[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Kerschbaum, Sven sven.kerschbaum at siemens.com
Fri May 7 14:05:55 CEST 2010


Hi Bjarke,

I am not sure about that topic. But I think it is supported by strongSwan. I can remember that I saw a configuration of strongSwan using a remote RADIUS server for doing the authentication work. The configuration should made in your strongSwan.conf file. If I am right, you should have an section like

charon {
 eap-radius {
 	server:
	secret:
 }	
}

I think that is what you intend to do...

I think, it would be a good idea to have a downloadable virtual machine containing an already configured strongSwan. So everybody would be able just to download and get things running in a first step...

Thanks again to all the strongSwan developers! You did/do an excellent work! :)

Mit freundlichem Gruß / Best regards

Sven Kerschbaum

Siemens AG
Industry Sector Industry Automation Division
mailto:sven.kerschbaum at siemens.com
http://www.siemens.com/automation

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme
Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer; 
Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann Requardt,
Siegfried Russwurm, Peter Y. Solmssen
Registered offices: Berlin and Munich; 
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
WEEE-Reg.-No. DE 23691322



-----Ursprüngliche Nachricht-----
Von: Bjarke Istrup Pedersen [mailto:gurli at gurlinet.dk] 
Gesendet: Freitag, 7. Mai 2010 13:57
An: Kerschbaum, Sven
Cc: Tobias Brunner; Martin Willi; users at lists.strongswan.org
Betreff: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Hey,

I'm about to use the same configuration that you are setting up.
I was wondering if it is possible to get strogswan to read the
usernames and passwords from something else than the ipsec.secrets
file? (Like using RADIUS to read the values from a Windows AD)

Best regards,
Bjarke

2010/5/7 Kerschbaum, Sven <sven.kerschbaum at siemens.com>:
> Hi Tobias, Hi Martin,
>
> thanks for your replies!
>
> I fixed the issue of the missing md4 plugin. Now md4 is being successfully loaded as plugin during startup of strongSwan:
>
> 01[DMN] loaded plugins: aes des sha1 sha2 md4 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> That's true, Tobias, the IKE AUTH gets sent by strongSwan. But I still can't figure out why strongSwan does not include the CERT into the IKE AUTH response (in fact Win 7 sends a CERTREQ to strongSwan):
>
> 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
> 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 01[LIB]   loaded certificate file '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
> 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 01[CFG]   loaded private key file '/usr/local/etc/ipsec.d/private/clientkey.pem'
> 01[CFG]   loaded EAP secret for test
>
> ...
>
> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
> 07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"
> 07[CFG] looking for peer configs matching 192.168.10.90[%any]...192.168.10.12[192.168.10.12]
> 07[CFG] selected peer config 'host-host'
> 07[IKE] initiating EAP-Identity request
> 07[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
> 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> 07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Any ideas what´s going wrong? Why does strongSwan not reply with IKE AUTH  [Idr AUTH CERT EAP REQ/ID] as I would expect? Could it be of a misconfiguration of strongSwan? My ipsec.conf looks as follows:
>
> config setup
>     plutostart=no
>
> conn host-host
>     esp = 3des-sha1
>     ike = 3des-sha1-modp1024
>     left=%defaultroute
>     leftsubnet=192.168.2.0/24
>     leftcert=clientcert.pem
>     leftsendcert=never
>     right=192.168.10.12
>     rightsubnet=192.168.3.0/24
>     rightauth=eap-mschapv2
>     eap_identity=%any
>     keyexchange=ikev2
>     auto=add
>
> Thanks for your help!
> Kind Regards,
> Sven
>
>
> Mit freundlichem Gruß / Best regards
>
> Sven Kerschbaum
>
> Siemens AG
> Industry Sector Industry Automation Division
> mailto:sven.kerschbaum at siemens.com
> http://www.siemens.com/automation
>
> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme
> Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer;
> Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann Requardt,
> Siegfried Russwurm, Peter Y. Solmssen
> Registered offices: Berlin and Munich;
> Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
> WEEE-Reg.-No. DE 23691322
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: Tobias Brunner [mailto:tobias at strongswan.org]
> Gesendet: Freitag, 7. Mai 2010 11:34
> An: Martin Willi
> Cc: Kerschbaum, Sven; users at lists.strongswan.org
> Betreff: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)
>
> Hi Martin, Hi Sven,
>
> the response is just a little bit below:
>
>> 08[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere,
>> CN=ikeclient' (myself) with RSA signature successful
>> 08[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
>> 08[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Which indicates that the gateway certificate is not sent, which might cause this
> error in Win7.
>
> One other thing, not related to this particular error, but will cause the
> authentication to fail later:
>
>> 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
>> pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> The MD4 plugin is not built/loaded (which is required, if you don't use the
> OpenSSL plugin), therefore the NT-Hashes cannot be generated.
>
> Regards,
> Tobias
>
> --
> ======================================================================
> Tobias Brunner                                   tobias at strongswan.org
> strongSwan - The Linux VPN Solution!         http://www.strongswan.org
> ======================================================================
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>




More information about the Users mailing list