[strongSwan] Error using Radius
Andreas Steffen
andreas.steffen at strongswan.org
Fri Aug 26 06:40:16 CEST 2011
Hello Terry,
the problem is that you implement EAP-TLS client authentication
by starting an second EAP-TLS negotiation after setting up the
EAP-TTLS tunnel, a setup, the strongSwan client cannot cope with:
Aug 25 20:44:59 10[TLS] received TLS ServerHello handshake (38 bytes)
Aug 25 20:44:59 10[TLS] TLS ServerHello not expected in current state
Aug 25 20:44:59 10[TLS] buffering 967 bytes, 967 bytes of 1891 byte TLS
record received
Aug 25 20:44:59 10[TLS] sending fatal TLS alert 'unexpected message'
Aug 25 20:44:59 10[TLS] sending TLS Alert record (2 bytes)
The RADIUS server then somehow chokes on the ALERT message:
[tls] processing EAP-TLS
TLS Length 7
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] >>> Unknown TLS version [length 0002]
TLS Alert write:fatal:protocol version
What you rather should configure on the RADIUS server is EAP-TTLS with
client authentication, which according to the eap.conf file is somehow
possible
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
ttls {
# The tunneled EAP session needs a default
I haven't found out yet where exactly to insert this directive in the
eap.conf file of the FreeRADIUS server but I have a similar
"request_peer_auth" option in strongswan.conf when the strongSwan
VPN gateway directly acts as a TNC Server:
charon {
plugins {
eap-ttls {
request_peer_auth = yes
phase2_piggyback = yes
phase2_tnc = yes
}
}
}
As a consequence of the certificate-based EAP-TTLS client
authentication, you can then immediately proceed to EAP-TNC over
the outer EAP-TTLS tunnel.
Best regards
Andreas
On 08/26/2011 04:43 AM, Terry Hennessy wrote:
> Hello, I'm running into a problem using a radius server. I had a
> working environment last month. Somehow it got messed up. I thought I
> had coped the config files correctly, but the ones I'm using apparently
> aren't quite right.
>
> The config is pretty close to the
> tnccs-11-radius (http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/
> ) except that I using EAP-TLS authentication for the client.
>
> This is the ipsec.conf for the client.
> -----------------------------------------------------------------------------------------------
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> strictcrlpolicy=no
> charonstart=yes
> plutostart=no
> charondebug="lib 2,cfg 2,net 2,ike 2, enc 1, chd 2, mgr 2, dmn 2
> tls 2"
>
> # Add connections here.
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> conn home
> left=%any
> leftauth=eap
> leftcert=/etc/ipsec.d/certs/nodeBRsa.crt
> leftid="Node B"
> leftfirewall=yes
> right=9.5.46.51
> rightid="Node A"
> rightauth=pubkey
> auto=start
> aaa_identity="CN=MINN Radius, O=IBM, OU=MINN TEAM, L=Rochester,
> S=Minnesota, C=US"
> ----------------------------------------------------------------------------------------------
>
> This is the ipsec.conf for the gateway
> ------------------------------------------------------------------------------------------
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> strictcrlpolicy=no
> plutostart=no
> charonstart=yes
> charondebug="lib 2,cfg 2, net 2, ike 3, enc 2, chd 2, mgr 2, dmn
> 2, tls 2"
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
>
> conn rw-allow
> rightgroups=allow
> also=rw-eap
> auto=add
>
> conn rw-isolate
> rightgroups=isolate
> also=rw-eap
> auto=add
>
> conn rw-eap
> leftcert=rncRsa.crt
> leftid="Node A"
> left=9.5.46.51
> leftauth=pubkey
> rightsendcert=never
> right=%any
> rightauth=eap-radius
> ------------------------------------------------------------------------------------------
>
>
>
> This is a portion of the output from freeradius
>
> ---------------------------------------------------------------------------------------------
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 78 to 9.5.46.51 port 45040
> EAP-Message =
> 0x01080069158000000455467c6bc39327cac128fa941c858874f244dfc34b113848437afa690db2b47ac12ed17acd67f922bea754a35ed155c71f2c24c1320a3fa823bbdda31c5bfd5841017471816ead5f7000be962360bc89c9fdea2f2b0a57a4845c3641fa631524
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9f074c24980f5906538646d64966975d
> Finished request 7.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 9.5.46.51 port 45040, id=79,
> length=163
> User-Name = "Node B"
> EAP-Message =
> 0x0208004f1580000000451703010040ef7387c87977d629c289077701c7e8ed7e655e4edf6b0b0f75e70ce5555905278b4803e0bf09daf81d9f750b447ffbda76e31fa8204a2d4ca5102e530f2b7031
> NAS-Port-Type = Virtual
> NAS-Identifier = "strongSwan"
> State = 0x9f074c24980f5906538646d64966975d
> Message-Authenticator = 0x55ecc1b78874439e3e44ffcbfd646a7d
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [suffix] No '@' in User-Name = "Node B", looking up realm NULL
> [suffix] Found realm "NULL"
> [suffix] Adding Stripped-User-Name = "Node B"
> [suffix] Adding Realm = "NULL"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] returns ok
> [eap] EAP packet type response id 8 length 79
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> TLS Length 69
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls] eaptls_process returned 7
> [ttls] Session established. Proceeding to decode tunneled attributes.
