<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta name="x_Generator" content="Microsoft Word 15 (filtered medium)">
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:x_link, span.x_MsoHyperlink
{color:blue;
text-decoration:underline}
a:x_visited, span.x_MsoHyperlinkFollowed
{color:#954F72;
text-decoration:underline}
.x_MsoChpDefault
{}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
{}
-->
</style>
<div lang="EN-US" link="blue" vlink="#954F72">
<div class="x_WordSection1">
<p class="x_MsoNormal">Thanks. Here is swanctl –stats (after a service restart). 2 charon_debug logfiles attached, one with a successful connection (the userid in question at the end of the list) and one with a failed connection (userid in question at the front
of the list).</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Xunil/var/log# swanctl --stats</p>
<p class="x_MsoNormal">uptime: 10 seconds, since Nov 29 11:11:07 2017</p>
<p class="x_MsoNormal">worker threads: 16 total, 11 idle, working: 4/0/1/0</p>
<p class="x_MsoNormal">job queues: 0/0/0/0</p>
<p class="x_MsoNormal">jobs scheduled: 0</p>
<p class="x_MsoNormal">IKE_SAs: 0 total, 0 half-open</p>
<p class="x_MsoNormal">mallinfo: sbrk 2564096, mmap 0, used 401792, free 2162304</p>
<p class="x_MsoNormal">loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink
resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-tls xauth-generic</p>
<p class="x_MsoNormal">Xunil/var/log# </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="border:none; padding:0in"><b>From: </b><a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting">Noel Kuntze</a><br>
<b>Sent: </b>Wednesday, November 29, 2017 10:31 AM<br>
<b>To: </b><a href="mailto:bls3427@outlook.com">bls s</a>; <a href="mailto:users@lists.strongswan.org">
users@lists.strongswan.org</a><br>
<b>Subject: </b>Re: [strongSwan] swanctl.conf EAP credential information</p>
</div>
<p class="x_MsoNormal"> </p>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hi,<br>
<br>
Please provide a log file created with the logger configuration from the HelpRequests[1] page<br>
and the output of `swanctl --stats`.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br>
<br>
On 29.11.2017 19:27, bls s wrote:<br>
><br>
> Curiously, if eap-user1 is at the end of the list, it authenticates correctly, but not if first or second in the list.<br>
><br>
> <br>
><br>
> *From: *bls s <<a href="mailto:bls3427@outlook.com">mailto:bls3427@outlook.com</a>><br>
> *Sent: *Tuesday, November 28, 2017 4:43 PM<br>
> *To: *users@lists.strongswan.org <<a href="mailto:users@lists.strongswan.org">mailto:users@lists.strongswan.org</a>><br>
> *Subject: *[strongSwan] swanctl.conf EAP credential information<br>
><br>
> <br>
><br>
> I’m switching over from using IPsec.conf to charon-systemd. Everything is working for the first user, but I have run into a strange issue (or a dumb user error!) with the ‘secrets’ section when trying to implement multiple eap passwords.<br>
><br>
> <br>
><br>
> If my secrets section has only one eap id/password in it, the client authenticates correctly. But, if the secrets section has more than one eap id/password in it, the MSCHAPv2 authentication fails.<br>
><br>
> <br>
><br>
> Here’s the failing configuration. If I remove the 2^nd and 3^rd entries, user1 works correctly. However, using the full secrets section below, user1 fails to authenticate.<br>
><br>
> <br>
><br>
> connections {<br>
><br>
> <br>
><br>
> ikev2-eap-mschapv2 {<br>
><br>
> version = 2<br>
><br>
> # proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default<br>
><br>
> proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default<br>
><br>
> rekey_time = 0s<br>
><br>
> pools = primary-pool-ipv4<br>
><br>
> fragmentation = yes<br>
><br>
> dpd_delay = 30s<br>
><br>
> mobike = yes<br>
><br>
> <br>
><br>
> local-1 {<br>
><br>
> certs = strongswanCert.pem<br>
><br>
> id = serverid1<br>
><br>
> auth = psk<br>
><br>
> }<br>
><br>
> <br>
><br>
> remote-1 {<br>
><br>
> auth = eap-mschapv2<br>
><br>
> id = clientid1<br>
><br>
> eap_id = %any<br>
><br>
> }<br>
><br>
> <br>
><br>
> children {<br>
><br>
> ikev2-eap-mschapv2 {<br>
><br>
> local_ts = 0.0.0.0/0<br>
><br>
> rekey_time = 0s<br>
><br>
> dpd_action = clear<br>
><br>
> # esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default<br>
><br>
> esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default<br>
><br>
> # updown = /libexec/ipsec/_updown iptables<br>
><br>
> }<br>
><br>
> }<br>
><br>
> }<br>
><br>
> ikev2-pubkey {<br>
><br>
> version = 2<br>
><br>
> proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default<br>
><br>
> rekey_time = 0s<br>
><br>
> pools = primary-pool-ipv4<br>
><br>
> fragmentation = yes<br>
><br>
> dpd_delay = 30s<br>
><br>
> <br>
><br>
> local-1 {<br>
><br>
> certs = vpnHostCert.pem<br>
><br>
> id = server1<br>
><br>
> }<br>
><br>
> <br>
><br>
> remote-1 { # defaults are fine<br>
><br>
> }<br>
><br>
> <br>
><br>
> children {<br>
><br>
> ikev2-pubkey {<br>
><br>
> local_ts = 0.0.0.0/0<br>
><br>
> rekey_time = 0s<br>
><br>
> dpd_action = clear<br>
><br>
> esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default<br>
><br>
> }<br>
><br>
> }<br>
><br>
> }<br>
><br>
> }<br>
><br>
> pools {<br>
><br>
> primary-pool-ipv4 {<br>
><br>
> addrs = 10.92.10.0/24<br>
><br>
> dns = 192.168.92.3, 8.8.8.8<br>
><br>
> }<br>
><br>
> }<br>
><br>
> <br>
><br>
> secrets {<br>
><br>
> ike-psk {<br>
><br>
> secret=somepsk<br>
><br>
> }<br>
><br>
> eap-user1@mydomain.com <<a href="mailto:eap-user1@mydomain.com">mailto:eap-user1@mydomain.com</a>> {<br>
><br>
> id = user1@mydomain.com<br>
><br>
> secret=secret1<br>
><br>
> }<br>
><br>
> eap-user2@mydomain.com <<a href="mailto:eap-user2@mydomain.com">mailto:eap-user2@mydomain.com</a>> {<br>
><br>
> id = user2@mydomain.com<br>
><br>
> secret=secret2<br>
><br>
> }<br>
><br>
> eap-user3@mydomain.com <<a href="mailto:eap-user3@mydomain.com">mailto:eap-user3@mydomain.com</a>> {<br>
><br>
> id = user3@mydomain.com<br>
><br>
> secret=secret3<br>
><br>
> }<br>
><br>
> <br>
><br>
> <br>
><br>
</div>
</span></font>
</body>
</html>