[strongSwan] trying to configure strongswan to act like a windows7 client

Olivier PELERIN olivier_pelerin at hotmail.com
Mon Jul 11 11:57:19 CEST 2011


Many thanks Andreas, I've re-emerged the package with the proper USE flags on my Gentoo Linux.

EAP is now successful. However, I'm getting the following error message:

Jul 11 11:54:06 ironmaiden charon: 16[ENC] found payload of type SECURITY_ASSOCIATION
Jul 11 11:54:06 ironmaiden charon: 16[ENC] found payload of type TRAFFIC_SELECTOR_INITIATOR
Jul 11 11:54:06 ironmaiden charon: 16[ENC] found payload of type TRAFFIC_SELECTOR_RESPONDER
Jul 11 11:54:06 ironmaiden charon: 16[ENC] parsed IKE_AUTH response 5 [ AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Jul 11 11:54:06 ironmaiden charon: 16[IKE] received SET_WINDOW_SIZE notify
Jul 11 11:54:06 ironmaiden charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED notify
Jul 11 11:54:06 ironmaiden charon: 16[IKE] received NON_FIRST_FRAGMENTS_ALSO notify
Jul 11 11:54:06 ironmaiden charon: 16[IKE] authentication of 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with EAP successful
Jul 11 11:54:06 ironmaiden charon: 16[CFG] constraint check failed: identity 'C=BE, O=CISCO, OU=TAC, CN=10.1.1.254' required 
Jul 11 11:54:06 ironmaiden charon: 16[CFG] selected peer config 'C=BE,O=CISCO,OU=TAC,CN=10.1.1.254' inacceptable
Jul 11 11:54:06 ironmaiden charon: 16[CFG] no alternative config found
Jul 11 11:54:06 ironmaiden charon: 16[KNL] deleting SAD entry with SPI ce5058a0
Jul 11 11:54:06 ironmaiden charon: 16[KNL] deleted SAD entry with SPI ce5058a0
Jul 11 11:54:06 ironmaiden charon: 16[IKE] IKE_SA C=BE,O=CISCO,OU=TAC,CN=10.1.1.254[1] state change: CONNECTING => DESTROYING
Jul 11 11:54:10 ironmaiden charon: 01[JOB] got event, queuing job for execution

Why is my peer config unacceptable?

ironmaiden strongswan_ikev2 # cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        charondebug="ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
        crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=yes
# Add connections here.
conn "C=BE,O=CISCO,OU=TAC,CN=10.1.1.254"
        left=10.1.1.1
        right=10.1.1.254
        keyexchange=ikev2
        ike=3des-sha1-modp1024
        esp=aes-sha1
        leftauth=eap-mschapv2
        leftid=cisco
        rightid="C=BE,O=CISCO,OU=TAC,CN=10.1.1.254"
        eap_identity=cisco
        rightsubnet=0.0.0.0/0
        auto=start
        mobike=no

I've tried various rightids but it never went OK.



> Date: Sun, 10 Jul 2011 21:47:36 +0200
> From: andreas.steffen at strongswan.org
> To: olivier_pelerin at hotmail.com
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] trying to configure strongswan to act like a windows7 client
> 
> Hello Olivier,
> 
> you must enable and load the eap-identity module:
> 
>    ./configure --enable-eap-identity --enable-eap-mschapv2
> 
> After starting strongSwan the command
> 
>    ipsec statusall
> 
> should list the eap-identity and eap-mschapv2 plugins.
> 
> Regards
> 
> Andreas
> 
> On 07/10/2011 01:46 PM, Olivier PELERIN wrote:
> >
> > I'm connecting to a Cisco router which query for the EAP identity
> >
> > The router sends:
> > *Jul 10 11:44:01.237: IKEv2:(SA ID = 1):Building packet for encryption.
> > Payload contents:
> > VID Next payload: IDr, reserved: 0x0, length: 20
> > IDr Next payload: CERT, reserved: 0x0, length: 74
> > Id type: DER ASN1 DN, Reserved: 0x0 0x0
> > CERT Next payload: AUTH, reserved: 0x0, length: 865
> > Cert encoding X.509 Certificate - signature
> > AUTH Next payload: EAP, reserved: 0x0, length: 264
> > Auth method RSA, reserved: 0x0, reserved 0x0
> > EAP Next payload: NONE, reserved: 0x0, length: 10
> > Code: request: id: 59, length: 6
> > Type: identity
> >
> > and I get a NAK from strongSwan
> >
> >
> >
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] authentication of
> > 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with RSA signature successful
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] server requested
> > EAP_IDENTITY, sending 'cisco'
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] EAP_IDENTITY not supported,
> > sending EAP_NAK
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] reinitiating already active tasks
> > Jul 10 13:32:26 ironmaiden charon: 13[IKE] IKE_AUTHENTICATE task
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type
> > EXTENSIBLE_AUTHENTICATION to message
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] added payload of type
> > EXTENSIBLE_AUTHENTICATION to message
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] generating IKE_AUTH request 2
> > [ EAP/RES/NAK ]
> > Jul 10 13:32:26 ironmaiden charon: 13[ENC] insert payload
> > EXTENSIBLE_AUTHENTICATION to encryption payload
> >
> >
> > conn cisco
> > left=10.1.1.1
> > right=10.1.1.254
> > keyexchange=ikev2
> > ike=3des-sha1-modp1024
> > esp=aes-sha1
> > leftauth=eap-mschapv2
> > leftid=10.1.1.1
> > eap_identity=cisco
> > rightsubnet=0.0.0.0/0
> > auto=start
> > mobike=no
> >
> >
> >
> > This config works well with a true Windows 7 client.... Why is EAP-Identity
> > not supported?
> >
> >
> > ------------------------------------------------------------------------
> > From: olivier_pelerin at hotmail.com
> > To: users at lists.strongswan.org
> > Date: Sun, 10 Jul 2011 13:06:11 +0200
> > Subject: Re: [strongSwan] trying to configure strongswan to act like a
> > windows7 client
> >
> > OK, I think I've found it
> >
> > http://www.strongswan.org/uml/testresults/ikev2/rw-eap-mschapv2-id-rsa/index.html
> >
> > Let me play a bit
> >
> >
> >
> > ------------------------------------------------------------------------
> > From: olivier_pelerin at hotmail.com
> > To: users at lists.strongswan.org
> > Subject: trying to configure strongswan to act like a windows7 client
> > Date: Sun, 10 Jul 2011 11:57:57 +0200
> >
> > Hello,
> >
> >
> > I would like to emulate a Windows 7 IKEv2 client by using strongSwan.
> > Does anyone have an idea?
> >
> > Cheers,
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
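The charon log above shows the two identities involved in the failed constraint check: the peer authenticated as 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' (the subject DN as it is encoded in the Cisco router's certificate), while the connection requires 'C=BE, O=CISCO, OU=TAC, CN=10.1.1.254' (the configured rightid). strongSwan matches DN identities RDN by RDN in the order they are written, so a reversed attribute order already fails the check; whether letter case also matters depends on the ASN.1 string type the certificate uses. The following is an added illustration written for this thread, not strongSwan's code and not from the list posts: a simplified model of an ordered DN comparison, run against the two DN strings copied from the log, that reports which of the two differences (order, case) would defeat the match.

```python
"""Simplified model of an ordered X.509 DN identity check.

Added example, not strongSwan source: models how a configured rightid DN
is compared with the subject DN of the peer certificate RDN by RDN, so
that attribute order (and possibly letter case) decides the match.
"""
from typing import List, Tuple

# The two identities taken from the charon log in this thread.
CERT_SUBJECT = "CN=10.1.1.254, OU=TAC, O=Cisco, C=BE"
CONFIGURED_RIGHTID = "C=BE, O=CISCO, OU=TAC, CN=10.1.1.254"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a comma-separated DN string into ordered (type, value) RDNs.

    Only the simple textual form used in ipsec.conf is handled; a
    backslash-escaped comma is kept as part of the attribute value.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        # Attribute types (C, O, OU, CN) are case-insensitive keywords.
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(configured: str, subject: str, ignore_case: bool = False) -> bool:
    """Ordered RDN-by-RDN comparison, as an identity constraint applies it."""
    a, b = parse_dn(configured), parse_dn(subject)
    if len(a) != len(b):
        return False
    for (type_a, val_a), (type_b, val_b) in zip(a, b):
        if type_a != type_b:
            return False  # same position, different attribute: order differs
        if ignore_case:
            if val_a.lower() != val_b.lower():
                return False
        elif val_a != val_b:
            return False
    return True


def explain_mismatch(configured: str, subject: str) -> List[str]:
    """Return the reasons two DNs fail to match: 'order', 'case', 'value'."""
    a, b = parse_dn(configured), parse_dn(subject)
    reasons = []
    if [t for t, _ in a] != [t for t, _ in b]:
        reasons.append("order")
    # Compare the RDN sets independent of order to isolate value problems.
    sorted_a, sorted_b = sorted(a), sorted(b)
    if sorted_a != sorted_b:
        fold = lambda rdns: [(t, v.lower()) for t, v in rdns]
        reasons.append("case" if fold(sorted_a) == fold(sorted_b) else "value")
    return reasons


if __name__ == "__main__":
    print("match:", dn_matches(CONFIGURED_RIGHTID, CERT_SUBJECT))
    print("reasons:", explain_mismatch(CONFIGURED_RIGHTID, CERT_SUBJECT))
    # Writing rightid in the certificate's own RDN order removes the order
    # problem; the remaining difference is only the case of 'Cisco'.
    print("reordered, case kept:",
          dn_matches("CN=10.1.1.254, OU=TAC, O=Cisco, C=BE", CERT_SUBJECT))
```

The practical check this models: copy the subject DN exactly as strongSwan itself prints it (for example from `ipsec listcerts` or the "authentication of '...'" log line) into rightid, rather than retyping it in a different RDN order or case, and the constraint check has nothing left to disagree with.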