[strongSwan] strongswan network manager client using eap-radius

Claude Tompers claude.tompers at restena.lu
Thu Jun 3 08:53:26 CEST 2010


Hi,

I'm trying to connect an Ubuntu client with the strongSwan networkmanager-plugin to my strongSwan VPN server, using the same configuration as for a Windows 7 client.
The server is authenticated via certificate; the client is authenticated via the eap-radius module.
The Windows 7 client works fine, the Ubuntu client not so much.


/etc/ipsec.conf :

conn %default
        ike=aes256-sha1-modp1536,aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekeymargin=3m
        keyingtries=1
        leftcert=vpncert.pem
        leftsubnet=0.0.0.0/0
        leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu"
        leftfirewall=yes
        right=%any
        auto=add

conn ikev2
        keyexchange=ikev2
        left=%any
        leftauth=pubkey
        eap_identity=%any
        rightauth=eap-radius
        rightsourceip=192.168.120.192/26


For the Ubuntu client :

Address : vpn6-pub.restena.lu
Certificate: The server's certificate

Authentication : EAP
Username : ctompers

As options, I checked only "Request an inner IP address"


Error Log :

Jun  3 08:21:38 vpn6-test charon: 04[CFG] switching to peer config 'ikev2'
Jun  3 08:21:38 vpn6-test charon: 04[IKE] initiating EAP-Identity request
Jun  3 08:21:38 vpn6-test charon: 04[IKE] peer supports MOBIKE
Jun  3 08:21:38 vpn6-test charon: 04[IKE] authentication of 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu' (myself) with RSA signature successful
Jun  3 08:21:38 vpn6-test charon: 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Jun  3 08:21:38 vpn6-test charon: 04[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]
Jun  3 08:21:38 vpn6-test charon: 13[NET] received packet: from 192.168.3.19[4500] to 192.168.1.13[4500]
Jun  3 08:21:38 vpn6-test charon: 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun  3 08:21:38 vpn6-test charon: 13[IKE] received EAP identity 'ctompers'
Jun  3 08:21:38 vpn6-test charon: 13[IKE] initiating EAP_RADIUS method
Jun  3 08:21:38 vpn6-test charon: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/(25) ]
Jun  3 08:21:38 vpn6-test charon: 13[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]
Jun  3 08:21:38 vpn6-test charon: 10[NET] received packet: from 192.168.3.19[4500] to 192.168.1.13[4500]
Jun  3 08:21:38 vpn6-test charon: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Jun  3 08:21:38 vpn6-test charon: 10[IKE] received EAP_NAK, sending EAP_FAILURE
Jun  3 08:21:38 vpn6-test charon: 10[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
Jun  3 08:21:38 vpn6-test charon: 10[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]


Thanks a lot for all suggestions.

kind regards
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
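
Added example, not part of the original message and not strongSwan code: a small parser that walks charon log lines like those in the error log above and reports which EAP method the server proposed and whether the peer answered it with a NAK. The function names are hypothetical, and the type-number table is a subset of the IANA EAP method type registry (25 is PEAP).

```python
import re

# Subset of the IANA EAP method type registry (RFC 3748 and later assignments).
EAP_TYPES = {4: "MD5-Challenge", 6: "GTC", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}

IDENTITY = re.compile(r"received EAP identity '([^']*)'")
# Payload summaries as in the log above: EAP/REQ/ID (named) or EAP/REQ/(25) (numeric).
EAP_REQ = re.compile(r"generating IKE_AUTH response \d+ \[.*EAP/REQ/(\(\d+\)|\w+)")
EAP_NAK = re.compile(r"parsed IKE_AUTH request \d+ \[.*EAP/RES/NAK")
EAP_FAIL = re.compile(r"generating IKE_AUTH response \d+ \[.*EAP/FAIL")


def method_name(token):
    """Turn 'ID' or '(25)' from a payload summary into a readable method name."""
    if token.startswith("("):
        num = int(token.strip("()"))
        return EAP_TYPES.get(num, f"type {num}")
    return token


def diagnose(lines):
    """Summarise the EAP exchange; 'rejected' is the method the peer NAKed."""
    out = {"identity": None, "offered": [], "rejected": None, "failed": False}
    for line in lines:
        if m := IDENTITY.search(line):
            out["identity"] = m.group(1)
        elif m := EAP_REQ.search(line):
            if m.group(1) != "ID":           # the identity request is not an auth method
                out["offered"].append(method_name(m.group(1)))
        elif EAP_NAK.search(line) and out["offered"]:
            out["rejected"] = out["offered"][-1]
        elif EAP_FAIL.search(line):
            out["failed"] = True
    return out


# Lines copied from the error log in the message above.
SAMPLE = """\
Jun  3 08:21:38 vpn6-test charon: 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Jun  3 08:21:38 vpn6-test charon: 13[IKE] received EAP identity 'ctompers'
Jun  3 08:21:38 vpn6-test charon: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/(25) ]
Jun  3 08:21:38 vpn6-test charon: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Jun  3 08:21:38 vpn6-test charon: 10[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
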