<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV> </DIV>
<DIV>Hello.</DIV>
<DIV> </DIV>
<DIV>I am novice here.</DIV>
<DIV>I am a Korean , </DIV>
<DIV>I am clumsy in English, so forgive me if I make misstyping.</DIV>
<DIV> </DIV>
<DIV>I have installed IKEv2 server on debian jessie. (<SPAN lang=EN-US
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en-us; mso-fareast-language: ko; mso-bidi-language: ar-sa; mso-bidi-font-size: 12.0pt'><FONT
style="face: ¹ÙÅÁ"><FONT
style="FONT-SIZE: 10pt">strongswan-5.5.1)</FONT></FONT></SPAN></DIV>
<DIV><SPAN lang=EN-US
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en-us; mso-fareast-language: ko; mso-bidi-language: ar-sa; mso-bidi-font-size: 12.0pt'><FONT
style="size: 2" face=¹ÙÅÁ></FONT></SPAN> </DIV>
<DIV><SPAN lang=EN-US
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en-us; mso-fareast-language: ko; mso-bidi-language: ar-sa; mso-bidi-font-size: 12.0pt'><FONT
style="size: 2" face=¹ÙÅÁ>I have complied as belows</FONT></SPAN></DIV>
<DIV><SPAN lang=EN-US
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en-us; mso-fareast-language: ko; mso-bidi-language: ar-sa; mso-bidi-font-size: 12.0pt'><FONT
style="size: 2" face=¹ÙÅÁ></FONT></SPAN> </DIV>
<DIV>./configure --prefix=/usr --sysconfdir=/etc --enable-openssl \</DIV>
<DIV>--disable-mysql --disable-ldap \</DIV>
<DIV>--disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 \</DIV>
<DIV>--enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc \</DIV>
<DIV>--enable-eap-identity --enable-eap-md5 --enable-eap-peap \</DIV>
<DIV>--enable-eap-radius --enable-eap-sim --enable-eap-sim-file \</DIV>
<DIV>--enable-eap-simaka-pseudonym --enable-eap-simaka-reauth \</DIV>
<DIV>--enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc
--enable-eap-ttls</DIV>
<DIV><SPAN lang=EN-US
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en-us; mso-fareast-language: ko; mso-bidi-language: ar-sa; mso-bidi-font-size: 12.0pt'></SPAN><SPAN
lang=EN-US
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en-us; mso-fareast-language: ko; mso-bidi-language: ar-sa; mso-bidi-font-size: 12.0pt'><FONT
style="size: 2" face=¹ÙÅÁ></FONT></SPAN> </DIV>
<DIV><SPAN lang=EN-US
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en-us; mso-fareast-language: ko; mso-bidi-language: ar-sa; mso-bidi-font-size: 12.0pt'><FONT
style="size: 2" face=¹ÙÅÁ></FONT></SPAN> </DIV>
<DIV>I can connect to my ikev2 server from Windows and IPad using
ipsec.secrets.(eap-mschapv2)</DIV>
<DIV> </DIV>
<DIV>1) ipsec.conf</DIV>
<DIV> </DIV>
<DIV>config setup</DIV>
<DIV> charondebug="ike 2, cfg 2"</DIV>
<DIV> strictcrlpolicy=no</DIV>
<DIV> uniqueids = no</DIV>
<DIV> </DIV>
<DIV>conn %default</DIV>
<DIV> mobike=yes</DIV>
<DIV> dpdaction=restart</DIV>
<DIV> closeaction=restart</DIV>
<DIV> dpddelay=40s</DIV>
<DIV> dpdtimeout=160s</DIV>
<DIV> fragmentation=yes</DIV>
<DIV> rekey=no</DIV>
<DIV> reauth=yes</DIV>
<DIV> keyexchange=ikev2</DIV>
<DIV> auto=add</DIV>
<DIV> </DIV>
<DIV>conn window</DIV>
<DIV> forceencaps=yes</DIV>
<DIV> #left=%any</DIV>
<DIV> left=ibex.coreavpn.net</DIV>
<DIV> leftsubnet=0.0.0.0/0</DIV>
<DIV> leftauth=pubkey</DIV>
<DIV>
leftcert=/etc/ssl/private/vpn-server.crt</DIV>
<DIV> leftsendcert=always</DIV>
<DIV> right=%any</DIV>
<DIV>
rightsourceip=172.25.2.0/16</DIV>
<DIV>
rightauth=eap-mschapv2 </DIV>
