[strongSwan] ikev2_and_eap-sim
einstein at smtp.ru
Tue Jul 5 18:59:38 CEST 2011
Hello, Alan
Thank you for your reply.
I've tried various configurations and got different results, but none of
the results was the desired one.
ipsec.conf:

config setup
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw-eap
    left=83.149.6.20
    leftsubnet=10.0.0.0/24
    #leftid=@moon.strongswan.org
    #leftcert=moonCert.pem
    #leftauth=pubkey
    leftfirewall=yes
    #rightid=*@strongswan.org
    rightauth=eap-radius
    #eap_identity=%any
    rightsendcert=never
    right=%any
    auto=add

strongswan.conf:

charon {
    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
    plugins {
        eap-radius {
            secret = secret
            server = 10.255.2.70
        }
    }
    filelog {
        /usr/local/strongswan/logs/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 4
            # flush each line to disk
            flush_line = yes
        }
    }
}

With this configuration Strongswan sends packets to the RADIUS server, but
these packets do not contain the necessary data.
If I configure Strongswan as described
here (https://lists.strongswan.org/pipermail/users/2011-May/006231.html,
third link --> rw-eap-sim-id-radius), no packets are sent to the RADIUS server.
--
Best regards, Dmitry.
Alan Evans wrote:
> Hi Dmitry,
>
> I have this working in my setup.
>
> If you send me your ipsec.conf file and log file I will take a quick look.
>
> Set charondebug = "ike 3, cfg 3, net 3, knl 3" in the ipsec.conf file
> so we get some debug info.
>
> cheers
> AlanaE
>
> 2011/7/5 einstein at smtp.ru <einstein at smtp.ru>
>
> Hello,
>
> Dear developers, help me, please.
> Is it possible to configure Strongswan to work according to the
> attached diagram?
> In short: I need to configure IKEv2 with EAP-SIM authorization
> with a RADIUS server.
> I can't do it yet.
> I take dumps of each packet exchange and decrypt them using Wireshark.
> The dumps show that no information request from strongswan to the client
> occurs, and that the information from the first IKE_AUTH packet is sent
> to the RADIUS server.
> Because the RADIUS server does not receive the necessary data, it
> returns 'Access-Reject', and in the 'IKE_AUTH' response packet
> Strongswan sends 'EAP-FAILURE' and terminates the connection.
>
> I will be very grateful for any help.
>
> --
> Best regards, Dmitry.
>
> ---------------------------------------------------------------------------------------------------
>
> Hello,
>
> Dear developers, please help me figure this out.
> Is it possible to configure strongswan so that it works according to
> the attached diagram?
> In short: I need to configure IKEv2 with EAP-SIM authorization with a
> RADIUS server.
> So far I have not managed to do this.
> I capture dumps of each packet exchange and decrypt them with
> wireshark.
> The dumps show that no information is requested from the client, and
> the information from the first 'IKE_AUTH' packet is sent to the RADIUS server.
> Since the RADIUS server does not receive the necessary data, it responds
> with 'Access-Reject', and in the 'IKE_AUTH' response packet Strongswan
> sends 'EAP-FAILURE' and terminates the connection.
>
> I would be very grateful for any help.
>
> --
> Best regards, Dmitry.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.log
Type: application/octet-stream
Size: 197194 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110705/8b19240a/attachment.obj>
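
A diagnostic sketch for the situation described in this message (RADIUS packets that reach the server but "do not contain the necessary data"): it decodes a RADIUS packet taken from a capture and reports which EAP packet its EAP-Message attributes carry, for example an EAP-Response/Identity rather than an EAP-SIM message. This is an added example, not part of the original post and not strongSwan code; the sample packet and the identity user@example.org are constructed.

```python
import struct

EAP_MESSAGE, USER_NAME = 79, 1   # RADIUS attribute types (RFC 3579, RFC 2865)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 18: "EAP-SIM", 23: "EAP-AKA"}

def parse_radius(packet: bytes) -> dict:
    """Decode a RADIUS packet and summarise the EAP payload it carries."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    user_name, eap = None, b""
    pos = 20                      # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == USER_NAME:
            user_name = value.decode("utf-8", "replace")
        elif a_type == EAP_MESSAGE:
            eap += value          # one EAP packet may be split over several attributes
        pos += a_len
    summary = {"radius_code": code, "user_name": user_name, "eap": None}
    if len(eap) >= 4:
        e_code, e_id, e_len = struct.unpack("!BBH", eap[:4])
        # only Request/Response packets carry a type byte
        e_type = eap[4] if e_code in (1, 2) and e_len >= 5 and len(eap) >= 5 else None
        summary["eap"] = {"code": EAP_CODES.get(e_code, str(e_code)),
                          "type": EAP_TYPES.get(e_type, e_type),
                          "data": eap[5:e_len]}
    return summary

def build_sample() -> bytes:
    """Constructed Access-Request with an EAP-Response/Identity (not from the thread's capture)."""
    identity = b"user@example.org"
    eap = struct.pack("!BBHB", 2, 0, 5 + len(identity), 1) + identity
    attrs = bytes([USER_NAME, 2 + len(identity)]) + identity
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(parse_radius(build_sample()))
```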