[strongSwan] ikev2_and_eap-sim
Alan Evans
alanrevans at googlemail.com
Tue Jul 5 20:18:21 CEST 2011
Hi Dmitry,
It looks like a problem on the RADIUS side. I know I had to modify the
source code to add a NAS-Identifier AVP to the RADIUS request to make my AAA
server happy. [Note I'm not using FreeRADIUS; I'm using my own AAA.]
I think you'll need to look at the AAA log file to see why it's rejecting the
request. If you have a pcap file of the RADIUS transaction I can take a look
and make sure it's similar to mine.
cheers
AlanE
2011/7/5 einstein at smtp.ru <einstein at smtp.ru>
> Hello, Alan
> Thank you for your reply.
>
> I've tried various configurations and got different results, but neither result
> was the desired one.
> ipsec.conf:
>
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn rw-eap
>         left=83.149.6.20
>         leftsubnet=10.0.0.0/24
>         #leftid=@moon.strongswan.org
>         #leftcert=moonCert.pem
>         #leftauth=pubkey
>         leftfirewall=yes
>         #rightid=*@strongswan.org
>         rightauth=eap-radius
>         #eap_identity=%any
>         rightsendcert=never
>         right=%any
>         auto=add
>
> strongswan.conf:
>
> charon {
>         load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
>         plugins {
>                 eap-radius {
>                         secret = secret
>                         server = 10.255.2.70
>                 }
>         }
>         filelog {
>                 /usr/local/strongswan/logs/charon.log {
>                         # add a timestamp prefix
>                         time_format = %b %e %T
>                         # loggers to files also accept the append option to open files in
>                         # append mode at startup (default is yes)
>                         append = no
>                         # the default loglevel for all daemon subsystems (defaults to 1).
>                         default = 4
>                         # flush each line to disk
>                         flush_line = yes
>                 }
>         }
> }
> With this configuration strongSwan sends packets to the RADIUS server, but
> these packets do not contain the necessary data.
> If I configure strongSwan as described here
> (https://lists.strongswan.org/pipermail/users/2011-May/006231.html, third
> link --> rw-eap-sim-id-radius), no packets are sent to the RADIUS server.
>
> --
> Best regards, Dmitry.
>
> Alan Evans writes:
>
> Hi Dmitry,
>
> I have this working in my setup.
>
> If you send me your ipsec.conf file and log file I will take a quick look.
>
> Set charondebug="ike 3, cfg 3, net 3, knl 3" in the ipsec.conf file so we
> get some debug info.
>
> cheers
> AlanE
>
> 2011/7/5 einstein at smtp.ru <einstein at smtp.ru>
>
>> Hello,
>>
>> Dear developers, please help me.
>> Is it possible to configure strongSwan to work according to the attached
>> diagram?
>> In short: I need to configure authorization for IKEv2 with EAP-SIM
>> against a RADIUS server.
>> I have not been able to do it yet.
>> I capture dumps of each packet exchange and decrypt them using Wireshark.
>> The dumps show that the information request from strongSwan to the client does
>> not occur, and the information from the first IKE_AUTH packet is sent to the
>> RADIUS server.
>> Because the RADIUS server does not receive the necessary data, it returns
>> 'Access-Reject', and in the reply 'IKE_AUTH' packet strongSwan sends
>> 'EAP-FAILURE' and terminates the connection.
>>
>> I will be very grateful for any help.
>>
>> --
>> Best regards, Dmitry.
>>
>>
>> ---------------------------------------------------------------------------------------------------
>>
>> (Russian original, translated:)
>>
>> Hello,
>>
>> Dear developers, please help me figure this out.
>> Is it possible to configure strongSwan so that it works according to the attached
>> diagram?
>> In short: I need to set up IKEv2 with EAP-SIM authorization against a
>> RADIUS server.
>> So far I have not managed to do it.
>> I capture dumps of each packet exchange and decrypt them with
>> Wireshark.
>> The dumps show that no request for information is made to the client, and the
>> information from the first 'IKE_AUTH' packet is sent to the RADIUS server.
>> Since the RADIUS server does not receive the necessary data, it responds with
>> 'Access-Reject', and in the reply 'IKE_AUTH' packet strongSwan sends
>> 'EAP-FAILURE' and terminates the connection.
>>
>> I would be very grateful for any help.
>>
>> --
>> Best regards, Dmitry.
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
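As an added example (not Alan's or Dmitry's configuration, and not one of strongSwan's own test cases verbatim), here is the shape of an ipsec.conf and strongswan.conf pair for an IKEv2 gateway that authenticates roaming clients with EAP-SIM relayed to a RADIUS server. The gateway address, subnet, certificate name, RADIUS address, shared secret and NAS identifier are placeholders. The setting to watch is eap_identity=%identity: with it, charon sends an EAP Identity request to the client (via the eap-identity plugin) before anything goes to RADIUS, instead of forwarding the IKEv2 peer identity taken from the first IKE_AUTH message. nas_identifier is the eap-radius plugin option for the AVP Alan mentions; it is an assumption here that the strongSwan version in use already has this option, so check it against the strongswan.conf documentation of that release. The gateway itself needs no eap-sim plugin because eap-radius passes the EAP exchange through to the RADIUS server.

```conf
# ipsec.conf (added example; addresses, subnet and certificate are placeholders)
config setup
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn rw-eap-sim-radius
        left=83.149.6.20             # gateway address (placeholder)
        leftsubnet=10.0.0.0/24
        leftid=@moon.strongswan.org  # gateway identity (placeholder)
        leftcert=moonCert.pem        # the gateway authenticates with its certificate
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=eap-radius         # client side is authenticated by EAP relayed to RADIUS
        eap_identity=%identity       # ask the client for its EAP identity first
        rightsendcert=never
        auto=add

# strongswan.conf (added example; server, secret and NAS identifier are placeholders)
charon {
        load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
        plugins {
                eap-radius {
                        server = 10.255.2.70
                        secret = <shared secret>
                        port = 1812
                        # NAS-Identifier AVP included in each Access-Request
                        # (assumes a release that supports this option)
                        nas_identifier = vpn-gateway
                }
        }
}
```

With this in place the first RADIUS Access-Request should carry the identity the client returned in its EAP Identity response, which is what an EAP-SIM AAA server keys on to start the SIM/Start exchange; if the capture still shows the IKEv2 identity instead, the eap-identity plugin has not been loaded or eap_identity is not set on the gateway side.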