[strongSwan-dev] [IKE] loading EAP_RADIUS method failed

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 7 23:23:30 CEST 2012


Hi Jordan,

here is an xauth-eap example:

http://www.strongswan.org/uml/testresults/ikev1/xauth-rsa-eap-md5-radius/

Please make sure that you enable all the required plugins.

Regards

Andreas

On 09/07/2012 10:33 PM, yordanos beyene wrote:
> Thank you Andreas. I have a successful IKEv2 remote VPN connection from a
> Win7 machine with eap-radius.
>
> But I am having some difficulty getting IKEv1 xauth to work with Radius.
>
> Is there a similar example for IKEv1 + psk/cert + xauth  with Radius?
>
> When I configure the connection as follows, it works for xauth users in the
> local ipsec.secrets. It doesn't attempt external RADIUS.
>
> conn rw-ikev1
>          keyexchange=ikev1
>          left=172.16.20.2
>          leftid=local.net
>          leftsubnet=172.16.40.0/24
>          rightid=remote.net
>          right=%any
>          authby=xauthpsk
>          xauth=server
>          rightsourceip=192.16.80.10/24
>          auto=add
>
> When I use the configuration below, I get an error:
>   Sep  8 02:57:40 02[CFG] no XAuth method found named 'eap'
>
> conn rw-ikev1
>          keyexchange=ikev1
>          aggressive=yes
>          left=172.16.20.2
>          leftid=local.net
>          leftsubnet=172.16.40.0/24
>          rightid=remote.net
>          right=%any
>          leftauth=psk
>          rightauth=psk
>          rightauth2=xauth-eap
>          rightsourceip=192.16.80.10/24
>          auto=add
>
> I appreciate any help.
>
> Thanks!
>
> Jordan
>
> I am now trying
>          leftauth=psk
>          rightauth=psk
>          rightauth2=xauth-eap
>
>
>
> On Thu, Sep 6, 2012 at 10:06 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>     Hi,
>
>     the configuration of the EAP RADIUS interface goes into
>     /etc/strongswan.conf. Please have a look at our detailed HOWTO
>
>     http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
>
>     or the simple example
>
>     http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/moon.strongswan.conf
>
>     Best regards
>
>     Andreas
>
>     On 09/05/2012 06:01 AM, yordanos beyene wrote:
>      > Hi Again,
>      >
>      > In fact I see the eap-radius configuration in strongswan.conf is not
>      > picked up.
>      >           Sep  5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
>      >
>      > See the log below from when I just started ipsec. I appreciate any
>      > tips on why the RADIUS server configuration is not loaded.
>      >
>      > Sep  5 10:42:01 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0,
>      > Linux 2.6.34, x86_64)
>      > Sep  5 10:42:01 00[KNL] listening on interfaces:
>      > Sep  5 10:42:01 00[KNL]   fpn0
>      > Sep  5 10:42:01 00[KNL]     fe80::200:46ff:fe50:4e00
>      > Sep  5 10:42:01 00[KNL]   ethernet1
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b96
>      > Sep  5 10:42:01 00[KNL]   ethernet2
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b97
>      > Sep  5 10:42:01 00[KNL]   ethernet3
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b98
>      > Sep  5 10:42:01 00[KNL]   ethernet4
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b99
>      > Sep  5 10:42:01 00[KNL]   ethernet5
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9a
>      > Sep  5 10:42:01 00[KNL]   ethernet6
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9b
>      > Sep  5 10:42:01 00[KNL]   ethernet7
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9c
>      > Sep  5 10:42:01 00[KNL]   ethernet8
>      > Sep  5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9d
>      > Sep  5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
>      > Sep  5 10:42:01 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>      > Sep  5 10:42:01 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>      > Sep  5 10:42:01 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>      > Sep  5 10:42:01 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>      > Sep  5 10:42:01 00[CFG] loading crls from '/etc/ipsec.d/crls'
>      > Sep  5 10:42:01 00[CFG] loading secrets from '/etc/ipsec.secrets'
>      > ....
>      > Thanks!
>      > Jordan.
>      > On Tue, Sep 4, 2012 at 11:03 AM, yordanos beyene
>      > <yordanosb at gmail.com> wrote:
>      >
>      >     Hi SS team,
>      >
>      >     I finally resolved the SS5 kernel error with Martin's tips, and charon
>      >     is up and running. I can establish site-to-site tunnels with IKEv1
>      >     and IKEv2. Remote VPN works with users authenticated locally. But I
>      >     can't get users to authenticate via eap-radius.
>      >
>      >     Here is the error message:
>      >     Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
>      >     Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
>      >
>      >     Can you please provide me any tips? Did I miss any plugins?
>      >
>      >     I have included vpn logs and configuration details below.
>      >
>      >     Thanks as always for your help.
>      >
>      >     Jordan.
>      >     vpn.log:
>      >
>      >     Sep  5 01:11:36 00[DMN] loaded plugins: charon random nonce x509
>      >     revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac
>      >     hmac attr kernel-netlink resolve socket-default stroke updown
>      >     xauth-generic xauth-eap openssl eap-identity sha1 fips-prf
>      >     eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2
>      >     eap-simaka-pseudonym eap-simaka-reauth
>      >     Sep  5 01:11:36 00[JOB] spawning 16 worker threads
>      >     Sep  5 01:11:36 14[CFG] received stroke: add connection 'rw-ikev2'
>      >     Sep  5 01:11:36 14[CFG]   loaded certificate "C=US, ST=CA, O=RS,
>      >     OU=SPG, CN=zeus.test.com, E=zeus at test.com" from 'zeus2.pem'
>      >     Sep  5 01:11:36 14[CFG] added configuration 'rw-ikev2'
>      >     Sep  5 01:11:36 14[CFG] adding virtual IP address pool 'rw-ikev2':
>      >     192.16.80.10/24
>      >     Sep  5 01:11:47 12[NET] received packet: from 172.16.50.20[500] to
>      >     172.16.20.2[500]
>      >     Sep  5 01:11:47 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
>      >     N(NATD_S_IP) N(NATD_D_IP) ]
>      >     Sep  5 01:11:47 12[IKE] 172.16.50.20 is initiating an IKE_SA
>      >     Sep  5 01:11:47 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No
>      >     N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>      >     Sep  5 01:11:47 12[NET] sending packet: from 172.16.20.2[500] to
>      >     172.16.50.20[500]
>      >     Sep  5 01:11:47 10[NET] received packet: from 172.16.50.20[4500] to
>      >     172.16.20.2[4500]
>      >     Sep  5 01:11:47 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ
>      >     N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
>      >     Sep  5 01:11:47 10[IKE] received 34 cert requests for an unknown ca
>      >     Sep  5 01:11:47 10[CFG] looking for peer configs matching
>      >     172.16.20.2[%any]...172.16.50.20[172.16.50.20]
>      >     Sep  5 01:11:47 10[CFG] selected peer config 'rw-ikev2'
>      >     Sep  5 01:11:47 10[IKE] initiating EAP_IDENTITY method (id 0x00)
>      >     Sep  5 01:11:47 10[IKE] peer supports MOBIKE, but disabled in config
>      >     Sep  5 01:11:47 10[IKE] authentication of 'zeus.hp.com' (myself)
>      >     with RSA signature successful
>      >     Sep  5 01:11:47 10[IKE] sending end entity cert "C=US, ST=CA, O=RS,
>      >     OU=SPG, CN=zeus.test.com, E=zeus at test.com"
>      >     Sep  5 01:11:47 10[ENC] generating IKE_AUTH response 1 [ IDr CERT
>      >     AUTH EAP/REQ/ID ]
>      >     Sep  5 01:11:47 10[NET] sending packet: from 172.16.20.2[4500] to
>      >     172.16.50.20[4500]
>      >     Sep  5 01:11:47 15[NET] received packet: from 172.16.50.20[4500] to
>      >     172.16.20.2[4500]
>      >     Sep  5 01:11:47 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
>      >     Sep  5 01:11:47 15[IKE] received EAP identity 'jordan'
>      >     Sep  5 01:11:47 15[IKE] loading EAP_RADIUS method failed
>      >     Sep  5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
>      >     Sep  5 01:11:47 15[NET] sending packet: from 172.16.20.2[4500] to
>      >     172.16.50.20[4500]
>      >
>      >     ipsec.conf
>      >
>      >     # /etc/ipsec.conf - strongSwan IPsec configuration file
>      >
>      >     config setup
>      >
>      >     conn %default
>      >             ikelifetime=60m
>      >             keylife=20m
>      >             rekeymargin=3m
>      >             keyingtries=1
>      >             authby=secret
>      >             mobike=no
>      >
>      >     conn rw-ikev2
>      >             keyexchange=ikev2
>      >             left=172.16.20.2
>      >             leftcert=zeus2.pem
>      >             leftid=@zeus.test.com
>      >             leftauth=pubkey
>      >             leftsubnet=172.16.40.0/24
>      >             right=%any
>      >             rightsourceip=192.16.80.10/24
>      >             rightauth=eap-radius
>      >             eap_identity=%any
>      >             auto=add
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
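As an added example (not configuration from this thread or from the linked test case), this is how the pieces Andreas points to fit together for IKEv1 XAuth against RADIUS: the xauth-eap plugin must be loaded and told to use eap-radius as its backend, and eap-radius needs a server entry under charon.plugins.eap-radius.servers, which is the section the "loaded 0 RADIUS server configurations" line in Jordan's startup log reports as absent. The RADIUS address, shared secret and connection name are placeholders.

```conf
# /etc/strongswan.conf (added example; RADIUS address and secret are placeholders)
charon {
    # Both xauth-eap and eap-radius must appear in the "loaded plugins:"
    # line that charon logs at startup; "no XAuth method found named 'eap'"
    # means the xauth-eap plugin was not loaded.
    plugins {
        xauth-eap {
            # Default backend is md5 (checks against local secrets).
            # "radius" hands the XAuth username/password to eap-radius,
            # which runs the EAP exchange against the RADIUS server.
            backend = radius
        }
        eap-radius {
            # This is the section counted by "loaded N RADIUS server
            # configurations"; placing it outside charon.plugins gives N = 0.
            servers {
                primary {
                    address = 10.0.0.5
                    secret = PLACEHOLDER_SHARED_SECRET
                    auth_port = 1812
                }
            }
        }
    }
}

# /etc/ipsec.conf (added example)
conn rw-ikev1-xauth
        keyexchange=ikev1
        left=172.16.20.2
        leftsubnet=172.16.40.0/24
        leftauth=psk
        right=%any
        rightauth=psk
        # second authentication round: XAuth credentials verified via EAP backend
        rightauth2=xauth-eap
        rightsourceip=192.16.80.10/24
        auto=add
```

After restarting, the startup log should report "loaded 1 RADIUS server configurations" and the plugin list should contain both xauth-eap and eap-radius before any client connects.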