[strongSwan-dev] [IKE] loading EAP_RADIUS method failed

Andreas Steffen andreas.steffen at strongswan.org
Thu Sep 6 19:06:18 CEST 2012 

Hi,

the configuration of the EAP RADIUS interface goes into
/etc/strongswan.conf. Please have a look at our detailed HOWTO

http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

or the simple example

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/moon.strongswan.conf

Best regards

Andreas

On 09/05/2012 06:01 AM, yordanos beyene wrote:
> Hi Again,
> 
> In fact I see eap-radius configuration in strongswan.conf in not picked up.
>           Sep  5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
> 
> See the log below when I just started ipsec. I appreciate any tips why
> Radius server configuration is not loaded.
> 
> Sep  5 10:42:01 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0,
> Linux 2.6.34, x86_64)
> Sep  5 10:42:01 00[KNL] listening on interfaces:
> Sep  5 10:42:01 00[KNL]   fpn0
> Sep  5 10:42:01 00[KNL]     fe80::200:46ff:fe50:4e00
> Sep  5 10:42:01 00[KNL]   ethernet1
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b96
> Sep  5 10:42:01 00[KNL]   ethernet2
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b97
> Sep  5 10:42:01 00[KNL]   ethernet3
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b98
> Sep  5 10:42:01 00[KNL]   ethernet4
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b99
> Sep  5 10:42:01 00[KNL]   ethernet5
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9a
> Sep  5 10:42:01 00[KNL]   ethernet6
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9b
> Sep  5 10:42:01 00[KNL]   ethernet7
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9c
> Sep  5 10:42:01 00[KNL]   ethernet8
> Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9d
> Sep  5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
> Sep  5 10:42:01 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Sep  5 10:42:01 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Sep  5 10:42:01 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> Sep  5 10:42:01 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> Sep  5 10:42:01 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Sep  5 10:42:01 00[CFG] loading secrets from '/etc/ipsec.secrets'
> ....
> Thanks!
> Jordan.
> On Tue, Sep 4, 2012 at 11:03 AM, yordanos beyene <yordanosb at gmail.com
> <mailto:yordanosb at gmail.com>> wrote:
> 
>     Hi SS team,
> 
>     I finally resolved the SS5 kernel error with Martin tips, and charon
>     is up and running. I can establish site-to-site tunnels with IKEv1
>     and IKev2. Remote vpn works with users authenticated locally. But I
>     can't get users to authenticate via eap-radius.
> 
>     Here is the error message:
>     Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
>     Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
> 
>     Can you please provide me any tips? Did I miss any plugins?
> 
>     I have included vpn logs and configuration details below.
> 
>     Thanks as always for your help.
> 
>     Jordan.
>     vpn.log:
> 
>     Sep  5 01:11:36 00[DMN] loaded plugins: charon random nonce x509
>     revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac
>     hmac attr kernel-netlink resolve socket-default stroke updown
>     xauth-generic xauth-eap openssl eap-identity sha1 fips-prf
>     eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2
>     eap-simaka-pseudonym eap-simaka-reauth
>     Sep  5 01:11:36 00[JOB] spawning 16 worker threads
>     Sep  5 01:11:36 14[CFG] received stroke: add connection 'rw-ikev2'
>     Sep  5 01:11:36 14[CFG]   loaded certificate "C=US, ST=CA, O=RS,
>     OU=SPG, CN=zeus.test.com <http://zeus.test.com>, E=zeus at test.com
>     <mailto:zeus at test.com>" from 'zeus2.pem'
>     Sep  5 01:11:36 14[CFG] added configuration 'rw-ikev2'
>     Sep  5 01:11:36 14[CFG] adding virtual IP address pool 'rw-ikev2':
>     192.16.80.10/24 <http://192.16.80.10/24>
>     Sep  5 01:11:47 12[NET] received packet: from 172.16.50.20[500] to
>     172.16.20.2[500]
>     Sep  5 01:11:47 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
>     N(NATD_S_IP) N(NATD_D_IP) ]
>     Sep  5 01:11:47 12[IKE] 172.16.50.20 is initiating an IKE_SA
>     Sep  5 01:11:47 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No
>     N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>     Sep  5 01:11:47 12[NET] sending packet: from 172.16.20.2[500] to
>     172.16.50.20[500]
>     Sep  5 01:11:47 10[NET] received packet: from 172.16.50.20[4500] to
>     172.16.20.2[4500]
>     Sep  5 01:11:47 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ
>     N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
>     Sep  5 01:11:47 10[IKE] received 34 cert requests for an unknown ca
>     Sep  5 01:11:47 10[CFG] looking for peer configs matching
>     172.16.20.2[%any]...172.16.50.20[172.16.50.20]
>     Sep  5 01:11:47 10[CFG] selected peer config 'rw-ikev2'
>     Sep  5 01:11:47 10[IKE] initiating EAP_IDENTITY method (id 0x00)
>     Sep  5 01:11:47 10[IKE] peer supports MOBIKE, but disabled in config
>     Sep  5 01:11:47 10[IKE] authentication of 'zeus.hp.com
>     <http://zeus.hp.com>' (myself) with RSA signature successful
>     Sep  5 01:11:47 10[IKE] sending end entity cert "C=US, ST=CA, O=RS,
>     OU=SPG, CN=zeus.test.com <http://zeus.test.com>, E=zeus at test.com
>     <mailto:zeus at test.com>"
>     Sep  5 01:11:47 10[ENC] generating IKE_AUTH response 1 [ IDr CERT
>     AUTH EAP/REQ/ID ]
>     Sep  5 01:11:47 10[NET] sending packet: from 172.16.20.2[4500] to
>     172.16.50.20[4500]
>     Sep  5 01:11:47 15[NET] received packet: from 172.16.50.20[4500] to
>     172.16.20.2[4500]
>     Sep  5 01:11:47 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
>     Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
>     Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
>     Sep  5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
>     Sep  5 01:11:47 15[NET] sending packet: from 172.16.20.2[4500] to
>     172.16.50.20[4500]
> 
>     ipsec.conf
> 
>     # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
>     config setup
> 
>     conn %default
>             ikelifetime=60m
>             keylife=20m
>             rekeymargin=3m
>             keyingtries=1
>             authby=secret
>             mobike=no
> 
>     conn rw-ikev2
>             keyexchange=ikev2
>             left=172.16.20.2
>             leftcert=zeus2.pem
>             leftid=@zeus.test.com <http://zeus.test.com>
>             leftauth=pubkey
>             leftsubnet=172.16.40.0/24 <http://172.16.40.0/24>
>             right=%any
>             rightsourceip=192.16.80.10/24 <http://192.16.80.10/24>
>             rightauth=eap-radius
>             eap_identity=%any
>             auto=add

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Dev mailing list