[strongSwan-dev] [IKE] loading EAP_RADIUS method failed

yordanos beyene yordanosb at gmail.com
Tue Sep 4 20:03:55 CEST 2012


Hi SS team,

I finally resolved the SS5 kernel error with Martin's tips, and charon is up
and running. I can establish site-to-site tunnels with IKEv1 and IKEv2.
Remote VPN works with users authenticated locally. But I can't get users to
authenticate via eap-radius.

Here is the error message:
Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed

Can you please provide me with any tips? Did I miss any plugins?

I have included vpn logs and configuration details below.

Thanks as always for your help.

Jordan.

vpn.log:

Sep  5 01:11:36 00[DMN] loaded plugins: charon random nonce x509 revocation
constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr
kernel-netlink resolve socket-default stroke updown xauth-generic xauth-eap
openssl eap-identity sha1 fips-prf eap-mschapv2 eap-radius eap-md5 eap-aka
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
Sep  5 01:11:36 00[JOB] spawning 16 worker threads
Sep  5 01:11:36 14[CFG] received stroke: add connection 'rw-ikev2'
Sep  5 01:11:36 14[CFG]   loaded certificate "C=US, ST=CA, O=RS, OU=SPG, CN=
zeus.test.com, E=zeus at test.com" from 'zeus2.pem'
Sep  5 01:11:36 14[CFG] added configuration 'rw-ikev2'
Sep  5 01:11:36 14[CFG] adding virtual IP address pool 'rw-ikev2':
192.16.80.10/24
Sep  5 01:11:47 12[NET] received packet: from 172.16.50.20[500] to
172.16.20.2[500]
Sep  5 01:11:47 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
Sep  5 01:11:47 12[IKE] 172.16.50.20 is initiating an IKE_SA
Sep  5 01:11:47 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep  5 01:11:47 12[NET] sending packet: from 172.16.20.2[500] to
172.16.50.20[500]
Sep  5 01:11:47 10[NET] received packet: from 172.16.50.20[4500] to
172.16.20.2[4500]
Sep  5 01:11:47 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ
N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
Sep  5 01:11:47 10[IKE] received 34 cert requests for an unknown ca
Sep  5 01:11:47 10[CFG] looking for peer configs matching
172.16.20.2[%any]...172.16.50.20[172.16.50.20]
Sep  5 01:11:47 10[CFG] selected peer config 'rw-ikev2'
Sep  5 01:11:47 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep  5 01:11:47 10[IKE] peer supports MOBIKE, but disabled in config
Sep  5 01:11:47 10[IKE] authentication of 'zeus.hp.com' (myself) with RSA
signature successful
Sep  5 01:11:47 10[IKE] sending end entity cert "C=US, ST=CA, O=RS, OU=SPG,
CN=zeus.test.com, E=zeus at test.com"
Sep  5 01:11:47 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH
EAP/REQ/ID ]
Sep  5 01:11:47 10[NET] sending packet: from 172.16.20.2[4500] to
172.16.50.20[4500]
Sep  5 01:11:47 15[NET] received packet: from 172.16.50.20[4500] to
172.16.20.2[4500]
Sep  5 01:11:47 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
Sep  5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Sep  5 01:11:47 15[NET] sending packet: from 172.16.20.2[4500] to
172.16.50.20[4500]

ipsec.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        mobike=no

conn rw-ikev2
        keyexchange=ikev2
        left=172.16.20.2
        leftcert=zeus2.pem
        leftid=@zeus.test.com
        leftauth=pubkey
        leftsubnet=172.16.40.0/24
        right=%any
        rightsourceip=192.16.80.10/24
        rightauth=eap-radius
        eap_identity=%any
        auto=add
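
A triage sketch for the log above, added here as an example and not part of the original post or of strongSwan: it re-joins the mail-wrapped log lines, then checks whether the plugin for each failed EAP method appears in the "loaded plugins" line. The mapping from EAP_RADIUS to the plugin name eap-radius is an assumption based on the plugin names visible in the log.

```python
import re

# Excerpt of the vpn.log quoted in the post, mail line-wrapping included.
SAMPLE_LOG = """\
Sep  5 01:11:36 00[DMN] loaded plugins: charon random nonce x509 revocation
constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr
kernel-netlink resolve socket-default stroke updown xauth-generic xauth-eap
openssl eap-identity sha1 fips-prf eap-mschapv2 eap-radius eap-md5 eap-aka
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
Sep  5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\d+)\[(\w+)\] (.*)$")

def unwrap(text):
    """Join mail-wrapped continuation lines onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line)
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return one finding per 'loading EAP_* method failed' entry."""
    plugins, identity, findings = set(), {}, []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        when, thread, group, msg = m.groups()
        if msg.startswith("loaded plugins:"):
            plugins = set(msg.split(":", 1)[1].split())
        elif (i := re.match(r"received EAP identity '(.*)'$", msg)):
            identity[thread] = i.group(1)  # keyed by worker thread number
        elif (f := re.match(r"loading (EAP_\w+) method failed$", msg)):
            # Assumption: plugin name is the method name lowercased, '_' -> '-'.
            plugin = f.group(1).lower().replace("_", "-")
            findings.append({"time": when, "identity": identity.get(thread),
                             "method": f.group(1), "plugin": plugin,
                             "plugin_loaded": plugin in plugins})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For this log the single finding has plugin_loaded set to True: eap-radius is in the loaded list, so the plugin list alone does not account for the failure.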