> [ttls] Got tunneled request
> EAP-Message = 0x020200110d80000000071503030002020a
> FreeRADIUS-Proxied-To = 127.0.0.1
> [ttls] Sending tunneled request
> EAP-Message = 0x020200110d80000000071503030002020a
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "Node B"
> State = 0x19df77af18dd7a9e17d7edc55b90d0c1
> server inner-tunnel {
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> [suffix] No '@' in User-Name = "Node B", looking up realm NULL
> [suffix] Found realm "NULL"
> [suffix] Adding Stripped-User-Name = "Node B"
> [suffix] Adding Realm = "NULL"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] returns ok
> [eap] EAP packet type response id 2 length 17
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry Node B at line 94
> ++[files] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> TLS Length 7
> [tls] Length Included
> [tls] eaptls_verify returned 11
> [tls] >>> Unknown TLS version [length 0002]
> TLS Alert write:fatal:protocol version
> [tls] TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number
> SSL: SSL_read failed in a system call (-1), TLS session fails.
> TLS receive handshake failed during operation
> [tls] eaptls_process returned 4
> [eap] Handler failed in EAP/tls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect (TLS Alert write:fatal:protocol version): [Node B/<via
> Auth-Type = EAP>] (from client Node A port 0 via TLS tunnel)
> } # server inner-tunnel
> [ttls] Got tunneled reply code 3
> EAP-Message = 0x04020004
> Message-Authenticator = 0x00000000000000000000000000000000
> [ttls] Got tunneled Access-Reject
> [eap] Handler failed in EAP/ttls
> rlm_eap_ttls: Freeing handler for user Node B
> ----------------------------------------------------------------------------------------------------------------
>
> The charon.log on the gateway doesn't tell me too much
> --------------------------------------------------------------------------
> Aug 25 21:44:59 06[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
> Aug 25 21:44:59 06[CFG] received RADIUS Access-Challenge from
> 9.5.46.51[1812]
> Aug 25 21:44:59 06[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
> Aug 25 21:44:59 06[NET] sending packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 21:44:59 07[NET] received packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 21:44:59 07[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
> Aug 25 21:44:59 07[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
> Aug 25 21:44:59 07[CFG] received RADIUS Access-Challenge from
> 9.5.46.51[1812]
> Aug 25 21:44:59 07[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
> Aug 25 21:44:59 07[NET] sending packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 21:44:59 01[NET] received packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 21:44:59 01[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
> Aug 25 21:44:59 01[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
> Aug 25 21:44:59 01[CFG] received RADIUS Access-Challenge from
> 9.5.46.51[1812]
> Aug 25 21:44:59 01[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
> Aug 25 21:44:59 01[NET] sending packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 21:44:59 10[NET] received packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 21:44:59 10[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
> Aug 25 21:44:59 10[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
> Aug 25 21:44:59 10[CFG] received RADIUS Access-Challenge from
> 9.5.46.51[1812]
> Aug 25 21:44:59 10[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
> Aug 25 21:44:59 10[NET] sending packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 21:44:59 09[NET] received packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 21:44:59 09[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
> Aug 25 21:44:59 09[CFG] sending RADIUS Access-Request to 9.5.46.51[1812]
> Aug 25 21:45:00 09[CFG] received RADIUS Access-Reject from 9.5.46.51[1812]
> Aug 25 21:45:00 09[IKE] RADIUS authentication of 'Node B' failed
> Aug 25 21:45:00 09[IKE] EAP method EAP_TTLS failed for peer Node B
