir = ${logdir}/radacct
# name of the running server. See also the "-n" command-line option.
name = freeradius
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
# libdir: Where to find the rlm_* modules.
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
pidfile = ${run_dir}/${name}.pid
# max_request_time: The maximum time (in seconds) to handle a request.
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
max_requests = 1024
# listen: Make the server listen on a particular IP address, and send
listen {
type = auth
ipaddr = 129.254.72.87
port = 0
}
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
type = acct
ipaddr = <span style="font-family:arial,sans-serif">129.254.72.87</span>
port = 0
}
# hostname_lookups: Log the names of clients or just their IP addresses
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
allow_core_dumps = no
# Regular expressions
regular_expressions = yes
extended_expressions = yes
# Logging section. The various "log_*" configuration items
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# Security considerations
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
# PROXY CONFIGURATION
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# MODULE CONFIGURATION
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}
# Instantiation
instantiate {
exec
expr
expiration
logintime
}
# Policies
$INCLUDE policy.conf
# Include all enabled virtual hosts
$INCLUDE sites-enabled/</pre></div><div style="font-size:14px"><span style="font-size:large">2) eap.conf</span><font size="4"><br></font></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">eap {
default_eap_type = md5
md5 {
}
}</pre></div><div style="font-size:14px"><span style="font-size:large">3) </span><span style="font-size:large">clients.conf</span></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div><div>etri1 129.254.73.189 {</div><div> secret = testing123</div><div> shortname = moon</div><div>}</div><div>etri2 129.254.73.188 {</div><div> secret = testing123</div><div> shortname = sun</div><div>}</div><div style="font-size:14px"><br></div></div><div style="font-size:14px"><span style="font-size:large">4) </span><span style="font-size:large">users</span></div><div style="font-size:14px"><span style="font-size:large"><br></span></div><div>sun Cleartext-Password := "testing123"<br></div><div>moon Cleartext-Password := "testing123"<font size="4"><br></font></div><div><br></div><div style="font-size:14px"><span style="font-size:large">5) proxy.conf</span></div><div style="font-size:14px"><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">realm <a href="http://strongswan.org">strongswan.org</a> {
type = radius
authhost = LOCAL
accthost = LOCAL
}</pre></div><div style="font-size:14px"><span style="font-size:large">6) strongswan.conf</span></div><div style="font-size:small"><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"># /etc/strongswan.conf - strongSwan configuration file
charon {
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
}
libstrongswan {
dh_exponent_ansi_x9_42 = no
}</pre></div></div></div></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-family:Gulim;font-size:13px">------------------------------</span><span style="font-family:Gulim;font-size:13px">------</span><br style="font-family:Gulim;font-size:13px"><span style="font-family:Gulim;font-size:13px">Hyun-jin Kim, Master's course</span><br style="font-family:Gulim;font-size:13px"><span style="font-family:Gulim;font-size:13px">Information Security Laboratory</span><br style="font-family:Gulim;font-size:13px"><span style="font-family:Gulim;font-size:13px">ChungNam National University </span><br style="font-family:Gulim;font-size:13px"><span style="font-family:Gulim;font-size:13px">E: </span><a href="mailto:be.successor@gmail.com" style="color:rgb(17,85,204);font-family:Gulim;font-size:13px" target="_blank">be.successor@gmail.com</a><br style="font-family:Gulim;font-size:13px"><span style="font-family:Gulim;font-size:13px">Tel : +82-10-4410-4292 / +82-42-821-7443</span><br style="font-family:Gulim;font-size:13px"><span style="font-family:Gulim;font-size:13px">------------------------------</span><span style="font-family:Gulim;font-size:13px">------</span><br></div></div></div></div></div></div></div>
<br><div class="gmail_quote">2015-08-19 4:41 GMT+09:00 Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello,<br>
<br>
> *<Server configuration>*<br>
><br>
> 1) ipsec.conf<br>
> [...]<br>
> conn rw-eap<br>
> rightauth=eap-md5<br>
> [...]<br>
<br>
That tells strongSwan to try to authenticate the other side using eap-md5.<br>
This doesn't make sense, if you want to delegate the eap authentication<br>
to a RADIUS server. You need to set that value to eap-radius.<br>
<br>
Judging from your diagram and the configs, you want to authenticate the server<br>
to the client using a cerificate and delegate the EAP authentication,<br>
which happens after the certificate authentication, to a RADIUS server?<br>
<br>
In that case, strongSwan only relays the EAP messages in the IKE exchange to<br>
the RADIUS server and does not do any EAP exchanges with the client.<br>
Therefore you need to tell it to use the eap-radius plugin for authenticating the client.<br>
If you had followed the configuration file[1] for moon correctly, you had seen that:<br>
<br>
> [...]<br>
> conn rw-eap<br>
> rightauth=eap-radius<br>
> [...]<br>
<br>
Also, the auth.log file on the server tells you the problem:<br>
<span class=""><br>
> Aug 18 16:21:23 radSer charon: 06[CFG] selected peer config 'rw-eap'<br>
> Aug 18 16:21:23 radSer charon: 06[IKE] loading EAP_MD5 method failed<br>
> Aug 18 16:21:23 radSer charon: 06[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]<br>
<br>
<br>
<br>
<br>
</span>[1] <a href="https://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-radius/moon.ipsec.conf" rel="noreferrer" target="_blank">https://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-radius/moon.ipsec.conf</a><br>
<br>
- --<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
iQIcBAEBCAAGBQJV04pcAAoJEDg5KY9j7GZYT2MP/iJr11MEX4AyiouOqODaW9yD<br>
BnBJeIb+kRInQSs1HW00sX06mwvoXSZRHjBEhwFNiSyangpsrjITeNMEk1BK++Sx<br>
ZQnEP99FwPOUiJz4gKeZQ/5bqbJpI/MX7UHGj24aqGZEjOfUdso/Tk4dA0QuH7oy<br>
vjYLJObaNIxERCMey1Aqwe4/Msja6S3WNqO/CGxaMCdGj7kd3VN5H97r06ZnQRTY<br>
LbruPPeBYqGpcEshu1DuYwdwf2yK0MKEQ/JuKOmRKx/yDVGhKQxVk/MEEKnIQfWx<br>
hIrYLr2gma4guLCFiKgKrrV5dpE5VVffhCJrkg948QQVDNDNpQiVG3q2SkwM0TEV<br>
4CEA6y84V6rcuhBSXjw5QQoaIW/E2zk9T1ItqtRReDRxRt1B9ATR/+3C0fYIgCNn<br>
cJaxjeUaj/9DCC0gq+vlEoEx4D4L2CBRU53qohyiAersRwLZaMRqHuibDWsDOyJF<br>
hLSpRHz+AzvXTgl1xBMx2Amiai/QzasEo175LsC3iro2iNVEd0XnCJfZYy3Kso9E<br>
EGkN/fdv+T+P3E9XIqvLrM2tkdVEiqDvQZ8azPeadC1Bte5g+aeNGjkuzb7aWG41<br>
/QW6oSEf7Ns8QZww6swKFyIVEFPtw1Cqq7pGE8ay3MXAhPsAVqKL22a+vYcVNTC2<br>
5nMt6eS37EXmDUzAkdH8<br>
=fzqJ<br>
-----END PGP SIGNATURE-----<br>
<br>
<br>
</blockquote></div><br></div>