[strongSwan] Strongswan+RADIUS secret code problem?

T Z ttzforj at hotmail.com
Fri Oct 28 14:51:00 CEST 2011




I found it's weird that if I have eap-identity loaded, strongswan would not send authentication requests to freeradius.

Freeradius log without eap-identity enabled:

rad_recv: Access-Request packet from host 127.0.0.1 port 54333, id=149, length=73
        User-Name = "\254\020J\367"
        EAP-Message = 0x0200000901ac104af7
        NAS-Port-Type = Virtual
        NAS-Identifier = "strongSwan"
        Message-Authenticator = 0x804aa820651189b312713567d5ce2064
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "