[strongSwan] Error using Radius

Terry Hennessy trense at us.ibm.com
Fri Aug 26 04:43:54 CEST 2011




Hello,   I'm running into a problem using a RADIUS server.  I had a working
environment last month.   Somehow it got messed up.  I thought I had copied
the config files correctly, but the ones I'm using apparently aren't quite
right.

The config is pretty close to the tnccs-11-radius (
http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/ ) except
that I'm using EAP-TLS authentication for the client.

This is the ipsec.conf for the client.
-----------------------------------------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
      strictcrlpolicy=no
      charonstart=yes
      plutostart=no
      charondebug="lib 2,cfg 2,net 2,ike 2, enc 1, chd 2, mgr 2, dmn 2 tls 2"

# Add connections here.

conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2
conn home
       left=%any
       leftauth=eap
       leftcert=/etc/ipsec.d/certs/nodeBRsa.crt
       leftid="Node B"
       leftfirewall=yes
       right=9.5.46.51
       rightid="Node A"
       rightauth=pubkey
       auto=start
       aaa_identity="CN=MINN Radius, O=IBM, OU=MINN TEAM, L=Rochester, S=Minnesota, C=US"
----------------------------------------------------------------------------------------------

This is the ipsec.conf for the gateway
------------------------------------------------------------------------------------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        plutostart=no
        charonstart=yes
        charondebug="lib 2,cfg 2, net 2, ike 3, enc 2, chd 2, mgr 2, dmn 2, tls 2"

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn rw-allow
     rightgroups=allow
     also=rw-eap
     auto=add

conn rw-isolate
     rightgroups=isolate
     also=rw-eap
     auto=add

conn rw-eap
     leftcert=rncRsa.crt
     leftid="Node A"
     left=9.5.46.51
     leftauth=pubkey
     rightsendcert=never
     right=%any
     rightauth=eap-radius
------------------------------------------------------------------------------------------



This is a portion of the output from freeradius

---------------------------------------------------------------------------------------------
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 78 to 9.5.46.51 port 45040
	EAP-Message = 0x01080069158000000455467c6bc39327cac128fa941c858874f244dfc34b113848437afa690db2b47ac12ed17acd67f922bea754a35ed155c71f2c24c1320a3fa823bbdda31c5bfd5841017471816ead5f7000be962360bc89c9fdea2f2b0a57a4845c3641fa631524
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x9f074c24980f5906538646d64966975d
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 9.5.46.51 port 45040, id=79, length=163
	User-Name = "Node B"
	EAP-Message = 0x0208004f1580000000451703010040ef7387c87977d629c289077701c7e8ed7e655e4edf6b0b0f75e70ce5555905278b4803e0bf09daf81d9f750b447ffbda76e31fa8204a2d4ca5102e530f2b7031
	NAS-Port-Type = Virtual
	NAS-Identifier = "strongSwan"
	State = 0x9f074c24980f5906538646d64966975d
	Message-Authenticator = 0x55ecc1b78874439e3e44ffcbfd646a7d
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "Node B", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "Node B"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 79
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 69
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	EAP-Message = 0x020200110d80000000071503030002020a
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	EAP-Message = 0x020200110d80000000071503030002020a
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "Node B"
	State = 0x19df77af18dd7a9e17d7edc55b90d0c1
server inner-tunnel {
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "Node B", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "Node B"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry Node B at line 94
++[files] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 7
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] >>> Unknown TLS version [length 0002]
TLS Alert write:fatal:protocol version
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert write:fatal:protocol version): [Node B/<via Auth-Type = EAP>] (from client Node A port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
	EAP-Message = 0x04020004
	Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user Node B
----------------------------------------------------------------------------------------------------------------

The charon.log on the gateway doesn't tell me too much
--------------------------------------------------------------------------
Aug 25 21:44:59 06[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
Aug 25 21:44:59 06[CFG] received RADIUS Access-Challenge from 9.5.46.51[1812]
Aug 25 21:44:59 06[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Aug 25 21:44:59 06[NET] sending packet: from 9.5.46.51[4500] to 9.10.109.43[4500]
Aug 25 21:44:59 07[NET] received packet: from 9.10.109.43[4500] to 9.5.46.51[4500]
Aug 25 21:44:59 07[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Aug 25 21:44:59 07[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
Aug 25 21:44:59 07[CFG] received RADIUS Access-Challenge from 9.5.46.51[1812]
Aug 25 21:44:59 07[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Aug 25 21:44:59 07[NET] sending packet: from 9.5.46.51[4500] to 9.10.109.43[4500]
Aug 25 21:44:59 01[NET] received packet: from 9.10.109.43[4500] to 9.5.46.51[4500]
Aug 25 21:44:59 01[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Aug 25 21:44:59 01[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
Aug 25 21:44:59 01[CFG] received RADIUS Access-Challenge from 9.5.46.51[1812]
Aug 25 21:44:59 01[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Aug 25 21:44:59 01[NET] sending packet: from 9.5.46.51[4500] to 9.10.109.43[4500]
Aug 25 21:44:59 10[NET] received packet: from 9.10.109.43[4500] to 9.5.46.51[4500]
Aug 25 21:44:59 10[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Aug 25 21:44:59 10[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
Aug 25 21:44:59 10[CFG] received RADIUS Access-Challenge from 9.5.46.51[1812]
Aug 25 21:44:59 10[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Aug 25 21:44:59 10[NET] sending packet: from 9.5.46.51[4500] to 9.10.109.43[4500]
Aug 25 21:44:59 09[NET] received packet: from 9.10.109.43[4500] to 9.5.46.51[4500]
Aug 25 21:44:59 09[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
Aug 25 21:44:59 09[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
Aug 25 21:45:00 09[CFG] received RADIUS Access-Reject from 9.5.46.51[1812]
Aug 25 21:45:00 09[IKE] RADIUS authentication of 'Node B' failed
Aug 25 21:45:00 09[IKE] EAP method EAP_TTLS failed for peer Node B
Aug 25 21:45:00 09[ENC] generating IKE_AUTH response 9 [ EAP/FAIL ]
Aug 25 21:45:00 09[NET] sending packet: from 9.5.46.51[4500] to 9.10.109.43[4500]
-------------------------------------------------------------------------------------------------------

The charon.log on the client is a little more interesting but I can't tell
what the problem is from there either
----------------------------------------------------------------------------------
Aug 25 20:44:59 15[LIB] size of DH secret exponent: 1020 bits
Aug 25 20:44:59 15[TLS] processing TLS Handshake record (4 bytes)
Aug 25 20:44:59 15[TLS] received TLS ServerHelloDone handshake (0 bytes)
Aug 25 20:44:59 15[TLS] sending TLS ClientKeyExchange handshake (130 bytes)
Aug 25 20:44:59 15[TLS] sending TLS Handshake record (134 bytes)
Aug 25 20:44:59 15[TLS] sending TLS ChangeCipherSpec record (1 bytes)
Aug 25 20:44:59 15[TLS] sending TLS Finished handshake (12 bytes)
Aug 25 20:44:59 15[TLS] sending TLS Handshake record (48 bytes)
Aug 25 20:44:59 15[TLS] sending EAP_TTLS packet (198 bytes)
Aug 25 20:44:59 15[IKE] reinitiating already active tasks
Aug 25 20:44:59 15[IKE]   IKE_AUTHENTICATE task
Aug 25 20:44:59 15[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 15[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 15[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Aug 25 20:44:59 15[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
encryption payload
Aug 25 20:44:59 15[ENC] generating payload of type HEADER
Aug 25 20:44:59 15[ENC] generating HEADER payload finished
Aug 25 20:44:59 15[ENC] generating payload of type
EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 15[ENC] generating EXTENSIBLE_AUTHENTICATION payload
finished
Aug 25 20:44:59 15[ENC] generated content in encryption payload
Aug 25 20:44:59 15[ENC] generating payload of type ENCRYPTED
Aug 25 20:44:59 15[ENC] generating ENCRYPTED payload finished
Aug 25 20:44:59 15[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 01[JOB] next event in 3s 902ms, waiting
Aug 25 20:44:59 15[MGR] checkin IKE_SA home[1]
Aug 25 20:44:59 15[MGR] check-in of IKE_SA successful.
Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 06[ENC] parsing header of message
Aug 25 20:44:59 06[ENC] parsing HEADER payload, 140 bytes left
Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
Aug 25 20:44:59 06[NET] waiting for data on sockets
Aug 25 20:44:59 16[MGR] checkout IKE_SA by message
Aug 25 20:44:59 16[MGR] IKE_SA home[1] successfully checked out
Aug 25 20:44:59 16[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 16[ENC] parsing body of message, first payload is ENCRYPTED
Aug 25 20:44:59 16[ENC] starting parsing a ENCRYPTED payload
Aug 25 20:44:59 16[ENC] parsing ENCRYPTED payload, 112 bytes left
Aug 25 20:44:59 16[ENC] parsing ENCRYPTED payload finished
Aug 25 20:44:59 16[ENC] verifying payload of type ENCRYPTED
Aug 25 20:44:59 16[ENC] ENCRYPTED payload verified. Adding to payload list
Aug 25 20:44:59 16[ENC] ENCRYPTED payload found. Stop parsing
Aug 25 20:44:59 16[ENC] process payload of type ENCRYPTED
Aug 25 20:44:59 16[ENC] found an encryption payload
Aug 25 20:44:59 16[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 73 bytes
left
Aug 25 20:44:59 16[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
Aug 25 20:44:59 16[ENC] parsed content of encryption payload
Aug 25 20:44:59 16[ENC] insert decrypted payload of type
EXTENSIBLE_AUTHENTICATION at end of list
Aug 25 20:44:59 16[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 16[ENC] verifying message structure
Aug 25 20:44:59 16[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 16[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Aug 25 20:44:59 16[TLS] processing TLS ChangeCipherSpec record (1 bytes)
Aug 25 20:44:59 16[TLS] processing TLS Handshake record (48 bytes)
Aug 25 20:44:59 16[TLS] received TLS Finished handshake (12 bytes)
Aug 25 20:44:59 16[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Aug 25 20:44:59 16[TLS] sending TLS ApplicationData record (48 bytes)
Aug 25 20:44:59 16[TLS] sending EAP_TTLS packet (53 bytes)
Aug 25 20:44:59 16[IKE] reinitiating already active tasks
Aug 25 20:44:59 16[IKE]   IKE_AUTHENTICATE task
Aug 25 20:44:59 16[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 16[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 16[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Aug 25 20:44:59 16[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
encryption payload
Aug 25 20:44:59 16[ENC] generating payload of type HEADER
Aug 25 20:44:59 16[ENC] generating HEADER payload finished
Aug 25 20:44:59 16[ENC] generating payload of type
EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 16[ENC] generating EXTENSIBLE_AUTHENTICATION payload
finished
Aug 25 20:44:59 16[ENC] generated content in encryption payload
Aug 25 20:44:59 16[ENC] generating payload of type ENCRYPTED
Aug 25 20:44:59 16[ENC] generating ENCRYPTED payload finished
Aug 25 20:44:59 16[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 01[JOB] next event in 3s 895ms, waiting
Aug 25 20:44:59 16[MGR] checkin IKE_SA home[1]
Aug 25 20:44:59 16[MGR] check-in of IKE_SA successful.
Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 06[ENC] parsing header of message
Aug 25 20:44:59 06[ENC] parsing HEADER payload, 140 bytes left
Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
Aug 25 20:44:59 06[NET] waiting for data on sockets
Aug 25 20:44:59 08[MGR] checkout IKE_SA by message
Aug 25 20:44:59 08[MGR] IKE_SA home[1] successfully checked out
Aug 25 20:44:59 08[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 08[ENC] parsing body of message, first payload is ENCRYPTED
Aug 25 20:44:59 08[ENC] starting parsing a ENCRYPTED payload
Aug 25 20:44:59 08[ENC] parsing ENCRYPTED payload, 112 bytes left
Aug 25 20:44:59 08[ENC] parsing ENCRYPTED payload finished
Aug 25 20:44:59 08[ENC] verifying payload of type ENCRYPTED
Aug 25 20:44:59 08[ENC] ENCRYPTED payload verified. Adding to payload list
Aug 25 20:44:59 08[ENC] ENCRYPTED payload found. Stop parsing
Aug 25 20:44:59 08[ENC] process payload of type ENCRYPTED
Aug 25 20:44:59 08[ENC] found an encryption payload
Aug 25 20:44:59 08[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 67 bytes
left
Aug 25 20:44:59 08[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
Aug 25 20:44:59 08[ENC] parsed content of encryption payload
Aug 25 20:44:59 08[ENC] insert decrypted payload of type
EXTENSIBLE_AUTHENTICATION at end of list
Aug 25 20:44:59 08[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 08[ENC] verifying message structure
Aug 25 20:44:59 08[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 08[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Aug 25 20:44:59 08[TLS] processing TLS ApplicationData record (48 bytes)
Aug 25 20:44:59 08[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TLS]
Aug 25 20:44:59 08[IKE] server requested EAP_TLS authentication
Aug 25 20:44:59 08[TLS] disabling ECDSA suites, no backend found
Aug 25 20:44:59 08[TLS] 13 supported TLS cipher suites:
Aug 25 20:44:59 08[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Aug 25 20:44:59 08[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Aug 25 20:44:59 08[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Aug 25 20:44:59 08[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Aug 25 20:44:59 08[TLS]   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA256
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA256
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_3DES_EDE_CBC_SHA
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_NULL_SHA
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_NULL_SHA256
Aug 25 20:44:59 08[TLS]   TLS_RSA_WITH_NULL_MD5
Aug 25 20:44:59 08[TLS] sending TLS ClientHello handshake (83 bytes)
Aug 25 20:44:59 08[TLS] sending TLS Handshake record (87 bytes)
Aug 25 20:44:59 08[TLS] sending EAP_TLS packet (92 bytes)
Aug 25 20:44:59 08[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TLS]
Aug 25 20:44:59 08[TLS] sending TLS ApplicationData record (144 bytes)
Aug 25 20:44:59 08[TLS] sending EAP_TTLS packet (149 bytes)
Aug 25 20:44:59 08[IKE] reinitiating already active tasks
Aug 25 20:44:59 08[IKE]   IKE_AUTHENTICATE task
Aug 25 20:44:59 08[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 08[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 08[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
Aug 25 20:44:59 08[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
encryption payload
Aug 25 20:44:59 08[ENC] generating payload of type HEADER
Aug 25 20:44:59 08[ENC] generating HEADER payload finished
Aug 25 20:44:59 08[ENC] generating payload of type
EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 08[ENC] generating EXTENSIBLE_AUTHENTICATION payload
finished
Aug 25 20:44:59 08[ENC] generated content in encryption payload
Aug 25 20:44:59 08[ENC] generating payload of type ENCRYPTED
Aug 25 20:44:59 08[ENC] generating ENCRYPTED payload finished
Aug 25 20:44:59 08[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 08[MGR] checkin IKE_SA home[1]
Aug 25 20:44:59 01[JOB] next event in 3s 889ms, waiting
Aug 25 20:44:59 08[MGR] check-in of IKE_SA successful.
Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 06[ENC] parsing header of message
Aug 25 20:44:59 06[ENC] parsing HEADER payload, 1100 bytes left
Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
Aug 25 20:44:59 07[MGR] checkout IKE_SA by message
Aug 25 20:44:59 07[MGR] IKE_SA home[1] successfully checked out
Aug 25 20:44:59 07[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 07[ENC] parsing body of message, first payload is ENCRYPTED
Aug 25 20:44:59 07[ENC] starting parsing a ENCRYPTED payload
Aug 25 20:44:59 07[ENC] parsing ENCRYPTED payload, 1072 bytes left
Aug 25 20:44:59 07[ENC] parsing ENCRYPTED payload finished
Aug 25 20:44:59 07[ENC] verifying payload of type ENCRYPTED
Aug 25 20:44:59 07[ENC] ENCRYPTED payload verified. Adding to payload list
Aug 25 20:44:59 07[ENC] ENCRYPTED payload found. Stop parsing
Aug 25 20:44:59 07[ENC] process payload of type ENCRYPTED
Aug 25 20:44:59 07[ENC] found an encryption payload
Aug 25 20:44:59 07[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 1028
bytes left
Aug 25 20:44:59 07[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
Aug 25 20:44:59 07[ENC] parsed content of encryption payload
Aug 25 20:44:59 07[ENC] insert decrypted payload of type
EXTENSIBLE_AUTHENTICATION at end of list
Aug 25 20:44:59 07[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 07[ENC] verifying message structure
Aug 25 20:44:59 07[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 07[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Aug 25 20:44:59 07[TLS] buffering 1014 bytes, 1014 bytes of 1109 byte TLS
record received
Aug 25 20:44:59 07[TLS] sending EAP_TTLS acknowledgement packet
Aug 25 20:44:59 07[IKE] reinitiating already active tasks
Aug 25 20:44:59 07[IKE]   IKE_AUTHENTICATE task
Aug 25 20:44:59 07[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 07[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 06[NET] waiting for data on sockets
Aug 25 20:44:59 07[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
Aug 25 20:44:59 07[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
encryption payload
Aug 25 20:44:59 07[ENC] generating payload of type HEADER
Aug 25 20:44:59 07[ENC] generating HEADER payload finished
Aug 25 20:44:59 07[ENC] generating payload of type
EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 07[ENC] generating ENCRYPTED payload finished
Aug 25 20:44:59 07[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 07[MGR] checkin IKE_SA home[1]
Aug 25 20:44:59 07[MGR] check-in of IKE_SA successful.
Aug 25 20:44:59 01[JOB] next event in 3s 873ms, waiting
Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 06[ENC] parsing header of message
Aug 25 20:44:59 06[ENC] parsing HEADER payload, 172 bytes left
Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
Aug 25 20:44:59 06[NET] waiting for data on sockets
Aug 25 20:44:59 10[MGR] checkout IKE_SA by message
Aug 25 20:44:59 10[MGR] IKE_SA home[1] successfully checked out
Aug 25 20:44:59 10[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:44:59 10[ENC] parsing body of message, first payload is ENCRYPTED
Aug 25 20:44:59 10[ENC] starting parsing a ENCRYPTED payload
Aug 25 20:44:59 10[ENC] parsing ENCRYPTED payload, 144 bytes left
Aug 25 20:44:59 10[ENC] parsing ENCRYPTED payload finished
Aug 25 20:44:59 10[ENC] verifying payload of type ENCRYPTED
Aug 25 20:44:59 10[ENC] ENCRYPTED payload verified. Adding to payload list
Aug 25 20:44:59 10[ENC] ENCRYPTED payload found. Stop parsing
Aug 25 20:44:59 10[ENC] process payload of type ENCRYPTED
Aug 25 20:44:59 10[ENC] found an encryption payload
Aug 25 20:44:59 10[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 109
bytes left
Aug 25 20:44:59 10[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
Aug 25 20:44:59 10[ENC] parsed content of encryption payload
Aug 25 20:44:59 10[ENC] insert decrypted payload of type
EXTENSIBLE_AUTHENTICATION at end of list
Aug 25 20:44:59 10[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 10[ENC] verifying message structure
Aug 25 20:44:59 10[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 10[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Aug 25 20:44:59 10[TLS] buffering 95 bytes, 1109 bytes of 1109 byte TLS record received
Aug 25 20:44:59 10[TLS] processing buffered TLS ApplicationData record (1104 bytes)
Aug 25 20:44:59 10[IKE] received tunneled EAP-TTLS AVPs [EAP/REQ/TLS]
Aug 25 20:44:59 10[IKE] server requested EAP_TLS authentication
Aug 25 20:44:59 10[TLS] disabling ECDSA suites, no backend found
Aug 25 20:44:59 10[TLS] 13 supported TLS cipher suites:
Aug 25 20:44:59 10[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Aug 25 20:44:59 10[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Aug 25 20:44:59 10[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Aug 25 20:44:59 10[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Aug 25 20:44:59 10[TLS]   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA256
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA256
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_3DES_EDE_CBC_SHA
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_NULL_SHA
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_NULL_SHA256
Aug 25 20:44:59 10[TLS]   TLS_RSA_WITH_NULL_MD5
Aug 25 20:44:59 10[TLS] processing TLS Handshake record (42 bytes)
Aug 25 20:44:59 10[TLS] received TLS ServerHello handshake (38 bytes)
Aug 25 20:44:59 10[TLS] TLS ServerHello not expected in current state
Aug 25 20:44:59 10[TLS] buffering 967 bytes, 967 bytes of 1891 byte TLS record received
Aug 25 20:44:59 10[TLS] sending fatal TLS alert 'unexpected message'
Aug 25 20:44:59 10[TLS] sending TLS Alert record (2 bytes)
Aug 25 20:44:59 10[TLS] sending EAP_TLS packet (7 bytes)
Aug 25 20:44:59 10[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TLS]
Aug 25 20:44:59 10[TLS] sending TLS ApplicationData record (64 bytes)
Aug 25 20:44:59 10[TLS] sending EAP_TTLS packet (69 bytes)
Aug 25 20:44:59 10[IKE] reinitiating already active tasks
Aug 25 20:44:59 10[IKE]   IKE_AUTHENTICATE task
Aug 25 20:44:59 10[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 10[ENC] added payload of type EXTENSIBLE_AUTHENTICATION to
message
Aug 25 20:44:59 10[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
Aug 25 20:44:59 10[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
encryption payload
Aug 25 20:44:59 10[ENC] generating payload of type HEADER
Aug 25 20:44:59 10[ENC] generating HEADER payload finished
Aug 25 20:44:59 10[ENC] generating payload of type
EXTENSIBLE_AUTHENTICATION
Aug 25 20:44:59 10[ENC] generating EXTENSIBLE_AUTHENTICATION payload
finished
Aug 25 20:44:59 10[ENC] generated content in encryption payload
Aug 25 20:44:59 10[ENC] generating payload of type ENCRYPTED
Aug 25 20:44:59 10[ENC] generating ENCRYPTED payload finished
Aug 25 20:44:59 10[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 01[JOB] next event in 3s 865ms, waiting
Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to 9.5.46.51
[4500]
Aug 25 20:44:59 10[MGR] checkin IKE_SA home[1]
Aug 25 20:44:59 10[MGR] check-in of IKE_SA successful.
Aug 25 20:45:00 06[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:45:00 06[ENC] parsing header of message
Aug 25 20:45:00 06[ENC] parsing HEADER payload, 76 bytes left
Aug 25 20:45:00 06[ENC] parsing HEADER payload finished
Aug 25 20:45:00 06[ENC] parsed a IKE_AUTH response
Aug 25 20:45:00 06[NET] waiting for data on sockets
Aug 25 20:45:00 09[MGR] checkout IKE_SA by message
Aug 25 20:45:00 09[MGR] IKE_SA home[1] successfully checked out
Aug 25 20:45:00 09[NET] received packet: from 9.5.46.51[4500] to
9.10.109.43[4500]
Aug 25 20:45:00 09[ENC] parsing body of message, first payload is ENCRYPTED
Aug 25 20:45:00 09[ENC] starting parsing a ENCRYPTED payload
Aug 25 20:45:00 09[ENC] parsing ENCRYPTED payload, 48 bytes left
Aug 25 20:45:00 09[ENC] parsing ENCRYPTED payload finished
Aug 25 20:45:00 09[ENC] verifying payload of type ENCRYPTED
Aug 25 20:45:00 09[ENC] ENCRYPTED payload verified. Adding to payload list
Aug 25 20:45:00 09[ENC] ENCRYPTED payload found. Stop parsing
Aug 25 20:45:00 09[ENC] process payload of type ENCRYPTED
Aug 25 20:45:00 09[ENC] found an encryption payload
Aug 25 20:45:00 09[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 8 bytes
left
Aug 25 20:45:00 09[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
Aug 25 20:45:00 09[ENC] parsed content of encryption payload
Aug 25 20:45:00 09[ENC] insert decrypted payload of type
EXTENSIBLE_AUTHENTICATION at end of list
Aug 25 20:45:00 09[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:45:00 09[ENC] verifying message structure
Aug 25 20:45:00 09[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
Aug 25 20:45:00 09[ENC] parsed IKE_AUTH response 9 [ EAP/FAIL ]
Aug 25 20:45:00 09[IKE] received EAP_FAILURE, EAP authentication failed
Aug 25 20:45:00 09[KNL] deleting SAD entry with SPI c3a35831
Aug 25 20:45:00 09[KNL] deleted SAD entry with SPI c3a35831
Aug 25 20:45:00 09[MGR] checkin and destroy IKE_SA home[1]
Aug 25 20:45:00 09[IKE] IKE_SA home[1] state change: CONNECTING =>
DESTROYING
------------------------------------------------------------------------------------


I've seen posts on other forums indicating that the client has an older SSL
implementation.  However, I've rebuilt openssl and strongswan on both the
client and server (more than once) and I'm still hitting it.  Any ideas on
what I'm doing wrong?



Terry Hennessy
Dept MR6 : IBM i Security Development
IBM  Rochester, MN
(507) 253-4448
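The EAP-Message values quoted in the FreeRADIUS output can be decoded by hand to see exactly what crossed the tunnel. The decoder below is an added example, not code from the original post, strongSwan or FreeRADIUS; it assumes only the EAP, EAP-TLS/EAP-TTLS and TLS record layouts from the RFCs named in its comments, and its sample inputs are taken verbatim from the log excerpt above.

```python
import struct

# Added example: decode RADIUS EAP-Message values as printed by FreeRADIUS (radiusd -X).
# Not part of the original post, strongSwan or FreeRADIUS. Field layout follows
# RFC 3748 (EAP), RFC 5216 (EAP-TLS), RFC 5281 (EAP-TTLS) and the TLS record header.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS"}
TLS_RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      42: "bad_certificate", 70: "protocol_version"}

# Sample inputs copied verbatim from the FreeRADIUS debug output quoted in the post.
SAMPLES = {
    # Access-Challenge id 78: final fragment of a larger outer EAP-TTLS message
    "challenge_78": "0x01080069158000000455467c6bc39327cac128fa941c858874f244dfc34b113848437afa690db2b47ac12ed17acd67f922bea754a35ed155c71f2c24c1320a3fa823bbdda31c5bfd5841017471816ead5f7000be962360bc89c9fdea2f2b0a57a4845c3641fa631524",
    # Access-Request id 79: outer EAP-TTLS response carrying an encrypted TLS record
    "response_8": "0x0208004f1580000000451703010040ef7387c87977d629c289077701c7e8ed7e655e4edf6b0b0f75e70ce5555905278b4803e0bf09daf81d9f750b447ffbda76e31fa8204a2d4ca5102e530f2b7031",
    # inner-tunnel request: the EAP-TLS response that made the inner tunnel fail
    "inner_response_2": "0x020200110d80000000071503030002020a",
    # inner-tunnel reply: EAP Failure
    "inner_failure": "0x04020004",
}


def decode_eap_message(hex_value):
    """Return a dict describing one EAP-Message value; raise ValueError on malformed input."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack(">BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field says {length} bytes, {len(data)} present")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):  # Success / Failure carry no type byte
        return result
    eap_type = data[4]
    result["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type not in (13, 21):
        result["type_data"] = data[5:].hex()
        return result
    # EAP-TLS and EAP-TTLS share the flags byte: L = TLS message length included,
    # M = more fragments follow, S = start; EAP-TTLS keeps its version in the low bits.
    flags = data[5]
    result["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    if eap_type == 21:
        result["ttls_version"] = flags & 0x07
    offset = 6
    if flags & 0x80:
        if len(data) < 10:
            raise ValueError("L flag set but the 4-byte TLS message length is missing")
        result["tls_length"] = struct.unpack(">I", data[6:10])[0]
        offset = 10
    fragment = data[offset:]
    result["fragment_bytes"] = len(fragment)
    # A fragment shorter than the announced TLS length is a continuation (or the tail)
    # of a reassembled message and does not begin with a record header, so stop here.
    result["complete"] = len(fragment) >= result.get("tls_length", len(fragment))
    if not result["complete"] or len(fragment) < 5:
        return result
    ctype, major, minor, rec_len = struct.unpack(">BBBH", fragment[:5])
    record = {"type": TLS_RECORD_TYPES.get(ctype, f"unknown({ctype})"),
              "version": TLS_VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
              "length": rec_len}
    body = fragment[5:5 + rec_len]
    # An alert sent before any key exchange is plaintext: level byte, description byte.
    if ctype == 21 and len(body) == 2:
        record["alert"] = (ALERT_LEVELS.get(body[0], f"unknown({body[0]})"),
                           ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})"))
    result["tls_record"] = record
    return result


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_eap_message(value))
```

On the inner-tunnel EAP-Message the result is a fatal unexpected_message alert in a record header stamped TLS 1.2, which lines up with the client's "sending fatal TLS alert 'unexpected message'" line and the inner-tunnel "Unknown TLS version [length 0002]" complaint. The Access-Challenge sample decodes as the 95-byte tail of a 1109-byte TLS message, matching the client's buffering lines.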