<div dir="ltr">Hallo Michael,<div><br></div><div><br></div><div>Thanks for your reply. Indeed I should have checked the radius log. It seems the shared secret is incorrect, but there do match in configs as pasted below. </div><div>Where else could the secret have been used that I have missed? Thanks</div><div><br></div><div><b><font face="monospace, monospace">vim /var/log/freeradius/radius.log</font></b></div><div><font face="monospace, monospace"><br></font></div><div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server <default></font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:50 2017 : Info: Ready to process requests</font></div><div><font face="monospace, monospace">Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><b>vim /etc/strongswan.conf</b><br></font></div><div><font face="monospace, monospace"><br></font></div><div><div><font face="monospace, monospace">charon {</font></div><div><font face="monospace, monospace"> load_modular = yes</font></div><div><font face="monospace, monospace"> compress = yes</font></div><div><font face="monospace, monospace"> plugins {</font></div><div><font face="monospace, monospace"> include strongswan.d/charon/*.conf</font></div><div><font face="monospace, monospace"> eap-radius {</font></div><div><font face="monospace, monospace"> servers {</font></div><div><font face="monospace, monospace"> server-a {</font></div><div><font face="monospace, monospace"> accounting = yes</font></div><div><font face="monospace, monospace"> secret = 123456</font></div><div><font face="monospace, monospace"> address = 127.0.0.1</font></div><div><font face="monospace, monospace"> auth_port = 1812</font></div><div><font face="monospace, monospace"> acct_port = 1813</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"> }</font></div><div><font face="monospace, monospace"> include strongswan.d/*.conf</font></div><div><font face="monospace, monospace">}</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><b>vim /etc/freeradius/clients.conf</b><br></font></div><div><font face="monospace, monospace"><br></font></div><div><div><font face="monospace, monospace">client 0.0.0.0 {</font></div><div><font face="monospace, monospace"> secret = 123456</font></div><div><font face="monospace, monospace"> nas_type = other</font></div><div><font face="monospace, monospace"> shortname = 0.0.0.0</font></div><div><font face="monospace, monospace"> require_message_authenticator = no</font></div><div><font face="monospace, monospace">}</font></div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <span dir="ltr"><<a href="mailto:ms@sys4.de" target="_blank">ms@sys4.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Am 15.11.2017 um 08:24 schrieb Houman:<br>
> Hi,<br>
><br>
> I'm new to the concept of EAP and might be misunderstanding something.<br>
> Apologies up front.<br>
><br>
> I have finally been able to install FreeRadius and enable the SQL module.<br>
> I have created a user in the database and was hoping to establish a VPN<br>
> connection via that user.<br>
><br>
> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES<br>
> ('houman','Cleartext-Password'<wbr>,':=','test123');<br>
><br>
><br>
> When I try to connect from my MacBook into the StrongSwan server I get this<br>
> log. It looks promising but eventually, it says initiating EAP_RADIUS<br>
> method failed.<br>
><br>
> I'm not quite sure if this has failed due a bad configuration on my side or<br>
> it is for other reasons that I don't quite understand how EAP should work.<br>
><br>
> Please be so kind and advise,<br>
> Thanks,<br>
> Houman<br>
><br>
><br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from<br>
> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0<br>
> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating<br>
> an IKE_SA<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,<br>
> sending keep alives<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT<br>
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from<br>
> 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from<br>
> 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [<br>
> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6<br>
> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs<br>
> matching 172.31.9.51[<a href="http://vpn2.t.com" rel="noreferrer" target="_blank">vpn2.t.com</a>]...88.<wbr>98.201.107[<a href="http://vpn2.t.com" rel="noreferrer" target="_blank">vpn2.t.com</a>]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config<br>
> 'roadwarrior'<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY<br>
> method (id 0x00)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received<br>
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of '<a href="http://vpn2.t.com" rel="noreferrer" target="_blank">vpn2.t.com</a>'<br>
> (myself) with RSA signature successful<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=<br>
> <a href="http://vpn2.t.com" rel="noreferrer" target="_blank">vpn2.t.com</a>"<br>
</div></div><div><div class="h5">> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,<br>
> O=Let's Encrypt, CN=Let's Encrypt Authority X3"<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with<br>
> length of 3334 bytes into 7 fragments<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ EF(1/7) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ EF(2/7) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ EF(3/7) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ EF(4/7) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ EF(5/7) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ EF(6/7) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response<br>
> 1 [ EF(7/7) ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from<br>
> 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET]<br>
> sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from<br>
> 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from<br>
> 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [<br>
> EAP/RES/ID ]<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity<br>
> 'houman'<br>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS<br>
> Access-Request to server 'server-a'<br>
> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS<br>
> Access-Request (timeout: 2.8s)<br>
> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,<br>
> already processing<br>
> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS<br>
> Access-Request (timeout: 3.9s)<br>
> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2,<br>
> already processing<br>
> Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS<br>
> Access-Request (timeout: 5.5s)<br>
> Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2,<br>
> already processing<br>
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed<br>
> out after 4 attempts<br>
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method<br>
> failed<br>
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response<br>
> 2 [ EAP/FAIL ]<br>
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from<br>
> 172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)<br>
><br>
</div></div>It seems that your RADIUS server does not behave properly.<br>
<br>
Is the server online?<br>
<br>
Is the RADIUS service running?<br>
<br>
What are the logs of the RADIUS server, or in other words, what is the<br>
output of freeradius -X?<br>
<br>
<br>
Mit freundlichen Grüßen,<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
<br>
[*] sys4 AG<br>
<br>
<a href="https://sys4.de" rel="noreferrer" target="_blank">https://sys4.de</a>, <a href="tel:%2B49%20%2889%29%2030%2090%2046%2064" value="+498930904664">+49 (89) 30 90 46 64</a><br>
Schleißheimer Straße 26/MG,80333 München<br>
<br>
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263<br>
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief<br>
Aufsichtsratsvorsitzender: Florian Kirstein<br>
<br>
<br>
</font></span></blockquote></div><br></div>