[strongSwan] ikev2_and_eap-sim

Alan Evans alanrevans at googlemail.com
Tue Jul 5 20:18:21 CEST 2011


Hi Dmitry,

It looks like a problem on the RADIUS side. I know I had to modify the
source code to add a NAS-Identifier AVP to the RADIUS Access-Request to make my AAA
server happy. [Note: I'm not using FreeRADIUS; I'm using my own AAA.]

I think you'll need to look at the AAA logfile to see why it's rejecting the
request. If you have a pcap file of the radius transaction I can take a look
and make sure it's similar to mine.

cheers
AlanE
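
A way to inspect the Access-Request that charon sends, in the spirit of comparing captures as suggested above; this is an added example, not code from the thread or from strongSwan. It parses a RADIUS packet, lists which of User-Name, NAS-Identifier and EAP-Message are absent, and verifies the Message-Authenticator with the shared secret (RFC 3579 requires that attribute on EAP-carrying requests). The packet bytes, the identity and the secret are constructed here; the UDP payload of a captured request can be passed to check_request instead.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MSG_AUTH = 80  # Message-Authenticator (RFC 2869); required alongside EAP-Message (RFC 3579)
ATTR_NAMES = {1: "User-Name", 32: "NAS-Identifier", 79: "EAP-Message", MSG_AUTH: "Message-Authenticator"}

def build_access_request(ident, authenticator, attrs, secret):
    """Serialize an Access-Request and append a correct Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18) + authenticator
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    zeroed = header + body + struct.pack("!BB", MSG_AUTH, 18) + b"\x00" * 16
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + body + struct.pack("!BB", MSG_AUTH, 18) + mac

def parse_radius(packet):
    """Return (code, ident, authenticator, [(type, value), ...]); raise on malformed input."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("truncated RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def check_request(packet, secret, required=(1, 32, 79)):
    """Return (names of missing required attributes, Message-Authenticator verified?)."""
    _code, _ident, _auth, attrs = parse_radius(packet)
    present = {t for t, _ in attrs}
    missing = [ATTR_NAMES.get(t, str(t)) for t in required if t not in present]
    mac, zeroed = None, b""
    for t, v in attrs:
        if t == MSG_AUTH:
            mac, v = v, b"\x00" * 16
        zeroed += struct.pack("!BB", t, len(v) + 2) + v
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return missing, mac is not None and hmac.compare_digest(expected, mac)

# Constructed sample: an EAP Response/Identity forwarded to the AAA without a NAS-Identifier.
SECRET = b"secret"  # the shared secret from the quoted strongswan.conf
IDENTITY = b"1234567890@example.invalid"  # placeholder EAP identity, not a real subscriber
EAP_RESPONSE_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
SAMPLE = build_access_request(7, bytes(range(16)), [(1, IDENTITY), (79, EAP_RESPONSE_IDENTITY)], SECRET)
print(check_request(SAMPLE, SECRET))  # (['NAS-Identifier'], True)
```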

2011/7/5 einstein at smtp.ru <einstein at smtp.ru>

> Hello, Alan
> Thank you for your reply.
>
> I've tried various configurations and got different results, but neither result
> was desirable.
> ipsec.conf:
>
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn rw-eap
>         left=83.149.6.20
>         leftsubnet=10.0.0.0/24
>         #leftid=@moon.strongswan.org
>         #leftcert=moonCert.pem
>         #leftauth=pubkey
>         leftfirewall=yes
>         #rightid=*@strongswan.org
>         rightauth=eap-radius
>         #eap_identity=%any
>         rightsendcert=never
>         right=%any
>         auto=add
>
> strongswan.conf:
>
> charon {
>   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
>   plugins {
>     eap-radius {
>       secret = secret
>       server = 10.255.2.70
>     }
>   }
>   filelog {
>     /usr/local/strongswan/logs/charon.log {
>       # add a timestamp prefix
>       time_format = %b %e %T
>       # loggers to files also accept the append option to open files in
>       # append mode at startup (default is yes)
>       append = no
>       # the default loglevel for all daemon subsystems (defaults to 1).
>       default = 4
>       # flush each line to disk
>       flush_line = yes
>     }
>   }
> }
> With this configuration Strongswan sends packets to the RADIUS server, but
> these packets do not contain the necessary data.
> If I configure Strongswan as described here (
> https://lists.strongswan.org/pipermail/users/2011-May/006231.html, third
> link-->rw-eap-sim-id-radius), no packets are sent to the RADIUS server.
>
> --
> Best regards, Dmitry.
>
> Alan Evans writes:
>
> Hi Dmitry,
>
> I have this working in my setup.
>
> If you send me your ipsec.conf file and log file I will take a quick look.
>
> Set charondebug = "ike 3, cfg 3, net 3, knl 3" in the ipsec.conf file so we
> get some debug info.
>
> cheers
> AlanE
>
> 2011/7/5 einstein at smtp.ru <einstein at smtp.ru>
>
>> Hello,
>>
>> Dear developers, help me, please.
>> Is it possible to configure Strongswan to work according to the attached
>> diagram?
>> In short: I need to configure authorization for IKEv2 with EAP-SIM
>> against a RADIUS server.
>> I can't do it yet.
>> I take dumps of each packet exchange and decrypt them using Wireshark.
>> The dumps show that the information request from strongswan to the client does not
>> occur, and the information from the first IKE_AUTH packet is sent to the
>> RADIUS server.
>> Because the RADIUS server does not receive the necessary data, it returns
>> 'Access-Reject', and in the response 'IKE_AUTH' packet Strongswan sends
>> 'EAP-FAILURE' and terminates the connection.
>>
>> I will be very grateful for any help.
>>
>> --
>> Best regards, Dmitry.
>>
>>
>> ---------------------------------------------------------------------------------------------------
>>
>> Hello,
>>
>> Dear developers, please help me figure this out.
>> Is it possible to configure strongswan so that it works according to the attached
>> diagram?
>> In short: I need to set up IKEv2 with EAP-SIM authorization against a
>> RADIUS server.
>> So far I have not been able to get this working.
>> I take dumps of each packet exchange and decrypt them with
>> wireshark.
>> The dumps show that no information request to the client takes place, and the
>> information from the first 'IKE_AUTH' packet is sent to the radius.
>> Since the RADIUS server does not receive the necessary data, it replies with
>> 'Access-Reject', and in the response 'IKE_AUTH' packet Strongswan sends
>> 'EAP-FAILURE' and terminates the connection.
>>
>> I would be very grateful for any help.
>>
>> --
>> Best regards, Dmitry.
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>