> Aug 25 21:45:00 09[ENC] generating IKE_AUTH response 9 [ EAP/FAIL ]
> Aug 25 21:45:00 09[NET] sending packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> -------------------------------------------------------------------------------------------------------
>
> The charon.log on the client is a little more interesting but I can't
> tell what the problem is from there either
> ----------------------------------------------------------------------------------
> Aug 25 20:44:59 15[LIB] size of DH secret exponent: 1020 bits
> Aug 25 20:44:59 15[TLS] processing TLS Handshake record (4 bytes)
> Aug 25 20:44:59 15[TLS] received TLS ServerHelloDone handshake (0 bytes)
> Aug 25 20:44:59 15[TLS] sending TLS ClientKeyExchange handshake (130 bytes)
> Aug 25 20:44:59 15[TLS] sending TLS Handshake record (134 bytes)
> Aug 25 20:44:59 15[TLS] sending TLS ChangeCipherSpec record (1 bytes)
> Aug 25 20:44:59 15[TLS] sending TLS Finished handshake (12 bytes)
> Aug 25 20:44:59 15[TLS] sending TLS Handshake record (48 bytes)
> Aug 25 20:44:59 15[TLS] sending EAP_TTLS packet (198 bytes)
> Aug 25 20:44:59 15[IKE] reinitiating already active tasks
> Aug 25 20:44:59 15[IKE] IKE_AUTHENTICATE task
> Aug 25 20:44:59 15[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 15[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 15[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
> Aug 25 20:44:59 15[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
> encryption payload
> Aug 25 20:44:59 15[ENC] generating payload of type HEADER
> Aug 25 20:44:59 15[ENC] generating HEADER payload finished
> Aug 25 20:44:59 15[ENC] generating payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 15[ENC] generating EXTENSIBLE_AUTHENTICATION payload
> finished
> Aug 25 20:44:59 15[ENC] generated content in encryption payload
> Aug 25 20:44:59 15[ENC] generating payload of type ENCRYPTED
> Aug 25 20:44:59 15[ENC] generating ENCRYPTED payload finished
> Aug 25 20:44:59 15[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 01[JOB] next event in 3s 902ms, waiting
> Aug 25 20:44:59 15[MGR] checkin IKE_SA home[1]
> Aug 25 20:44:59 15[MGR] check-in of IKE_SA successful.
> Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 06[ENC] parsing header of message
> Aug 25 20:44:59 06[ENC] parsing HEADER payload, 140 bytes left
> Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
> Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
> Aug 25 20:44:59 06[NET] waiting for data on sockets
> Aug 25 20:44:59 16[MGR] checkout IKE_SA by message
> Aug 25 20:44:59 16[MGR] IKE_SA home[1] successfully checked out
> Aug 25 20:44:59 16[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 16[ENC] parsing body of message, first payload is ENCRYPTED
> Aug 25 20:44:59 16[ENC] starting parsing a ENCRYPTED payload
> Aug 25 20:44:59 16[ENC] parsing ENCRYPTED payload, 112 bytes left
> Aug 25 20:44:59 16[ENC] parsing ENCRYPTED payload finished
> Aug 25 20:44:59 16[ENC] verifying payload of type ENCRYPTED
> Aug 25 20:44:59 16[ENC] ENCRYPTED payload verified. Adding to payload list
> Aug 25 20:44:59 16[ENC] ENCRYPTED payload found. Stop parsing
> Aug 25 20:44:59 16[ENC] process payload of type ENCRYPTED
> Aug 25 20:44:59 16[ENC] found an encryption payload
> Aug 25 20:44:59 16[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 73
> bytes left
> Aug 25 20:44:59 16[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
> Aug 25 20:44:59 16[ENC] parsed content of encryption payload
> Aug 25 20:44:59 16[ENC] insert decrypted payload of type
> EXTENSIBLE_AUTHENTICATION at end of list
> Aug 25 20:44:59 16[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 16[ENC] verifying message structure
> Aug 25 20:44:59 16[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 16[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
> Aug 25 20:44:59 16[TLS] processing TLS ChangeCipherSpec record (1 bytes)
> Aug 25 20:44:59 16[TLS] processing TLS Handshake record (48 bytes)
> Aug 25 20:44:59 16[TLS] received TLS Finished handshake (12 bytes)
