[strongSwan-dev] [IKE] loading EAP_RADIUS method failed

yordanos beyene yordanosb at gmail.com
Wed Sep 5 06:01:32 CEST 2012


Hi Again,

In fact I see eap-radius configuration in strongswan.conf is not picked up.
          Sep  5 10:42:01 00[CFG] loaded 0 RADIUS server configurations

See the log below when I just started ipsec. I appreciate any tips why
Radius server configuration is not loaded.

Sep  5 10:42:01 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux
2.6.34, x86_64)
Sep  5 10:42:01 00[KNL] listening on interfaces:
Sep  5 10:42:01 00[KNL]   fpn0
Sep  5 10:42:01 00[KNL]     fe80::200:46ff:fe50:4e00
Sep  5 10:42:01 00[KNL]   ethernet1
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b96
Sep  5 10:42:01 00[KNL]   ethernet2
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b97
Sep  5 10:42:01 00[KNL]   ethernet3
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b98
Sep  5 10:42:01 00[KNL]   ethernet4
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b99
Sep  5 10:42:01 00[KNL]   ethernet5
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9a
Sep  5 10:42:01 00[KNL]   ethernet6
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9b
Sep  5 10:42:01 00[KNL]   ethernet7
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9c
Sep  5 10:42:01 00[KNL]   ethernet8
Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9d
Sep  5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
Sep  5 10:42:01 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  5 10:42:01 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  5 10:42:01 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Sep  5 10:42:01 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Sep  5 10:42:01 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  5 10:42:01 00[CFG] loading secrets from '/etc/ipsec.secrets'
....
Thanks!
Jordan.
On Tue, Sep 4, 2012 at 11:03 AM, yordanos beyene <yordanosb at gmail.com> wrote:

> Hi SS team,
>
> I finally resolved the SS5 kernel error with Martin's tips, and charon is up
> and running. I can establish site-to-site tunnels with IKEv1 and IKEv2.
> Remote vpn works with users authenticated locally. But I can't get users to
> authenticate via eap-radius.
>
> Here is the error message:
> Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
> Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
>
> Can you please provide me any tips? Did I miss any plugins?
>
> I have included vpn logs and configuration details below.
>
> Thanks as always for your help.
>
> Jordan.
> vpn.log:
>
> Sep  5 01:11:36 00[DMN] loaded plugins: charon random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac
> attr kernel-netlink resolve socket-default stroke updown xauth-generic
> xauth-eap openssl eap-identity sha1 fips-prf eap-mschapv2 eap-radius
> eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
> Sep  5 01:11:36 00[JOB] spawning 16 worker threads
> Sep  5 01:11:36 14[CFG] received stroke: add connection 'rw-ikev2'
> Sep  5 01:11:36 14[CFG]   loaded certificate "C=US, ST=CA, O=RS, OU=SPG,
> CN=zeus.test.com, E=zeus at test.com" from 'zeus2.pem'
> Sep  5 01:11:36 14[CFG] added configuration 'rw-ikev2'
> Sep  5 01:11:36 14[CFG] adding virtual IP address pool 'rw-ikev2':
> 192.16.80.10/24
> Sep  5 01:11:47 12[NET] received packet: from 172.16.50.20[500] to
> 172.16.20.2[500]
> Sep  5 01:11:47 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) ]
> Sep  5 01:11:47 12[IKE] 172.16.50.20 is initiating an IKE_SA
> Sep  5 01:11:47 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Sep  5 01:11:47 12[NET] sending packet: from 172.16.20.2[500] to
> 172.16.50.20[500]
> Sep  5 01:11:47 10[NET] received packet: from 172.16.50.20[4500] to
> 172.16.20.2[4500]
> Sep  5 01:11:47 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ
> N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
> Sep  5 01:11:47 10[IKE] received 34 cert requests for an unknown ca
> Sep  5 01:11:47 10[CFG] looking for peer configs matching
> 172.16.20.2[%any]...172.16.50.20[172.16.50.20]
> Sep  5 01:11:47 10[CFG] selected peer config 'rw-ikev2'
> Sep  5 01:11:47 10[IKE] initiating EAP_IDENTITY method (id 0x00)
> Sep  5 01:11:47 10[IKE] peer supports MOBIKE, but disabled in config
> Sep  5 01:11:47 10[IKE] authentication of 'zeus.hp.com' (myself) with RSA
> signature successful
> Sep  5 01:11:47 10[IKE] sending end entity cert "C=US, ST=CA, O=RS,
> OU=SPG, CN=zeus.test.com, E=zeus at test.com"
> Sep  5 01:11:47 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH
> EAP/REQ/ID ]
> Sep  5 01:11:47 10[NET] sending packet: from 172.16.20.2[4500] to
> 172.16.50.20[4500]
> Sep  5 01:11:47 15[NET] received packet: from 172.16.50.20[4500] to
> 172.16.20.2[4500]
> Sep  5 01:11:47 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
> Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
> Sep  5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
> Sep  5 01:11:47 15[NET] sending packet: from 172.16.20.2[4500] to
> 172.16.50.20[4500]
>
> ipsec.conf
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         mobike=no
>
> conn rw-ikev2
>         keyexchange=ikev2
>         left=172.16.20.2
>         leftcert=zeus2.pem
>         leftid=@zeus.test.com
>         leftauth=pubkey
>         leftsubnet=172.16.40.0/24
>         right=%any
>         rightsourceip=192.16.80.10/24
>         rightauth=eap-radius
>         eap_identity=%any
>         auto=add
>
>
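
The three log lines these messages hinge on (the loaded plugin list, the RADIUS server count, and the EAP_RADIUS load failure) can be correlated mechanically. The following is an added example, not part of the original posts and not strongSwan code: a small Python triage script that rejoins the hard-wrapped, `>`-quoted log lines and reports what the log shows, without saying why strongswan.conf was not read. The names `records` and `triage`, the verdict labels and the abridged sample are assumptions made for illustration.

```python
import re

# Syslog-style charon line: "Sep  5 01:11:47 15[IKE] message"
STAMP = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \d+\[(\w+)\] (.*)$")

# Constructed sample: lines abridged from the two messages above, still
# hard-wrapped and '>'-quoted the way the list archive shows them.
SAMPLE = """\
> Sep  5 01:11:36 00[DMN] loaded plugins: charon random nonce x509
> xauth-eap openssl eap-identity sha1 fips-prf eap-mschapv2 eap-radius
> eap-md5 eap-aka
Sep  5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
> Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
> Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
"""

def records(text):
    """Return (subsystem, message) pairs, rejoining wrapped continuation lines."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop mail quote markers
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif line and out:
            out[-1][1] += " " + line  # continuation of the previous record
    return [tuple(r) for r in out]

def triage(text):
    """Correlate plugin load, RADIUS server count and EAP_RADIUS failures."""
    plugin, servers, failures = None, None, 0
    for subsys, msg in records(text):
        if subsys == "DMN" and msg.startswith("loaded plugins:"):
            plugin = "eap-radius" in msg.split(":", 1)[1].split()
        count = re.match(r"loaded (\d+) RADIUS server configurations", msg)
        if count:
            servers = int(count.group(1))
        if msg.startswith("loading EAP_RADIUS method failed"):
            failures += 1
    if plugin is False:
        verdict = "plugin-missing"
    elif servers == 0:
        verdict = "no-radius-servers"
    elif failures:
        verdict = "method-failed-other-cause"
    else:
        verdict = "no-findings"
    return {"plugin_loaded": plugin, "radius_servers": servers,
            "method_failures": failures, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```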