[strongSwan] eap-mschapv2 NetworkManager

Peter Winterer winterer at informatik.uni-freiburg.de
Tue Oct 12 11:52:04 CEST 2010


Hi Tobias,
I made some further checks:
First, I always install the packages directly from the ubuntu
repository (i.e. not selfmade).
1.) With ubuntu 10.04 and below, I can successfully establish a vpn
connection with our gateway (EAP and certificate authentication)

2.) However, with an ubuntu 10.10 box, with the new stable packages, I
can not establish a connection.
I think something is broken (both EAP and certificate authentication).
Can someone please confirm this?

3.) It does not seem to be a network problem (see tcpdump below); it also
works with a 10.04 box in the same network.

Any hints would be helpful

Peter


tcpdump:

    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[R]:
    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[R]:
    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[R]:
    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa
ikev2_init[R]:

NetworkManager Client:
Oct 12 17:19:13 user-laptop charon: 00[DMN] loaded plugins: curl ldap
aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl
fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default
socket-raw socket-dynamic farp eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 nm dhcp resolve
Oct 12 17:19:13 user-laptop charon: 00[JOB] spawning 16 worker threads
Oct 12 17:19:13 user-laptop NetworkManager[1043]: <info> VPN service
'org.freedesktop.NetworkManager.strongswan' appeared, activating connections
Oct 12 17:19:17 user-laptop charon: 07[CFG] received initiate for
NetworkManager connection EAP
Oct 12 17:19:17 user-laptop charon: 07[CFG] using gateway certificate,
identity 'C=DE, O=MoPo WLAN Uni Freiburg, CN=vpn-mopo.vpn.uni-freiburg.de'
Oct 12 17:19:17 user-laptop charon: 07[IKE] initiating IKE_SA EAP[1] to
10.1.0.2
Oct 12 17:19:17 user-laptop NetworkManager[1043]: <info> VPN plugin
state changed: 3
Oct 12 17:19:17 user-laptop charon: 07[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 12 17:19:17 user-laptop charon: 07[NET] sending packet: from
10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:17 user-laptop NetworkManager[1043]: <info> VPN connection
'EAP' (Connect) reply received.
Oct 12 17:19:21 user-laptop charon: 15[IKE] retransmit 1 of request with
message ID 0
Oct 12 17:19:21 user-laptop charon: 15[NET] sending packet: from
10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:28 user-laptop charon: 01[IKE] retransmit 2 of request with
message ID 0
Oct 12 17:19:28 user-laptop charon: 01[NET] sending packet: from
10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:41 user-laptop charon: 08[IKE] retransmit 3 of request with
message ID 0
Oct 12 17:19:41 user-laptop charon: 08[NET] sending packet: from
10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:57 user-laptop NetworkManager[1043]: <warn> VPN connection
'EAP' (IP Config Get) timeout exceeded.
Oct 12 17:19:57 user-laptop charon: 10[IKE] destroying IKE_SA in state
CONNECTING without notification
Oct 12 17:20:07 user-laptop charon: 00[DMN] signal of type SIGTERM
received. Shutting down

Gateway:
Oct 12 11:21:47 vpn-mopo charon: 10[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 12 11:21:47 vpn-mopo charon: 10[NET] sending packet: from
10.1.0.2[500] to 10.205.4.96[500]
Oct 12 11:21:51 vpn-mopo charon: 13[NET] received packet: from
10.205.4.96[500] to 10.1.0.2[500]
Oct 12 11:21:51 vpn-mopo charon: 13[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 12 11:21:51 vpn-mopo charon: 13[IKE] received retransmit of request
with ID 0, retransmitting response
Oct 12 11:21:51 vpn-mopo charon: 13[NET] sending packet: from
10.1.0.2[500] to 10.205.4.96[500]
Oct 12 11:21:58 vpn-mopo charon: 04[NET] received packet: from
10.205.4.96[500] to 10.1.0.2[500]
Oct 12 11:21:58 vpn-mopo charon: 04[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 12 11:21:58 vpn-mopo charon: 04[IKE] received retransmit of request
with ID 0, retransmitting response
Oct 12 11:21:58 vpn-mopo charon: 04[NET] sending packet: from
10.1.0.2[500] to 10.205.4.96[500]
Oct 12 11:22:11 vpn-mopo charon: 14[NET] received packet: from
10.205.4.96[500] to 10.1.0.2[500]
Oct 12 11:22:11 vpn-mopo charon: 14[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 12 11:22:11 vpn-mopo charon: 14[IKE] received retransmit of request
with ID 0, retransmitting response
Oct 12 11:22:11 vpn-mopo charon: 14[NET] sending packet: from
10.1.0.2[500] to 10.205.4.96[500]
Oct 12 11:22:17 vpn-mopo charon: 12[JOB] deleting half open IKE_SA after
timeout
Oct 12 11:22:17 vpn-mopo charon: 12[IKE] IKE_SA (unnamed)[27] state
change: CONNECTING => DESTROYING
On 07.10.2010 18:22, Tobias Brunner wrote:
> Hi Peter,
> 
> Considering the following parts of the logs...
> 
>> *NetworkManager logs*:
>>
>> 14:54:57 charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No
>> N(NATD_S_IP) N(NATD_D_IP) ]
>> 14:54:57 charon: 09[NET] sending packet: from 10.1.0.100[500] to
>> 10.1.0.2[500]
>> 14:55:01 charon: 08[IKE] retransmit 1 of request with message ID 0
>> 14:55:01 charon: 08[NET] sending packet: from 10.1.0.100[500] to
>> 10.1.0.2[500]
>>
>> *strongSwan gateway*:
>>
>> 14:55:16 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No
>> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> 14:55:16 11[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
>> 14:55:20 12[NET] received packet: from 10.1.0.100[500] to 10.1.0.2[500]
>> 14:55:20 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) ]
>> 14:55:20 12[IKE] received retransmit of request with ID 0,
>> retransmitting response
>> 14:55:20 12[NET] sending packet: from 10.1.0.2[500] to 10.1.0.100[500]
> 
> ...it seems that the IKE_SA_INIT response sent by the gateway never
> reaches the client.  Could you try running tcpdump or wireshark on the
> client to see if the host actually receives the response.


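The check Tobias asked for (does the IKE_SA_INIT response actually arrive on the client host, and does charon see it?) can be made mechanical by correlating the client's charon log with a tcpdump of UDP/500. The script below is an added example, not code from the strongSwan project or from anyone in this thread. It assumes tcpdump was run with -n on the client, so it prints the summary format shown in the post (ikev2_init[I] / ikev2_init[R]); the sample lines are copied from the post above and joined back onto single lines.

```python
"""Correlate a strongSwan client's charon log with a tcpdump of UDP/500 to
locate where an IKE_SA_INIT exchange stalls.

Added example, not strongSwan project code. Assumes `tcpdump -n` on the client.
"""
import re
from collections import Counter

# charon [NET]/[ENC]/[IKE] messages; the syslog prefix before "charon:" is ignored
_SENT = re.compile(r"\[NET\] sending packet: from \S+\[\d+\] to \S+\[\d+\]")
_RECV = re.compile(r"\[NET\] received packet: from \S+\[\d+\] to \S+\[\d+\]")
_PARSED_RESP = re.compile(r"\[ENC\] parsed IKE_SA_INIT response")
_RETRANSMIT = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID 0")

# tcpdump -n summary line for an IKEv2 packet on UDP/500 (format as in the post)
_TCPDUMP = re.compile(
    r"(\d+(?:\.\d+){3})\.500 > (\d+(?:\.\d+){3})\.500: isakmp 2\.0 .*ikev2_init\[([IR])\]"
)

# verdicts: which segment of the path to look at next
OK = "ok: charon parsed an IKE_SA_INIT response"
NO_REQUEST_ON_WIRE = "requests never left the client: check charon's socket/interface binding"
NO_RESPONSE_ON_WIRE = "no response on the wire: look at the gateway or the path between the hosts"
RESPONSE_NOT_RECEIVED = ("responses reach the client but charon never logs 'received packet': "
                         "local receive path (host firewall, socket plugin)")
RESPONSE_NOT_PARSED = "charon received packets but parsed no IKE_SA_INIT response: check [ENC] output"


def parse_charon(lines):
    """Count what the daemon itself says it sent and received for message ID 0."""
    c = Counter()
    for line in lines:
        if _SENT.search(line):
            c["sent"] += 1
        elif _RECV.search(line):
            c["received"] += 1
        elif _PARSED_RESP.search(line):
            c["responses_parsed"] += 1
        m = _RETRANSMIT.search(line)
        if m:  # highest retransmit counter seen
            c["retransmits"] = max(c["retransmits"], int(m.group(1)))
    return c


def parse_tcpdump(lines, client_ip, gateway_ip):
    """Count IKE_SA_INIT requests/responses actually on the wire between the two hosts."""
    c = Counter()
    for line in lines:
        m = _TCPDUMP.search(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "I" and (src, dst) == (client_ip, gateway_ip):
            c["wire_requests"] += 1
        elif kind == "R" and (src, dst) == (gateway_ip, client_ip):
            c["wire_responses"] += 1
    return c


def diagnose(charon_lines, tcpdump_lines, client_ip, gateway_ip):
    """Return (verdict, daemon_counts, wire_counts); the wire view decides
    between a network problem and a problem local to the client host."""
    daemon = parse_charon(charon_lines)
    wire = parse_tcpdump(tcpdump_lines, client_ip, gateway_ip)
    if daemon["responses_parsed"]:
        verdict = OK
    elif wire["wire_requests"] == 0:
        verdict = NO_REQUEST_ON_WIRE
    elif wire["wire_responses"] == 0:
        verdict = NO_RESPONSE_ON_WIRE
    elif daemon["received"] == 0:
        verdict = RESPONSE_NOT_RECEIVED
    else:
        verdict = RESPONSE_NOT_PARSED
    return verdict, daemon, wire


# sample input copied from the post above (log lines re-joined onto one line each)
CLIENT_IP, GATEWAY_IP = "10.205.4.96", "10.1.0.2"
CLIENT_LOG = """\
Oct 12 17:19:17 user-laptop charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 12 17:19:17 user-laptop charon: 07[NET] sending packet: from 10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:21 user-laptop charon: 15[IKE] retransmit 1 of request with message ID 0
Oct 12 17:19:21 user-laptop charon: 15[NET] sending packet: from 10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:28 user-laptop charon: 01[IKE] retransmit 2 of request with message ID 0
Oct 12 17:19:28 user-laptop charon: 01[NET] sending packet: from 10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:41 user-laptop charon: 08[IKE] retransmit 3 of request with message ID 0
Oct 12 17:19:41 user-laptop charon: 08[NET] sending packet: from 10.205.4.96[500] to 10.1.0.2[500]
Oct 12 17:19:57 user-laptop charon: 10[IKE] destroying IKE_SA in state CONNECTING without notification
""".splitlines()
TCPDUMP = """\
    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    10.205.4.96.500 > 10.1.0.2.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    10.1.0.2.500 > 10.205.4.96.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
""".splitlines()

if __name__ == "__main__":
    verdict, daemon, wire = diagnose(CLIENT_LOG, TCPDUMP, CLIENT_IP, GATEWAY_IP)
    print(f"charon: sent={daemon['sent']} received={daemon['received']} retransmits={daemon['retransmits']}")
    print(f"wire:   requests={wire['wire_requests']} responses={wire['wire_responses']}")
    print(verdict)
```

On the data in the post the script counts four requests and four responses on the wire but zero "received packet" lines from the client's charon, so it reports the "responses reach the client but charon never logs 'received packet'" case rather than a network-path problem, which is exactly the distinction Tobias's question is meant to draw. One thing a practitioner would check in that situation is the client's plugin list at the top of the log, which shows socket-default, socket-raw and socket-dynamic all loaded at once; the strongSwan plugin documentation advises loading only one socket plugin at a time, so that is worth ruling out before going further into the network.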