[strongSwan] Strongswan+RADIUS secret code problem?

Alexandre Chapellon a.chapellon at horoa.net
Fri Oct 28 08:17:48 CEST 2011


running freeradius debug with freeradius -X will certainly give you much 
more information about why auth fails.
My two cents is a compatibility problem of windows certificates.

Regards.

On 28/10/2011 06:37, T Z wrote:
> Hi all,
>
> I'm using Strongswan 4.5.2 (from Debian squeeze-backports) and 
> Freeradius 2.1.0 (from Debian stable) to construct an IKEv2 VPN for my 
> clients. It seems that Strongswan is connected with Freeradius, but 
> client connection just fails. Testing with Windows 7 IKEv2 client, it 
> prompts "Error 13801: IKE authentication credentials are unacceptable."
>
> Here's the log:
>
> /var/log/syslog:
> Oct 28 13:31:06 vpn charon: 08[NET] received packet: from 
> client.ip.address[500] to server.ip.address[500]
> Oct 28 13:31:06 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA 
> KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an 
> IKE_SA
> Oct 28 13:31:06 vpn charon: 08[IKE] remote host is behind NAT
> Oct 28 13:31:06 vpn charon: 08[IKE] sending cert request for "C=CH, 
> O=TonyVPN, CN=TonyVPN CA"
> Oct 28 13:31:06 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 28 13:31:06 vpn charon: 08[NET] sending packet: from 
> server.ip.address[500] to client.ip.address[500]
> Oct 28 13:31:07 vpn charon: 10[NET] received packet: from 
> client.ip.address[4500] to server.ip.address[4500]
> Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type 
> INTERNAL_IP4_SERVER
> Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type 
> INTERNAL_IP6_SERVER
> Oct 28 13:31:07 vpn charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi 
> CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Oct 28 13:31:07 vpn charon: 10[IKE] received 32 cert requests for an 
> unknown ca
> Oct 28 13:31:07 vpn charon: 10[CFG] looking for peer configs matching 
> server.ip.address[%any]...client.ip.address[client.nat.ip.address]
> Oct 28 13:31:07 vpn charon: 10[CFG] selected peer config 'L2TP-PSK-NAT'
> Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config 
> inacceptable
> Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'
> Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, 
> but not supported
> Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to 
> server 'vpnserver'
> Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge 
> from server 'vpnserver'
> Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)
> Oct 28 13:31:07 vpn charon: 10[IKE] peer supports MOBIKE
> Oct 28 13:31:07 vpn charon: 10[IKE] authentication of 'C=CH, O=VPN, 
> CN=server.ip.address' (myself) with RSA signature successful
> Oct 28 13:31:07 vpn charon: 10[IKE] sending end entity cert "C=CH, 
> O=VPN, CN=server.ip.address"
> Oct 28 13:31:07 vpn charon: 10[ENC] generating IKE_AUTH response 1 [ 
> IDr CERT AUTH EAP/REQ/MD5 ]
> Oct 28 13:31:07 vpn charon: 10[NET] sending packet: from 
> server.ip.address[4500] to client.ip.address[4500]
> Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after 
> timeout
>
> /var/log/auth.log:
> Oct 28 13:31:06 japanvpn charon: 08[IKE] client.ip.address is 
> initiating an IKE_SA
>
> /etc/ipsec.conf:
> conn IPSec-IKEv2
>         keyexchange=ikev2
>         auto=add
>         left=server.ip.address
>         leftsubnet=0.0.0.0/0
>         leftauth=pubkey
>         leftcert=serverCert.pem
>         right=%any
>         rightsourceip=192.168.104.0/0
>         rightauth=eap-radius
>         rightsendcert=never
>         eap_identity=%any
>
> /etc/strongswan.conf:
>                 eap-radius {
>                         servers {
>                                 vpnserver {
>                                         secret = somesecret
>                                         address = 127.0.0.1
>                                 }
>                         }
>                 }
>
> By setting FreeRADIUS to debug mode I found that the user name 
> Strongswan passed to FreeRADIUS was incorrect (some gibberish), so I 
> guess it's a secret code problem but I'm 100% sure the secret code is 
> correct. Also I've tried changing it to some other string like 123456 
> but Strongswan passes the username as the same gibberish as before, 
> thus I don't think it's a secret code problem.
>
> Any suggestions/advice would be appreciated.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-- 
<http://www.horoa.net>

Alexandre Chapellon

Open source systems and network engineering.
Follow me on twitter: @alxgomz <http://www.twitter.com/alxgomz>
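The RADIUS detail behind T Z's reasoning about the shared secret, as an added example in Python (not code from the thread or from strongSwan): in an Access-Request the User-Name attribute is sent in cleartext, and the secret only keys the Message-Authenticator HMAC (RFC 2869/3579), so a secret mismatch shows up in freeradius -X as a failed authenticator, not as a garbled username. The identity "tony" and the EAP-Response/Identity payload are constructed sample values; the secrets are the ones quoted in the thread.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                      # RADIUS code
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # attribute types


def attr(atype, value):
    """Encode one RADIUS attribute: type, length (incl. header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, identity, eap_payload, ident=0):
    """Build an Access-Request carrying User-Name, EAP-Message and a
    Message-Authenticator computed as HMAC-MD5(secret, packet with the
    authenticator value zeroed), as an EAP-capable NAS must send it."""
    request_authenticator = os.urandom(16)      # random for Access-Request
    attrs = (attr(USER_NAME, identity)
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, last
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                   # fill the placeholder


def parse_attrs(packet):
    """Walk the attribute list; needs no secret, so User-Name is always
    readable regardless of which secret the server has configured."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        out.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return out


def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the value zeroed in place."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            received = packet[pos + 2:pos + alen]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


# Constructed EAP-Response/Identity: code 2, id 1, length 9, type 1, "tony"
SAMPLE_EAP = b"\x02\x01\x00\x09\x01tony"
```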