> Aug 25 20:44:59 16[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
> Aug 25 20:44:59 16[TLS] sending TLS ApplicationData record (48 bytes)
> Aug 25 20:44:59 16[TLS] sending EAP_TTLS packet (53 bytes)
> Aug 25 20:44:59 16[IKE] reinitiating already active tasks
> Aug 25 20:44:59 16[IKE] IKE_AUTHENTICATE task
> Aug 25 20:44:59 16[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 16[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 16[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
> Aug 25 20:44:59 16[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
> encryption payload
> Aug 25 20:44:59 16[ENC] generating payload of type HEADER
> Aug 25 20:44:59 16[ENC] generating HEADER payload finished
> Aug 25 20:44:59 16[ENC] generating payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 16[ENC] generating EXTENSIBLE_AUTHENTICATION payload
> finished
> Aug 25 20:44:59 16[ENC] generated content in encryption payload
> Aug 25 20:44:59 16[ENC] generating payload of type ENCRYPTED
> Aug 25 20:44:59 16[ENC] generating ENCRYPTED payload finished
> Aug 25 20:44:59 16[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 01[JOB] next event in 3s 895ms, waiting
> Aug 25 20:44:59 16[MGR] checkin IKE_SA home[1]
> Aug 25 20:44:59 16[MGR] check-in of IKE_SA successful.
> Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 06[ENC] parsing header of message
> Aug 25 20:44:59 06[ENC] parsing HEADER payload, 140 bytes left
> Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
> Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
> Aug 25 20:44:59 06[NET] waiting for data on sockets
> Aug 25 20:44:59 08[MGR] checkout IKE_SA by message
> Aug 25 20:44:59 08[MGR] IKE_SA home[1] successfully checked out
> Aug 25 20:44:59 08[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 08[ENC] parsing body of message, first payload is ENCRYPTED
> Aug 25 20:44:59 08[ENC] starting parsing a ENCRYPTED payload
> Aug 25 20:44:59 08[ENC] parsing ENCRYPTED payload, 112 bytes left
> Aug 25 20:44:59 08[ENC] parsing ENCRYPTED payload finished
> Aug 25 20:44:59 08[ENC] verifying payload of type ENCRYPTED
> Aug 25 20:44:59 08[ENC] ENCRYPTED payload verified. Adding to payload list
> Aug 25 20:44:59 08[ENC] ENCRYPTED payload found. Stop parsing
> Aug 25 20:44:59 08[ENC] process payload of type ENCRYPTED
> Aug 25 20:44:59 08[ENC] found an encryption payload
> Aug 25 20:44:59 08[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 67
> bytes left
> Aug 25 20:44:59 08[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
> Aug 25 20:44:59 08[ENC] parsed content of encryption payload
> Aug 25 20:44:59 08[ENC] insert decrypted payload of type
> EXTENSIBLE_AUTHENTICATION at end of list
> Aug 25 20:44:59 08[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 08[ENC] verifying message structure
> Aug 25 20:44:59 08[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 08[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
> Aug 25 20:44:59 08[TLS] processing TLS ApplicationData record (48 bytes)
> Aug 25 20:44:59 08[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TLS]
> Aug 25 20:44:59 08[IKE] server requested EAP_TLS authentication
> Aug 25 20:44:59 08[TLS] disabling ECDSA suites, no backend found
> Aug 25 20:44:59 08[TLS] 13 supported TLS cipher suites:
> Aug 25 20:44:59 08[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> Aug 25 20:44:59 08[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> Aug 25 20:44:59 08[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> Aug 25 20:44:59 08[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> Aug 25 20:44:59 08[TLS] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_AES_128_CBC_SHA
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_AES_256_CBC_SHA
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_AES_256_CBC_SHA256
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_NULL_SHA
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_NULL_SHA256
> Aug 25 20:44:59 08[TLS] TLS_RSA_WITH_NULL_MD5
> Aug 25 20:44:59 08[TLS] sending TLS ClientHello handshake (83 bytes)
