[strongSwan-dev] [IKE] loading EAP_RADIUS method failed
yordanos beyene
yordanosb at gmail.com
Sat Sep 8 01:45:46 CEST 2012
I got it to work using the following syntax. xauth-eap plugin was not
loaded.
conn rw-ikev1
    keyexchange=ikev1
    aggressive=yes
    left=172.16.20.2
    leftid=local.net
    leftsubnet=172.16.40.0/24
    rightid=remote.net
    right=%any
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-eap
    rightsourceip=192.16.80.10/24
    auto=add
Thanks!
Jordan.
On Fri, Sep 7, 2012 at 2:23 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Jordan,
>
> here is an xauth-eap example:
>
> http://www.strongswan.org/uml/testresults/ikev1/xauth-rsa-eap-md5-radius/
>
> Please make sure that you enable all the required plugins.
>
> Regards
>
> Andreas
>
>
> On 09/07/2012 10:33 PM, yordanos beyene wrote:
>
>> Thank you Andreas. I have successful IKEv2 remote vpn connection from
>> Win7 machine with eap-radius.
>>
>> But I am having some difficulty getting IKEv1 xauth to work with Radius.
>>
>> Is there a similar example for IKEv1 + psk/cert + xauth with Radius?
>>
>> When I configure connection as follows, it works for xauth users in
>> local - ipsec.secrets. It doesn't attempt external radius.
>>
>> conn rw-ikev1
>>     keyexchange=ikev1
>>     left=172.16.20.2
>>     leftid=local.net
>>     leftsubnet=172.16.40.0/24
>>     rightid=remote.net
>>     right=%any
>>     authby=xauthpsk
>>     xauth=server
>>     rightsourceip=192.16.80.10/24
>>     auto=add
>>
>> When I use the configuration below, I get an error:
>> Sep 8 02:57:40 02[CFG] no XAuth method found named 'eap'
>>
>> conn rw-ikev1
>>     keyexchange=ikev1
>>     aggressive=yes
>>     left=172.16.20.2
>>     leftid=local.net
>>     leftsubnet=172.16.40.0/24
>>     rightid=remote.net
>>     right=%any
>>     leftauth=psk
>>     rightauth=psk
>>     rightauth2=xauth-eap
>>     rightsourceip=192.16.80.10/24
>>     auto=add
>>
>> I appreciate any help.
>>
>> Thanks!
>>
>> Jordan
>>
>> I am now trying
>> leftauth=psk
>> rightauth=psk
>> rightauth2=xauth-eap
>>
>>
>>
>> On Thu, Sep 6, 2012 at 10:06 AM, Andreas Steffen
>> <andreas.steffen at strongswan.org> wrote:
>>
>> Hi,
>>
>> the configuration of the EAP RADIUS interface goes into
>> /etc/strongswan.conf. Please have a look at our detailed HOWTO
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
>>
>> or the simple example
>>
>> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/moon.strongswan.conf
>>
>> Best regards
>>
>> Andreas
>>
>> On 09/05/2012 06:01 AM, yordanos beyene wrote:
>> > Hi Again,
>> >
>> > In fact I see the eap-radius configuration in strongswan.conf is not
>> > picked up.
>> > Sep 5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
>> >
>> > See the log below when I just started ipsec. I appreciate any
>> > tips why the Radius server configuration is not loaded.
>> >
>> > Sep 5 10:42:01 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.34, x86_64)
>> > Sep 5 10:42:01 00[KNL] listening on interfaces:
>> > Sep 5 10:42:01 00[KNL] fpn0
>> > Sep 5 10:42:01 00[KNL] fe80::200:46ff:fe50:4e00
>> > Sep 5 10:42:01 00[KNL] ethernet1
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b96
>> > Sep 5 10:42:01 00[KNL] ethernet2
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b97
>> > Sep 5 10:42:01 00[KNL] ethernet3
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b98
>> > Sep 5 10:42:01 00[KNL] ethernet4
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b99
>> > Sep 5 10:42:01 00[KNL] ethernet5
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b9a
>> > Sep 5 10:42:01 00[KNL] ethernet6
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b9b
>> > Sep 5 10:42:01 00[KNL] ethernet7
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b9c
>> > Sep 5 10:42:01 00[KNL] ethernet8
>> > Sep 5 10:42:01 00[KNL] fe80::210:f3ff:fe24:5b9d
>> > Sep 5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
>> > Sep 5 10:42:01 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> > Sep 5 10:42:01 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> > Sep 5 10:42:01 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> > Sep 5 10:42:01 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> > Sep 5 10:42:01 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> > Sep 5 10:42:01 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> > ....
>> > Thanks!
>> > Jordan.
>> > On Tue, Sep 4, 2012 at 11:03 AM, yordanos beyene
>> > <yordanosb at gmail.com> wrote:
>> >
>> > Hi SS team,
>> >
>> > I finally resolved the SS5 kernel error with Martin's tips, and charon
>> > is up and running. I can establish site-to-site tunnels with IKEv1
>> > and IKEv2. Remote vpn works with users authenticated locally. But I
>> > can't get users to authenticate via eap-radius.
>> >
>> > Here is the error message:
>> > Sep 5 01:11:47 15[IKE] received EAP identity 'jordan'
>> > Sep 5 01:11:47 15[IKE] loading EAP_RADIUS method failed
>> >
>> > Can you please provide me any tips? Did I miss any plugins?
>> >
>> > I have included vpn logs and configuration details below.
>> >
>> > Thanks as always for your help.
>> >
>> > Jordan.
>> > vpn.log:
>> >
>> > Sep 5 01:11:36 00[DMN] loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic xauth-eap openssl eap-identity sha1 fips-prf eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
>> > Sep 5 01:11:36 00[JOB] spawning 16 worker threads
>> > Sep 5 01:11:36 14[CFG] received stroke: add connection 'rw-ikev2'
>> > Sep 5 01:11:36 14[CFG] loaded certificate "C=US, ST=CA, O=RS, OU=SPG, CN=zeus.test.com, E=zeus at test.com" from 'zeus2.pem'
>> > Sep 5 01:11:36 14[CFG] added configuration 'rw-ikev2'
>> > Sep 5 01:11:36 14[CFG] adding virtual IP address pool 'rw-ikev2': 192.16.80.10/24
>> > Sep 5 01:11:47 12[NET] received packet: from 172.16.50.20[500] to 172.16.20.2[500]
>> > Sep 5 01:11:47 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> > Sep 5 01:11:47 12[IKE] 172.16.50.20 is initiating an IKE_SA
>> > Sep 5 01:11:47 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>> > Sep 5 01:11:47 12[NET] sending packet: from 172.16.20.2[500] to 172.16.50.20[500]
>> > Sep 5 01:11:47 10[NET] received packet: from 172.16.50.20[4500] to 172.16.20.2[4500]
>> > Sep 5 01:11:47 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
>> > Sep 5 01:11:47 10[IKE] received 34 cert requests for an unknown ca
>> > Sep 5 01:11:47 10[CFG] looking for peer configs matching 172.16.20.2[%any]...172.16.50.20[172.16.50.20]
>> > Sep 5 01:11:47 10[CFG] selected peer config 'rw-ikev2'
>> > Sep 5 01:11:47 10[IKE] initiating EAP_IDENTITY method (id 0x00)
>> > Sep 5 01:11:47 10[IKE] peer supports MOBIKE, but disabled in config
>> > Sep 5 01:11:47 10[IKE] authentication of 'zeus.hp.com' (myself) with RSA signature successful
>> > Sep 5 01:11:47 10[IKE] sending end entity cert "C=US, ST=CA, O=RS, OU=SPG, CN=zeus.test.com, E=zeus at test.com"
>> > Sep 5 01:11:47 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>> > Sep 5 01:11:47 10[NET] sending packet: from 172.16.20.2[4500] to 172.16.50.20[4500]
>> > Sep 5 01:11:47 15[NET] received packet: from 172.16.50.20[4500] to 172.16.20.2[4500]
>> > Sep 5 01:11:47 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
>> > Sep 5 01:11:47 15[IKE] received EAP identity 'jordan'
>> > Sep 5 01:11:47 15[IKE] loading EAP_RADIUS method failed
>> > Sep 5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
>> > Sep 5 01:11:47 15[NET] sending packet: from 172.16.20.2[4500] to 172.16.50.20[4500]
>> >
>> > ipsec.conf
>> >
>> > # /etc/ipsec.conf - strongSwan IPsec configuration file
>> >
>> > config setup
>> >
>> > conn %default
>> >     ikelifetime=60m
>> >     keylife=20m
>> >     rekeymargin=3m
>> >     keyingtries=1
>> >     authby=secret
>> >     mobike=no
>> >
>> > conn rw-ikev2
>> >     keyexchange=ikev2
>> >     left=172.16.20.2
>> >     leftcert=zeus2.pem
>> >     leftid=@zeus.test.com
>> >     leftauth=pubkey
>> >     leftsubnet=172.16.40.0/24
>> >     right=%any
>> >     rightsourceip=192.16.80.10/24
>> >     rightauth=eap-radius
>> >     eap_identity=%any
>> >     auto=add
>>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
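As an added diagnostic for the two failures in this thread (not code from the thread or from strongSwan): the script below parses a strongswan.conf fragment and reports whether any RADIUS server is defined under charon.plugins.eap-radius, which is what charon's "loaded 0 RADIUS server configurations" means and why "loading EAP_RADIUS method failed" follows, and it scans charon log lines for those two messages, for "no XAuth method found named 'eap'", and for the presence of eap-radius, eap-identity and xauth-eap in the "loaded plugins" line. The two strongswan.conf samples, the 10.0.0.5 server address and the shared secret are constructed for the demonstration; the log lines are the ones quoted above.

```python
# Added diagnostic (not strongSwan code) for the two failures in this thread:
#   "loaded 0 RADIUS server configurations" -> "loading EAP_RADIUS method failed"
#   (no server under charon.plugins.eap-radius), and
#   "no XAuth method found named 'eap'" (xauth-eap plugin not loaded).
import re

def parse_strongswan_conf(text):
    """Minimal parser for strongswan.conf's `section { key = value }` syntax ('#' comments; no include)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):            # open a (possibly nested) section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == '}':                 # close it
            cur = stack.pop()
        elif '=' in line:
            key, value = line.split('=', 1)
            cur[key.strip()] = value.strip()
    return root

def radius_servers(conf):
    """Names of RADIUS servers charon can use: entries under charon.plugins.eap-radius.servers
    with an address and a secret, plus 'legacy' if the old flat server/secret keys are set."""
    plug = conf.get('charon', {}).get('plugins', {}).get('eap-radius', {})
    servers = plug.get('servers', {})
    names = [n for n, s in servers.items() if isinstance(s, dict)
             and s.get('address') and s.get('secret')]
    if plug.get('server') and plug.get('secret'):
        names.append('legacy')
    return names

# plugin -> the ipsec.conf setting in this thread that needs it
REQUIRED_PLUGINS = {
    'eap-identity': 'eap_identity=%any asks the client for its EAP identity',
    'eap-radius': 'rightauth=eap-radius relays EAP to the RADIUS server',
    'xauth-eap': 'rightauth2=xauth-eap verifies IKEv1 XAuth credentials via EAP',
}
SYMPTOMS = [  # (regex, finding code, hint)
    (r'loaded 0 RADIUS server configurations', 'no-radius-servers',
     'define charon.plugins.eap-radius.servers in strongswan.conf'),
    (r'loading EAP_RADIUS method failed', 'eap-radius-init-failed',
     'eap-radius has no server configured; fix strongswan.conf and restart charon'),
    (r"no XAuth method found named 'eap'", 'xauth-eap-missing',
     'load the xauth-eap plugin (it uses eap-radius as its backend)'),
]

def triage_log(lines):
    """Scan charon log lines; returns (loaded_plugins, [(code, hint), ...]). Plugin checks need a 'loaded plugins:' line."""
    loaded, findings = set(), []
    for line in lines:
        m = re.search(r'loaded plugins:\s*(.*)$', line)
        if m:
            loaded = set(m.group(1).split())
            continue
        for pattern, code, hint in SYMPTOMS:
            if re.search(pattern, line):
                findings.append((code, hint))
    for name, why in REQUIRED_PLUGINS.items():
        if loaded and name not in loaded:
            findings.append(('plugin-missing:' + name, why))
    return loaded, findings

# Constructed configs: an empty eap-radius section (what "loaded 0 RADIUS server
# configurations" implies) and a fix with a placeholder server address and secret.
CONF_BROKEN = "charon {\n  plugins {\n    eap-radius {\n    }\n  }\n}\n"
CONF_FIXED = """
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 10.0.0.5              # assumed RADIUS server
                    secret = example-shared-secret  # placeholder
                }
            }
        }
        xauth-eap {
            backend = radius   # default; XAuth credentials go via eap-radius
        }
    }
}
"""
# Log lines quoted in the thread (wrapped lines joined).
LOG_IKEV2 = [
    "Sep 5 01:11:36 00[DMN] loaded plugins: charon random nonce x509 revocation "
    "constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr kernel-netlink "
    "resolve socket-default stroke updown xauth-generic xauth-eap openssl eap-identity "
    "sha1 fips-prf eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2 "
    "eap-simaka-pseudonym eap-simaka-reauth",
    "Sep 5 10:42:01 00[CFG] loaded 0 RADIUS server configurations",
    "Sep 5 01:11:47 15[IKE] loading EAP_RADIUS method failed",
]
LOG_IKEV1 = ["Sep 8 02:57:40 02[CFG] no XAuth method found named 'eap'"]

if __name__ == '__main__':
    for label, conf in (('broken', CONF_BROKEN), ('fixed', CONF_FIXED)):
        print(label, 'RADIUS servers:', radius_servers(parse_strongswan_conf(conf)))
    for log in (LOG_IKEV2, LOG_IKEV1):
        print(triage_log(log)[1])
```

The parser deliberately reads only the nested-section syntax, so a configuration that relies on `include` files (the usual /etc/strongswan.d layout) has to be concatenated first; the plugin check is skipped when no "loaded plugins:" line is in the input, since an absent line says nothing about what charon loaded.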