[strongSwan] Strongswan+RADIUS secret code problem?

T Z ttzforj at hotmail.com
Fri Oct 28 06:37:44 CEST 2011


Hi all,

I'm using Strongswan 4.5.2 (from Debian squeeze-backports) and Freeradius 2.1.0 (from Debian stable) to construct an IKEv2 VPN for my clients. It seems that Strongswan is connected with Freeradius, but the client connection just fails. Testing with the Windows 7 IKEv2 client, it prompts "Error 13801: IKE authentication credentials are unacceptable."

Here's the log:

/var/log/syslog:
Oct 28 13:31:06 vpn charon: 08[NET] received packet: from client.ip.address[500] to server.ip.address[500]
Oct 28 13:31:06 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an IKE_SA
Oct 28 13:31:06 vpn charon: 08[IKE] remote host is behind NAT
Oct 28 13:31:06 vpn charon: 08[IKE] sending cert request for "C=CH, O=TonyVPN, CN=TonyVPN CA"
Oct 28 13:31:06 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 28 13:31:06 vpn charon: 08[NET] sending packet: from server.ip.address[500] to client.ip.address[500]
Oct 28 13:31:07 vpn charon: 10[NET] received packet: from client.ip.address[4500] to server.ip.address[4500]
Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP4_SERVER
Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP6_SERVER
Oct 28 13:31:07 vpn charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Oct 28 13:31:07 vpn charon: 10[IKE] received 32 cert requests for an unknown ca
Oct 28 13:31:07 vpn charon: 10[CFG] looking for peer configs matching server.ip.address[%any]...client.ip.address[client.nat.ip.address]
Oct 28 13:31:07 vpn charon: 10[CFG] selected peer config 'L2TP-PSK-NAT'
Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config inacceptable
Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'
Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, but not supported
Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to server 'vpnserver'
Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge from server 'vpnserver'
Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)
Oct 28 13:31:07 vpn charon: 10[IKE] peer supports MOBIKE
Oct 28 13:31:07 vpn charon: 10[IKE] authentication of 'C=CH, O=VPN, CN=server.ip.address' (myself) with RSA signature successful
Oct 28 13:31:07 vpn charon: 10[IKE] sending end entity cert "C=CH, O=VPN, CN=server.ip.address"
Oct 28 13:31:07 vpn charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]
Oct 28 13:31:07 vpn charon: 10[NET] sending packet: from server.ip.address[4500] to client.ip.address[4500]
Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after timeout

/var/log/auth.log:
Oct 28 13:31:06 japanvpn charon: 08[IKE] client.ip.address is initiating an IKE_SA

/etc/ipsec.conf:
conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add
        left=server.ip.address
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=serverCert.pem
        right=%any
        rightsourceip=192.168.104.0/0
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%any

/etc/strongswan.conf:
                eap-radius {
                        servers {
                                vpnserver {
                                        secret = somesecret
                                        address = 127.0.0.1
                                }
                        }
                }

By setting FreeRADIUS to debug mode I found that the user name Strongswan passed to FreeRADIUS was incorrect (some gibberish), so I guessed it was a secret code problem, but I'm 100% sure the secret code is correct. Also, I've tried changing it to some other string like 123456, but Strongswan passes the username as the same gibberish as before, thus I don't think it's a secret code problem.

Any suggestions/advice would be appreciated.
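For anyone debugging a report like this, here is an added example (not code from the original post, and not part of the strongSwan or FreeRADIUS projects): a minimal RFC 2865 client in Python that builds an Access-Request with a PAP User-Password and checks the Response Authenticator on the reply. It makes visible where the shared secret actually enters the protocol: User-Name is carried in the clear, and the secret is only mixed into the User-Password obfuscation and into the MD5 authenticator of the server's reply. A wrong secret therefore shows up as a reply that fails verification (or a reject), never as a garbled user name on the server side. The server address 127.0.0.1, the secret `somesecret`, the user `tony`, and the `build_reply` stand-in for the server (used so the check runs offline) are assumptions for illustration; strongSwan's eap-radius plugin itself sends EAP-Message attributes rather than User-Password, so this is a direct check of the secret, not a replay of what charon sends.

```python
"""Minimal RADIUS (RFC 2865) Access-Request builder and reply verifier.

Added example for checking a RADIUS shared secret independently of charon.
Not code from the strongSwan or FreeRADIUS projects.
"""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous cipher block), the first block with the Request Authenticator.
    This is the only place the secret touches the request."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attributes(attrs) -> bytes:
    """attrs is a list of (type, value) pairs; each AVP is Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attributes(packet: bytes):
    """Return the (type, value) pairs that follow the 20-byte RADIUS header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, secret, username, password, request_auth, nas_ip="127.0.0.1"):
    """Header (Code, Identifier, Length) + Request Authenticator + attributes.
    Note that User-Name goes out in the clear."""
    attrs = encode_attributes([
        (USER_NAME, username),
        (USER_PASSWORD, encode_user_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(packet, request_auth, secret) -> bool:
    """True only if the reply matches our request and was built with the same secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Constructed stand-in for the server side, so verify_response can be exercised offline."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def check_secret(server, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP; returns (reply code, authenticator_ok).
    authenticator_ok is False whenever the server's secret differs from ours."""
    request_auth, ident = os.urandom(16), os.urandom(1)[0]
    pkt = build_access_request(ident, secret, username, password, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        reply, _ = s.recvfrom(4096)
    return reply[0], verify_response(reply, request_auth, secret)


if __name__ == "__main__":
    # Assumed values: a local FreeRADIUS with client 127.0.0.1 and secret "somesecret".
    print(check_secret("127.0.0.1", b"somesecret", b"tony", b"password"))
```

Run against the local FreeRADIUS with the secret from strongswan.conf: an Access-Accept or Access-Reject whose authenticator verifies means the secret matches and the user name arrived as sent; a reply that fails `verify_response` (or no reply at all, since FreeRADIUS silently drops requests it cannot authenticate) points at the secret or the `clients.conf` entry, while a reject with a verified authenticator points at the user database. Either way, FreeRADIUS's debug output will print the User-Name exactly as the client put it on the wire, so a garbled name there comes from the NAS, not from the secret.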