> Aug 25 20:44:59 08[TLS] sending TLS Handshake record (87 bytes)
> Aug 25 20:44:59 08[TLS] sending EAP_TLS packet (92 bytes)
> Aug 25 20:44:59 08[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TLS]
> Aug 25 20:44:59 08[TLS] sending TLS ApplicationData record (144 bytes)
> Aug 25 20:44:59 08[TLS] sending EAP_TTLS packet (149 bytes)
> Aug 25 20:44:59 08[IKE] reinitiating already active tasks
> Aug 25 20:44:59 08[IKE] IKE_AUTHENTICATE task
> Aug 25 20:44:59 08[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 08[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 08[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
> Aug 25 20:44:59 08[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
> encryption payload
> Aug 25 20:44:59 08[ENC] generating payload of type HEADER
> Aug 25 20:44:59 08[ENC] generating HEADER payload finished
> Aug 25 20:44:59 08[ENC] generating payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 08[ENC] generating EXTENSIBLE_AUTHENTICATION payload
> finished
> Aug 25 20:44:59 08[ENC] generated content in encryption payload
> Aug 25 20:44:59 08[ENC] generating payload of type ENCRYPTED
> Aug 25 20:44:59 08[ENC] generating ENCRYPTED payload finished
> Aug 25 20:44:59 08[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 08[MGR] checkin IKE_SA home[1]
> Aug 25 20:44:59 01[JOB] next event in 3s 889ms, waiting
> Aug 25 20:44:59 08[MGR] check-in of IKE_SA successful.
> Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 06[ENC] parsing header of message
> Aug 25 20:44:59 06[ENC] parsing HEADER payload, 1100 bytes left
> Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
> Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
> Aug 25 20:44:59 07[MGR] checkout IKE_SA by message
> Aug 25 20:44:59 07[MGR] IKE_SA home[1] successfully checked out
> Aug 25 20:44:59 07[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 07[ENC] parsing body of message, first payload is ENCRYPTED
> Aug 25 20:44:59 07[ENC] starting parsing a ENCRYPTED payload
> Aug 25 20:44:59 07[ENC] parsing ENCRYPTED payload, 1072 bytes left
> Aug 25 20:44:59 07[ENC] parsing ENCRYPTED payload finished
> Aug 25 20:44:59 07[ENC] verifying payload of type ENCRYPTED
> Aug 25 20:44:59 07[ENC] ENCRYPTED payload verified. Adding to payload list
> Aug 25 20:44:59 07[ENC] ENCRYPTED payload found. Stop parsing
> Aug 25 20:44:59 07[ENC] process payload of type ENCRYPTED
> Aug 25 20:44:59 07[ENC] found an encryption payload
> Aug 25 20:44:59 07[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 1028
> bytes left
> Aug 25 20:44:59 07[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
> Aug 25 20:44:59 07[ENC] parsed content of encryption payload
> Aug 25 20:44:59 07[ENC] insert decrypted payload of type
> EXTENSIBLE_AUTHENTICATION at end of list
> Aug 25 20:44:59 07[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 07[ENC] verifying message structure
> Aug 25 20:44:59 07[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 07[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
> Aug 25 20:44:59 07[TLS] buffering 1014 bytes, 1014 bytes of 1109 byte
> TLS record received
> Aug 25 20:44:59 07[TLS] sending EAP_TTLS acknowledgement packet
> Aug 25 20:44:59 07[IKE] reinitiating already active tasks
> Aug 25 20:44:59 07[IKE] IKE_AUTHENTICATE task
> Aug 25 20:44:59 07[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 07[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 06[NET] waiting for data on sockets
> Aug 25 20:44:59 07[ENC] generating IKE_AUTH request 8 [ EAP/RES/TTLS ]
> Aug 25 20:44:59 07[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
> encryption payload
> Aug 25 20:44:59 07[ENC] generating payload of type HEADER
> Aug 25 20:44:59 07[ENC] generating HEADER payload finished
> Aug 25 20:44:59 07[ENC] generating payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 07[ENC] generating ENCRYPTED payload finished
> Aug 25 20:44:59 07[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 07[MGR] checkin IKE_SA home[1]
> Aug 25 20:44:59 07[MGR] check-in of IKE_SA successful.
