[strongSwan] eap-mschapv2 NetworkManager

Peter Winterer winterer at informatik.uni-freiburg.de
Thu Oct 7 16:38:49 CEST 2010


Hi all,

I just set up the following on a strongSwan gateway, version 4.4.1:
"EAP_MSCHAPv2 authentication with EAP identity"
(for the detailed config, see below)

The configuration is working with Windows 7 and MS's Agile VPN client.
However, when I try to connect from an Ubuntu 10.04 box with a
NetworkManager config as the client, it doesn't work. I'm getting the
following errors.

Any ideas for this issue?
thanks

peter


*NetworkManager logs*:

14:54:57 lralap05 charon: 00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default socket-raw socket-dynamic farp eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 nm dhcp resolve
14:54:57 charon: 00[JOB] spawning 16 worker threads
14:54:57 NetworkManager[2418]: <info> VPN plugin state changed: 1
14:54:57 charon: 09[CFG] received initiate for NetworkManager connection mopo eap
14:54:57 NetworkManager[2418]: <info> VPN plugin state changed: 3
14:54:57 charon: 09[CFG] using gateway certificate, identity 'C=DE, O=MoPo WLAN Uni Freiburg, CN=vpn-mopo.vpn.uni-freiburg.de'
14:54:57 charon: 09[IKE] initiating IKE_SA mopo eap[1] to 10.1.0.2
14:54:57 charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14:54:57 charon: 09[NET] sending packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:54:57 NetworkManager[2418]: <info> VPN connection 'mopo eap' (Connect) reply received.
14:55:01 charon: 08[IKE] retransmit 1 of request with message ID 0
14:55:01 charon: 08[NET] sending packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:08 charon: 10[IKE] retransmit 2 of request with message ID 0
14:55:08 charon: 10[NET] sending packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:21 charon: 12[IKE] retransmit 3 of request with message ID 0
14:55:21 charon: 12[NET] sending packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:38 NetworkManager[2418]: <warn> VPN connection 'mopo eap' (IP Config Get) timeout exceeded.
14:55:38 charon: 14[IKE] destroying IKE_SA in state CONNECTING without notification
14:55:38 NetworkManager[2418]: <info> (eth0): writing resolv.conf to /sbin/resolvconf
14:55:38 NetworkManager[2418]: <info> Policy set 'Neue kabelgebundene Verbindung' (eth0) as default for IPv4 routing and DNS.
14:55:48 charon: 00[DMN] signal of type SIGTERM received. Shutting down

*strongSwan gateway*:

14:55:16 11[NET] received packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:16 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14:55:16 11[CFG] looking for an ike config for 10.1.0.2...10.1.0.100
14:55:16 11[CFG]   candidate: 10.1.0.2...%any, prio 5
14:55:16 11[CFG] found matching ike config: 10.1.0.2...%any with prio 5
14:55:16 11[IKE] 10.1.0.100 is initiating an IKE_SA
14:55:16 11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
14:55:16 11[CFG] selecting proposal:
14:55:16 11[CFG]   proposal matches
14:55:16 11[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
14:55:16 11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
14:55:16 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
14:55:16 11[IKE] sending cert request for "C=DE, O=MoPo WLAN Uni Freiburg, CN=MoPo Root-CA"
14:55:16 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
14:55:16 11[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
14:55:20 12[NET] received packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:20 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14:55:20 12[IKE] received retransmit of request with ID 0, retransmitting response
14:55:20 12[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
14:55:27 13[NET] received packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:27 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14:55:27 13[IKE] received retransmit of request with ID 0, retransmitting response
14:55:27 13[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
14:55:40 14[NET] received packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:40 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14:55:40 14[IKE] received retransmit of request with ID 0, retransmitting response
14:55:40 14[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
14:55:46 15[JOB] deleting half open IKE_SA after timeout
14:55:46 15[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING


*strongSwan gateway config*:
..
conn eap-intern
     ike=aes256-sha1-modp1024!
     esp=aes256-sha1!
     # rekey=no
     left=10.1.0.2
     leftsubnet=0.0.0.0/0
     leftauth=pubkey
     leftcert=cert.pem
     leftid=root at host.domain
     right=%any
     rightauth=eap-mschapv2
     #rightauth=eap-radius
     rightsendcert=never
     eap_identity=%any
     auto=add
..
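The two logs above show the gateway receiving every IKE_SA_INIT request and sending a response each time, while the client side logs only "sending packet" and retransmits and never a "received packet" line. The following script is an added example, not part of the post, that correlates charon NET lines from both sides to make that one-way gap explicit; the log excerpts embedded in it are constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed excerpts modelled on the two charon logs quoted in the post
# (client 10.1.0.100 running the NetworkManager plugin, gateway 10.1.0.2).
CLIENT_LOG = """\
14:54:57 charon: 09[NET] sending packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:01 charon: 08[IKE] retransmit 1 of request with message ID 0
14:55:01 charon: 08[NET] sending packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:08 charon: 10[IKE] retransmit 2 of request with message ID 0
14:55:08 charon: 10[NET] sending packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:38 charon: 14[IKE] destroying IKE_SA in state CONNECTING without notification
"""
GATEWAY_LOG = """\
14:55:16 11[NET] received packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:16 11[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
14:55:20 12[NET] received packet: from 10.1.0.100[500] to 10.1.0.2[500]
14:55:20 12[IKE] received retransmit of request with ID 0, retransmitting response
14:55:20 12[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
14:55:46 15[JOB] deleting half open IKE_SA after timeout
"""

# Matches charon's "[NET] sending/received packet: from A[port] to B[port]" lines.
PKT = re.compile(r"\[NET\] (sending|received) packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")

def count_packets(log):
    """Count NET lines per (direction, src_ip, dst_ip)."""
    counts = Counter()
    for line in log.splitlines():
        m = PKT.search(line)
        if m:
            counts[(m.group(1), m.group(2), m.group(4))] += 1
    return counts

def diagnose(client_log, gateway_log, client_ip, gw_ip):
    """Compare both ends of the IKE_SA_INIT exchange and flag one-way loss.
    'lost' names each hop where packets were sent on one side but never
    logged as received on the other."""
    c, g = count_packets(client_log), count_packets(gateway_log)
    req_sent = c[("sending", client_ip, gw_ip)]
    req_recv = g[("received", client_ip, gw_ip)]
    resp_sent = g[("sending", gw_ip, client_ip)]
    resp_recv = c[("received", gw_ip, client_ip)]
    lost = []
    if req_sent and not req_recv:
        lost.append("client->gateway")
    if resp_sent and not resp_recv:
        lost.append("gateway->client")
    return {"req_sent": req_sent, "req_recv": req_recv,
            "resp_sent": resp_sent, "resp_recv": resp_recv, "lost": lost}

if __name__ == "__main__":
    print(diagnose(CLIENT_LOG, GATEWAY_LOG, "10.1.0.100", "10.1.0.2"))
```

On the excerpts above the result lists only "gateway->client" as lost, which is where to look (packet captures on both hosts, any filtering in between) before touching the EAP configuration.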