<DIV> rightsendcert=never</DIV>
<DIV>
rightdns=168.126.63.1,203.248.252.2</DIV>
<DIV> eap_identity=%any</DIV>
<DIV>
leftupdown=/etc/strongswan.d/proxyndp.updown</DIV>
<DIV> </DIV>
<DIV>conn ios</DIV>
<DIV> left=%any</DIV>
<DIV> leftsubnet=0.0.0.0/0</DIV>
<DIV> leftauth=psk</DIV>
<DIV>
leftid=ibex.coreavpn.server</DIV>
<DIV> right=%any</DIV>
<DIV>
rightsourceip=172.25.10.0/24</DIV>
<DIV> rightauth=eap-mschapv2</DIV>
<DIV> rightid=%any</DIV>
<DIV> eap_identity=%any</DIV>
<DIV> </DIV>
<DIV>2. ipsec.secrets</DIV>
<DIV> </DIV>
<DIV>include /var/lib/strongswan/ipsec.secrets.inc</DIV>
<DIV> </DIV>
<DIV>%any %any : PSK "korea"</DIV>
<DIV> </DIV>
<DIV># startssl key</DIV>
<DIV>: RSA /etc/ipsec.d/private/privatekey.pem</DIV>
<DIV> </DIV>
<DIV>churl : EAP "eunsol001"</DIV>
<DIV>churl2 : EAP "eunsol001"</DIV>
<DIV> </DIV>
<DIV>-------------------------------------------------</DIV>
<DIV>But because I want to service ikev2 to many, </DIV>
<DIV>I am trying to use freeradius server to authorize users.</DIV>
<DIV> </DIV>
<DIV>I have installed freeradius-3.0.14</DIV>
<DIV> </DIV>
<DIV>and when I test radius , it is ok.</DIV>
<DIV> </DIV>
<DIV><B style="mso-bidi-font-weight: normal"><SPAN lang=EN
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en; mso-fareast-language: ko; mso-bidi-language: ar-sa'><FONT
style="face: ¹ÙÅÁ"><FONT style="FONT-SIZE: 11pt">/usr/bin/radtest -t mschap -4
churl eunsol001 127.0.0.1 10 Korea</FONT></FONT></SPAN></B></DIV>
<DIV><B style="mso-bidi-font-weight: normal"><SPAN lang=EN
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en; mso-fareast-language: ko; mso-bidi-language: ar-sa'><FONT
style="face: ¹ÙÅÁ"></FONT></SPAN></B> </DIV>
<DIV><B style="mso-bidi-font-weight: normal"><SPAN lang=EN
style='FONT-FAMILY: ; mso-hansi-font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-ansi-language: en; mso-fareast-language: ko; mso-bidi-language: ar-sa'><FONT
style="face: ¹ÙÅÁ"></FONT></SPAN></B> </DIV>
<DIV>Sent Access-Request Id 121 from 0.0.0.0:36605 to 127.0.0.1:1812 length
131</DIV>
<DIV> User-Name = "churl"</DIV>
<DIV> MS-CHAP-Password =
"eunsol001"</DIV>
<DIV> NAS-IP-Address =
192.168.0.200</DIV>
<DIV> NAS-Port = 10</DIV>
<DIV> Message-Authenticator =
0x00</DIV>
<DIV> Cleartext-Password =
"eunsol001"</DIV>
<DIV> MS-CHAP-Challenge =
0xf3d8c2f26a62a9de</DIV>
<DIV> MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000a934</DIV>
<DIV>ba3b3497d80246c74a769837ad615db380220677bcaa</DIV>
<DIV>Received Access-Accept Id 121 from 127.0.0.1:1812 to 0.0.0.0:0 length
84</DIV>
<DIV> MS-CHAP-MPPE-Keys =
0xa73cfdd5b6b82abd9519ba2ab1528f24767f2c03b64941ae</DIV>
<DIV> MS-MPPE-Encryption-Policy =
Encryption-Allowed</DIV>
<DIV> MS-MPPE-Encryption-Types =
RC4-40or128-bit-Allowed</DIV>
<DIV> </DIV>
<DIV>So I changed ipsec.conf</DIV>
<DIV> </DIV>
<DIV>rightauth=eap-mschapv2 ->
rightauth=eap-radius</DIV>
<DIV> </DIV>
<DIV>3) strongswan.conf</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>plugins {</DIV>
<DIV>
include strongswan.d/charon/*.conf</DIV>
<DIV> </DIV>
<DIV>
eap-radius {</DIV>
<DIV>
class_group = yes</DIV>
<DIV>
eap_start = yes</DIV>
<DIV>
servers {</DIV>
<DIV>
primary {</DIV>
<DIV>
address = 127.0.0.1</DIV>
<DIV>
secret = Corea</DIV>
<DIV>
nas_identifer = ipsec-gateway</DIV>
<DIV>
sockets = 20</DIV>
<DIV>
preference = 99</DIV>
<DIV>
}</DIV>
<DIV>