> Aug 25 20:44:59 01[JOB] next event in 3s 873ms, waiting
> Aug 25 20:44:59 06[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 06[ENC] parsing header of message
> Aug 25 20:44:59 06[ENC] parsing HEADER payload, 172 bytes left
> Aug 25 20:44:59 06[ENC] parsing HEADER payload finished
> Aug 25 20:44:59 06[ENC] parsed a IKE_AUTH response
> Aug 25 20:44:59 06[NET] waiting for data on sockets
> Aug 25 20:44:59 10[MGR] checkout IKE_SA by message
> Aug 25 20:44:59 10[MGR] IKE_SA home[1] successfully checked out
> Aug 25 20:44:59 10[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:44:59 10[ENC] parsing body of message, first payload is ENCRYPTED
> Aug 25 20:44:59 10[ENC] starting parsing a ENCRYPTED payload
> Aug 25 20:44:59 10[ENC] parsing ENCRYPTED payload, 144 bytes left
> Aug 25 20:44:59 10[ENC] parsing ENCRYPTED payload finished
> Aug 25 20:44:59 10[ENC] verifying payload of type ENCRYPTED
> Aug 25 20:44:59 10[ENC] ENCRYPTED payload verified. Adding to payload list
> Aug 25 20:44:59 10[ENC] ENCRYPTED payload found. Stop parsing
> Aug 25 20:44:59 10[ENC] process payload of type ENCRYPTED
> Aug 25 20:44:59 10[ENC] found an encryption payload
> Aug 25 20:44:59 10[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 109
> bytes left
> Aug 25 20:44:59 10[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
> Aug 25 20:44:59 10[ENC] parsed content of encryption payload
> Aug 25 20:44:59 10[ENC] insert decrypted payload of type
> EXTENSIBLE_AUTHENTICATION at end of list
> Aug 25 20:44:59 10[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 10[ENC] verifying message structure
> Aug 25 20:44:59 10[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 10[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TTLS ]
> Aug 25 20:44:59 10[TLS] buffering 95 bytes, 1109 bytes of 1109 byte TLS
> record received
> Aug 25 20:44:59 10[TLS] processing buffered TLS ApplicationData record
> (1104 bytes)
> Aug 25 20:44:59 10[IKE] received tunneled EAP-TTLS AVPs [EAP/REQ/TLS]
> Aug 25 20:44:59 10[IKE] server requested EAP_TLS authentication
> Aug 25 20:44:59 10[TLS] disabling ECDSA suites, no backend found
> Aug 25 20:44:59 10[TLS] 13 supported TLS cipher suites:
> Aug 25 20:44:59 10[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> Aug 25 20:44:59 10[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> Aug 25 20:44:59 10[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> Aug 25 20:44:59 10[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> Aug 25 20:44:59 10[TLS] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_AES_128_CBC_SHA
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_AES_256_CBC_SHA
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_AES_256_CBC_SHA256
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_NULL_SHA
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_NULL_SHA256
> Aug 25 20:44:59 10[TLS] TLS_RSA_WITH_NULL_MD5
> Aug 25 20:44:59 10[TLS] processing TLS Handshake record (42 bytes)
>
> Aug 25 20:44:59 10[TLS] received TLS ServerHello handshake (38 bytes)
> Aug 25 20:44:59 10[TLS] TLS ServerHello not expected in current state
> Aug 25 20:44:59 10[TLS] buffering 967 bytes, 967 bytes of 1891 byte TLS
> record received
> Aug 25 20:44:59 10[TLS] sending fatal TLS alert 'unexpected message'
> Aug 25 20:44:59 10[TLS] sending TLS Alert record (2 bytes)
>
> Aug 25 20:44:59 10[TLS] sending EAP_TLS packet (7 bytes)
> Aug 25 20:44:59 10[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TLS]
> Aug 25 20:44:59 10[TLS] sending TLS ApplicationData record (64 bytes)
> Aug 25 20:44:59 10[TLS] sending EAP_TTLS packet (69 bytes)
> Aug 25 20:44:59 10[IKE] reinitiating already active tasks
> Aug 25 20:44:59 10[IKE] IKE_AUTHENTICATE task
> Aug 25 20:44:59 10[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 10[ENC] added payload of type EXTENSIBLE_AUTHENTICATION
> to message
> Aug 25 20:44:59 10[ENC] generating IKE_AUTH request 9 [ EAP/RES/TTLS ]
> Aug 25 20:44:59 10[ENC] insert payload EXTENSIBLE_AUTHENTICATION to
> encryption payload
> Aug 25 20:44:59 10[ENC] generating payload of type HEADER
> Aug 25 20:44:59 10[ENC] generating HEADER payload finished
> Aug 25 20:44:59 10[ENC] generating payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:44:59 10[ENC] generating EXTENSIBLE_AUTHENTICATION payload
> finished
> Aug 25 20:44:59 10[ENC] generated content in encryption payload
> Aug 25 20:44:59 10[ENC] generating payload of type ENCRYPTED
> Aug 25 20:44:59 10[ENC] generating ENCRYPTED payload finished
> Aug 25 20:44:59 10[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 01[JOB] next event in 3s 865ms, waiting
> Aug 25 20:44:59 05[NET] sending packet: from 9.10.109.43[4500] to
> 9.5.46.51[4500]
> Aug 25 20:44:59 10[MGR] checkin IKE_SA home[1]
> Aug 25 20:44:59 10[MGR] check-in of IKE_SA successful.
