<html><head></head><body>
<div>
<p>Hi, Noel</p>
<p>Thanks.<br>
I compiled again to isolate this problem.<br>
The reason why no item about certificates was shown by "ipsec listall" was that I had imported an incorrect certificate from FreeRadius.<br>
Now I can get the item about the CA with "ipsec listall".</p>
<p>But I still get the same error.</p>
<p>What does "access denied" mean?<br>
This is for TLS 1.2, but it means:</p>
<pre>
access_denied
   A valid certificate was received, but when access control was
   applied, the sender decided not to proceed with negotiation. This
   message is always fatal.
</pre>
<p>(from RFC 5246)</p>
<p>Access control?</p>
<p>I compiled like this:</p>
<pre>./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls --enable-eap-mschapv2 --enable-eap-md5</pre>
<p>Regards,</p>

<pre>
///
/// debug of StrongSwan.
///
Sun Feb 28 10:28:54 2016 : Info: [ttls] &lt;&lt;&lt; TLS 1.0 Alert [length 0002], fatal access_denied
Sun Feb 28 10:28:54 2016 : Error: TLS Alert read:fatal:access denied
Sun Feb 28 10:28:54 2016 : Error: TLS_accept: failed in SSLv3 read client certificate A
Sun Feb 28 10:28:54 2016 : Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Sun Feb 28 10:28:54 2016 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Sun Feb 28 10:28:54 2016 : Debug: TLS receive handshake failed during operation
</pre>

<pre>
///
/// config of ipsec.conf
///
root@eNB-3:/usr/local/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="tls 4, ike 4, lib 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn eap-ttls-rad1
    left=192.168.31.10
    leftsourceip=%config
    leftid=test1@test
    leftauth=eap
    #leftauth2=md5
    right=192.168.120.254
    #rightcert=/usr/local/etc/ipsec.d/certs/Radius-1_Svr_cert
    rightid=Radius-1@test
    rightsubnet=2.0.0.1/32
    rightauth=pubkey
    #rightauth2=md5
    aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"
    auto=add
</pre>

<pre>
///
/// output of "ipsec listall"
///
root@eNB-3:/usr/local/etc# ipsec listall

List of X.509 CA Certificates:

  subject:  "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@XXX.com, E=yukou.katori@XXX.com"
  issuer:   "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@XXX.com, E=yukou.katori@XXX.com"
  serial:    91:72:72:2d:af:3f:7c:73
  validity:  not before Feb 28 01:02:24 2016, ok
             not after  Feb 27 01:02:24 2017, ok
  pubkey:    RSA 2048 bits
  keyid:     e5:a7:66:c8:00:8f:8a:3a:72:7a:b3:af:ef:6c:e5:a4:3f:bb:51:16
  subjkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53
  authkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53

List of registered IKE algorithms:
(snip)
</pre>

<p>Just for info, the user configuration of FreeRadius is fine.</p>

<pre>
///
/// about the server's certificate
/// CN=Radius-1_svr@test was issued by CN=Radius-1_CA
///
root@Radius-1:/usr/lib/ssl/misc# openssl x509 -text -noout -in Radius-1_Svr_cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@test/emailAddress=yukou.katori@test
        Validity
            Not Before: Feb 27 16:18:46 2016 GMT
            Not After : Feb 26 16:18:46 2017 GMT
        Subject: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_svr@test/emailAddress=yukou.katori@test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
</pre>

<pre>
///
/// users
/// user configuration seems fine...
///
test1@test Cleartext-Password := "test1@test"
</pre>

<pre>
/etc/freeradius/wpa_supplicant-2.5/wpa_supplicant# ./eapol_test -c eap-ttls.conf -s testing123 -a 127.0.0.1
Reading configuration file 'eap-ttls.conf'
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=15):
     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d   test1@test
password - hexdump_ascii(len=15):
     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d   test1@test
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 4d 44 35                          auth=MD5
Priority group 0
   id=0 ssid=''
(snip)

MPPE keys OK: 1  mismatch: 0
SUCCESS
</pre>

<blockquote>
<p>On Friday, 26 February 2016, 0:38, Noel Kuntze &lt;noel@familie-kuntze.de&gt; wrote:</p>
<p>Hello Yukou,</p>
<pre>
&gt; Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)
&gt;&gt; Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'
</pre>
<p>What does your config look like? Obviously, the RADIUS server only authenticates itself, not the authenticator.</p>
<pre>
&gt; I installed the certificate of the server:
&gt; ipsec.d/certs/
</pre>
<p>Where is that exactly? Are you aware that the location of ipsec.d changes, depending on the compile time sysconfdir and prefix settings?</p>
<pre>
&gt; When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed.
</pre>
<p>Make sure you understand where charon thinks ipsec.d actually is.</p>

<blockquote>
<p>On 25.02.2016 08:51, yukou katori wrote:</p>
<p>Hi,</p>
<p>I'm setting up an EAP-TTLS-Radius client on StrongSwan5.3.5.</p>
<pre>Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)</pre>
<p>I got the following error when the Client tries to connect.</p>
<pre>&gt; Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'</pre>
<p>I installed the certificate of the server:<br>
ipsec.d/certs/</p>
<pre>
/usr/local/etc/ipsec.d# ls certs/
server.pem
</pre>
<p>When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed.</p>
<p>Is it wrong about the way to store the certificate?<br>
Or another reason? (e.g. plugin is not enough)</p>
<p>Regards,</p>
<p>Log:</p>
<pre>
Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 bytes)
Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)
Feb 25 14:41:13 tester charon: 05[LIB] signature verification:
Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'
Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 byte TLS record received
Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'
</pre>
</blockquote>

<pre>
-- 
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
</pre>
</blockquote>
</div>
</body></html>