<div dir="ltr"><div>Good day! Can you help?<br></div><div>I want configure Strongswan IKEv2 with OpenLdap authentication. Is it real?</div><div>I configure freeradius + LDAP, try radtest with ldap user adam, test OK:</div><div><br></div><div><div><b>radtest adam password1234 myip 10 password1234</b></div><div><br></div><div>Sent Access-Request Id 142 from <a href="http://0.0.0.0:46701" target="_blank">0.0.0.0:46701</a> to myip:1812 length 74</div><div><span class="gmail-m_4174948342380701813gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>User-Name = "adam"</div><div><span class="gmail-m_4174948342380701813gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>User-Password = "password1234"</div><div><span class="gmail-m_4174948342380701813gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>NAS-IP-Address = 127.0.1.1</div><div><span class="gmail-m_4174948342380701813gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>NAS-Port = 10</div><div><span class="gmail-m_4174948342380701813gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>Message-Authenticator = 0x00</div><div><span class="gmail-m_4174948342380701813gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>Cleartext-Password = "password1234"</div><div>Received <b>Access-Accept</b> Id 142 from myip:1812 to <a href="http://0.0.0.0:0" target="_blank">0.0.0.0:0</a> length 20</div></div><div><br></div><div><b>Log from radius server: </b></div><div>radius_1 | Fri Dec 23 08:54:02 2016 : Info: rlm_ldap (ldap): Opening additional connection (38)<br></div><div>Log from ldap server:</div><div><div>585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128 </div><div>585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0 </div><div>585ce62a conn=1206 op=0 RESULT tag=97 err=0 text= </div><div>585ce62a conn=1206 op=1 MOD dn="uid=adam,dc=***,dc=***" </div><div>585ce62a conn=1206 op=1 MOD attr=description </div><div>585ce62a conn=1206 op=1 RESULT tag=103 err=0 text= </div></div><div><br></div><div><br></div><div><div>Then I connect android strongswan client with strongswan server and received response from ldap:</div></div><div><br></div><div>radius log: radius_1 | Fri Dec 23 09:01:46 2016 : Info: rlm_ldap (ldap): Opening additional connection (42)</div><div>ldap log: </div><div><div>585ce821 conn=1211 fd=17 ACCEPT from IP=<a href="http://78.46.192.19:46089" target="_blank">*.*.*.*:46089</a> (IP=<a href="http://0.0.0.0:389" target="_blank">0.0.0.0:389</a>) </div><div>585ce821 conn=1211 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128 </div><div>585ce821 conn=1211 op=0 BIND dn="cn=dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0 </div><div>585ce821 conn=1211 op=0 RESULT tag=97 err=0 text= </div></div><div><br></div><div><b>Strongswan client log:</b></div><div><pre class="gmail-aLF-aPX-K0-aPE gmail-aLF-aPX-aLK-ayr-auR">Dec 23 12:04:23 12[NET] sending packet: from 192.168.88.18[37418] to *** [4500] (3612 bytes)
Dec 23 12:04:23 13[NET] received packet: from *** [4500] to 192.168.88.18[37418] (1196 bytes)
Dec 23 12:04:23 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 23 12:04:23 13[IKE] received end entity cert "C=CA, O=Example, CN=<a href="http://nagios.by">nagios.by</a>"
Dec 23 12:04:23 13[CFG] using certificate "C=CA, O=Example, CN=<a href="http://nagios.by">nagios.by</a>"
Dec 23 12:04:23 13[CFG] using trusted ca certificate "C=CA, O=Example, CN=ExampleCA"
Dec 23 12:04:23 13[CFG] reached self-signed root ca with a path length of 0
Dec 23 12:04:23 13[IKE] <font color="#0000ff">authentication of '*.*' with RSA signature successful</font>
Dec 23 12:04:23 13[IKE] server requested EAP_IDENTITY (id 0x00), sending 'adam'
Dec 23 12:04:23 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 23 12:04:23 13[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (76 bytes)
Dec 23 12:04:23 14[NET] received packet: from *.*.*.*[4500] to 192.168.88.18[37418] (92 bytes)
Dec 23 12:04:23 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Dec 23 12:04:23 14[IKE] server requested EAP_MD5 authentication (id 0x01)
Dec 23 12:04:23 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
Dec 23 12:04:23 14[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (92 bytes)
Dec 23 12:04:24 15[NET] received packet: from *.*.*.* [4500] to 192.168.88.18[37418] (76 bytes)
Dec 23 12:04:24 15[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Dec 23 12:04:24 15[IKE] <b><font color="#cc0000">received EAP_FAILURE, EAP authentication failed</font></b>
Dec 23 12:04:24 15[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Dec 23 12:04:24 15[NET] sending packet: from 192.168.88.18[37418] to *.*.*.* [4500] (76 bytes)</pre></div><div><br></div><div><b><br></b></div><div><b>SYSTEM INFORMATION:</b></div><div><b><br></b></div><div><div><b>uname -a</b></div><div>Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux</div></div><div><b><br></b></div><div><b>ipsec --version</b><br><div><b><br></b></div><div>Linux strongSwan U5.2.1/K3.16.0-4-amd64</div></div><div><br></div><div><div><b>ipsec listplugins | grep EAP</b></div><div><b><br></b></div><div> EAP_SERVER:ID</div><div> EAP_CLIENT:ID</div><div> EAP_SERVER:AKA</div><div> EAP_CLIENT:AKA</div><div> EAP_SERVER:MD5</div><div> EAP_CLIENT:MD5</div><div> EAP_SERVER:GTC</div><div> EAP_CLIENT:GTC</div><div> EAP_SERVER:MSCHAPV2</div><div> EAP_CLIENT:MSCHAPV2</div><div> EAP_SERVER:RAD</div><div> EAP_SERVER:TLS</div><div> EAP_CLIENT:TLS</div><div> EAP_SERVER:TTLS</div><div> EAP_SERVER:ID</div><div> EAP_CLIENT:TTLS</div><div> EAP_CLIENT:ID</div><div> EAP_SERVER:TNC</div><div> EAP_SERVER:TTLS</div><div> EAP_CLIENT:TNC</div><div> EAP_CLIENT:TTLS</div><div> EAP_SERVER:PT</div><div> EAP_SERVER:TTLS</div><div> EAP_CLIENT:PT</div><div> EAP_CLIENT:TTLS</div></div><div><br></div><div><div><b>ipsec statusall</b></div><div><b><br></b></div><div>Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):</div><div> uptime: 2 days, since Dec 20 19:40:27 2016</div><div> malloc: sbrk 2555904, mmap 0, used 421888, free 2134016</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0</div><div> loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs</div><div>7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve</div><div> socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls e</div><div>ap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrb</div><div>lock unity</div><div>Virtual IP pools (size/online/offline):</div><div> <a href="http://10.9.0.0/24">10.9.0.0/24</a>: 254/0/0</div><div>Listening IP addresses:</div><div> *.*.*.*</div><div> *.*.*.*</div><div>Connections:</div><div> client: %any...%any IKEv2, dpddelay=30s</div><div> client: local: [*.*] uses public key authentication</div><div> client: cert: "C=CA, O=Example, CN=*.*"</div><div> client: remote: uses EAP_RADIUS authentication with EAP identity '%any'</div><div> client: child: <a href="http://0.0.0.0/0">0.0.0.0/0</a> === dynamic TUNNEL, dpdaction=clear</div><div>Security Associations (0 up, 0 connecting):</div><div> none</div></div><div><br></div><div><br></div><div><b>Thank you!</b></div></div>