> Aug 25 20:45:00 06[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:45:00 06[ENC] parsing header of message
> Aug 25 20:45:00 06[ENC] parsing HEADER payload, 76 bytes left
> Aug 25 20:45:00 06[ENC] parsing HEADER payload finished
> Aug 25 20:45:00 06[ENC] parsed a IKE_AUTH response
> Aug 25 20:45:00 06[NET] waiting for data on sockets
> Aug 25 20:45:00 09[MGR] checkout IKE_SA by message
> Aug 25 20:45:00 09[MGR] IKE_SA home[1] successfully checked out
> Aug 25 20:45:00 09[NET] received packet: from 9.5.46.51[4500] to
> 9.10.109.43[4500]
> Aug 25 20:45:00 09[ENC] parsing body of message, first payload is ENCRYPTED
> Aug 25 20:45:00 09[ENC] starting parsing a ENCRYPTED payload
> Aug 25 20:45:00 09[ENC] parsing ENCRYPTED payload, 48 bytes left
> Aug 25 20:45:00 09[ENC] parsing ENCRYPTED payload finished
> Aug 25 20:45:00 09[ENC] verifying payload of type ENCRYPTED
> Aug 25 20:45:00 09[ENC] ENCRYPTED payload verified. Adding to payload list
> Aug 25 20:45:00 09[ENC] ENCRYPTED payload found. Stop parsing
> Aug 25 20:45:00 09[ENC] process payload of type ENCRYPTED
> Aug 25 20:45:00 09[ENC] found an encryption payload
> Aug 25 20:45:00 09[ENC] parsing EXTENSIBLE_AUTHENTICATION payload, 8
> bytes left
> Aug 25 20:45:00 09[ENC] parsing EXTENSIBLE_AUTHENTICATION payload finished
> Aug 25 20:45:00 09[ENC] parsed content of encryption payload
> Aug 25 20:45:00 09[ENC] insert decrypted payload of type
> EXTENSIBLE_AUTHENTICATION at end of list
> Aug 25 20:45:00 09[ENC] process payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:45:00 09[ENC] verifying message structure
> Aug 25 20:45:00 09[ENC] found payload of type EXTENSIBLE_AUTHENTICATION
> Aug 25 20:45:00 09[ENC] parsed IKE_AUTH response 9 [ EAP/FAIL ]
> Aug 25 20:45:00 09[IKE] received EAP_FAILURE, EAP authentication failed
> Aug 25 20:45:00 09[KNL] deleting SAD entry with SPI c3a35831
> Aug 25 20:45:00 09[KNL] deleted SAD entry with SPI c3a35831
> Aug 25 20:45:00 09[MGR] checkin and destroy IKE_SA home[1]
> Aug 25 20:45:00 09[IKE] IKE_SA home[1] state change: CONNECTING =>
> DESTROYING
> ------------------------------------------------------------------------------------
>
>
> I've seen posts on other forums indicating that the client has a older
> SSL implementation. However, I've rebuilt openssl and strongswan on
> both the client and server (more than once) and I'm still hitting it.
> Any ideas on what I'm doing wrong?
>
>
>
> Terry Hennessy
> Dept MR6 : IBM i Security Development
> IBM Rochester, MN
> (507) 253-4448
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list