[strongSwan] EAP-SIM authentication failing for strongswan4.6.1

Deepika Agarwal deepi7.agarwal at gmail.com
Thu Dec 8 07:58:59 CET 2011


Hello experts,

I'm using Strongswan version 4.6.1 for establishing an ipsec tunnel with
the EAP-SIM authentication method.
I have stored the triplets.dat file on the client at /etc/ipsec.d/triplets.dat,
while on the radius server it is stored in /etc/raddb/triplets.dat.

The contents of triplets.dat on both client and free radius are:

228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
228060123456001,32000000000000000000000000000000,32112233,325566778899AABB

The ipsec client side configs are:

conn android
    left=192.168.1.8
    leftid=192.168.1.8
    leftauth=eap
    eap_identity=deepika
    right=192.168.1.154
    rightid=192.168.1.154
    rightauth=pubkey
    auto=start

The ipsec server side configs are:

conn android
    left=192.168.1.154
    leftid=192.168.1.154
    leftcert=moonCert.oem
    leftauth=pubkey
    right=%any
    rightid=192.168.1.8
    rightsourceip=10.0.5.0/24
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add

However, on establishing the tunnel using the free radius server, I'm
getting the following error logs on the ipsec client:

root at ubuntu5-desktop:/usr/local/etc# ipsec up android
initiating IKE_SA android[3] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.8[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.8[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi
TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=UK, CN=nits"
  using certificate "C=UK, CN=nits"
  using trusted ca certificate "C=UK, CN=nits"
checking certificate status of "C=UK, CN=nits"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'deepika'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 2 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
root at ubuntu5-desktop:/usr/local/etc#


Error logs on free radius server:

Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
  can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> deepika
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 42 to 127.0.0.1 port 39620
        EAP-Message = 0x04000004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 3 ID 42 with timestamp +71279
Ready to process requests.

I'm suspecting that it has something to do with the error message:
"can not initiate sim, no RAND1 attribute".
Please let me know if the format and location of the triplets.dat file are
correct, or if I'm missing something in the configs which is leading to this error.

Thanks in advance
Deepika


-- 
If you think you can or if you think you can't, you are right.
-Henry Ford
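The triplets.dat layout from the post, checked with an added Python script (not from the post, strongSwan or FreeRADIUS): it parses IMSI,RAND,SRES,Kc lines, validates the field widths assumed from the values shown (RAND 32, SRES 8, Kc 16 hex characters, the GSM A3/A8 sizes), flags several records run together on one line, and reports whether each IMSI has the three distinct triplets one full EAP-SIM authentication consumes.

```python
import re
from collections import defaultdict

SAMPLE = (  # constructed sample: the post's three triplets, one per line
    "228060123456001,30000000000000000000000000000000,30112233,305566778899AABB\n"
    "228060123456001,31000000000000000000000000000000,31112233,315566778899AABB\n"
    "228060123456001,32000000000000000000000000000000,32112233,325566778899AABB\n"
)

# Hex-character widths of the GSM A3/A8 values: RAND 128 bit, SRES 32 bit, Kc 64 bit.
FIELDS = (("RAND", 32), ("SRES", 8), ("Kc", 16))
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
TRIPLETS_PER_AUTH = 3  # a full EAP-SIM run consumes up to three fresh triplets


def parse_triplets(text):
    """Return ({imsi: [(rand, sres, kc), ...]}, [error strings]) for the file text."""
    by_imsi, errors = defaultdict(list), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:  # also catches several records run together on one line
            errors.append(f"line {lineno}: expected 4 fields, got {len(parts)}")
            continue
        imsi, *hexfields = parts
        if not (imsi.isdigit() and len(imsi) <= 15):
            errors.append(f"line {lineno}: IMSI '{imsi}' must be up to 15 digits")
            continue
        bad = [n for (n, w), v in zip(FIELDS, hexfields) if len(v) != w or not HEX_RE.match(v)]
        if bad:
            errors.append(f"line {lineno}: {', '.join(bad)} must be hex of the fixed width")
            continue
        by_imsi[imsi].append(tuple(v.upper() for v in hexfields))
    return dict(by_imsi), errors


def check_file(text):
    """True when every line parses and each IMSI has enough distinct triplets for one auth."""
    by_imsi, errors = parse_triplets(text)
    for imsi, triplets in by_imsi.items():
        if len(triplets) < TRIPLETS_PER_AUTH:
            errors.append(f"IMSI {imsi}: {len(triplets)} triplet(s), need {TRIPLETS_PER_AUTH}")
        if len({t[0] for t in triplets}) != len(triplets):
            errors.append(f"IMSI {imsi}: duplicate RAND values, replay of a used triplet")
    return not errors, errors


if __name__ == "__main__":
    ok, errs = check_file(SAMPLE)
    print("triplets.dat OK" if ok else "\n".join(errs))
```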