}</DIV>
<DIV>
}</DIV>
<DIV> </DIV>
<DIV> }</DIV>
<DIV> </DIV>
<DIV>4) /etc/freeradius/users</DIV>
<DIV> </DIV>
<DIV> churl Cleartext-Password := "eunsol001"</DIV>
<DIV> </DIV>
<DIV>5) /etc/freeradius/clients.conf</DIV>
<DIV> </DIV>
<DIV> ipaddr = 127.0.0.1</DIV>
<DIV>secret = Corea</DIV>
<DIV> </DIV>
<DIV>After changing, I can not connect Ike server from both windows and
ios.</DIV>
<DIV> </DIV>
<DIV>Below is error log.</DIV>
<DIV> </DIV>
<DIV>1. ike server log</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>-----</DIV>
<DIV>Mar 24 09:52:27 lynx charon: 11[CFG] RADIUS server 'primary' is candidate:
199</DIV>
<DIV>Mar 24 09:52:27 lynx charon: 11[CFG] sending RADIUS Access-Request to
server 'primary'</DIV>
<DIV>Mar 24 09:52:29 lynx charon: 11[CFG] retransmit 1 of RADIUS Access-Request
(timeout:</DIV>
<DIV>2.8s)</DIV>
<DIV>Mar 24 09:52:30 lynx charon: 14[MGR] ignoring request with ID 2, already
processing</DIV>
<DIV>Mar 24 09:52:32 lynx charon: 11[CFG] retransmit 2 of RADIUS Access-Request
(timeout:</DIV>
<DIV>3.9s)</DIV>
<DIV>Mar 24 09:52:33 lynx charon: 05[MGR] ignoring request with ID 2, already
processing</DIV>
<DIV>Mar 24 09:52:35 lynx charon: 11[CFG] retransmit 3 of RADIUS Access-Request
(timeout:</DIV>
<DIV>5.5s)</DIV>
<DIV>Mar 24 09:52:36 lynx charon: 07[MGR] ignoring request with ID 2, already
processing</DIV>
<DIV>Mar 24 09:52:41 lynx charon: 11[CFG] RADIUS Access-Request timed out after
4 attempts</DIV>
<DIV>Mar 24 09:52:41 lynx charon: 11[IKE] initiating EAP_RADIUS method
failed</DIV>
<DIV>Mar 24 09:52:41 lynx charon: 11[ENC] generating IKE_AUTH response 2 [
EAP/FAIL ]</DIV>
<DIV>Mar 24 09:52:41 lynx charon: 11[NET] sending packet: from
220.93.109.90[4500] to 14.4</DIV>
<DIV>0.64.197[4500] (68 bytes)</DIV>
<DIV>Mar 24 09:52:41 lynx charon: 11[IKE] IKE_SA ios[5] state change: CONNECTING
=> DESTRO</DIV>
<DIV>YING</DIV>
<DIV> </DIV>
<DIV></DIV>
<DIV>2. radius.log</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Fri Mar 24 08:55:37 2017 : Info: Dropping packet without response because
of error: P</DIV>
<DIV>ossible DoS attack from host 127.0.0.1: Too many attributes in request
(received 201,</DIV>
<DIV>max 200 are allowed).</DIV>
<DIV>Fri Mar 24 08:55:39 2017 : Info: Dropping packet without response because
of error: P</DIV>
<DIV>ossible DoS attack from host 127.0.0.1: Too many attributes in request
(received 201,</DIV>
<DIV>max 200 are allowed).</DIV>
<DIV>Fri Mar 24 08:55:42 2017 : Info: Dropping packet without response because
of error: P</DIV>
<DIV>ossible DoS attack from host 127.0.0.1: Too many attributes in request
(received 201,</DIV>
<DIV>max 200 are allowed).</DIV>
<DIV>Fri Mar 24 08:55:45 2017 : Info: Dropping packet without response because
of error: P</DIV>
<DIV>ossible DoS attack from host 127.0.0.1: Too many attributes in request
(received 201,</DIV>
<DIV>max 200 are allowed).</DIV>
<DIV> </DIV>
<DIV>What is wrong?</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">-----------------------------<BR>(ÁÖ)¸®´ª½º·¦(LinuxLab
Inc.)<BR>´ëÇ¥ÀÌ»ç ¹èö¼ö(CEO, Bae Cheolsu)<BR>ceo@linuxlab.kr,
http://ceo.linuxlab.kr<BR><BR>ÁÖ¼Ò : ¼¿ï ±¤Áø±¸ ÀÚ¾ç1µ¿ ¿µ¼ºôµù 307È£<BR>Çѱ¹ ÀüÈ :
02-456-4551<BR>Áß±¹ ÀüÈ : 0532)6685-3964<BR>http://linuxlab.kr,
http://pptp.kr<BR>================================================<BR></DIV></DIV></DIV></BODY></HTML>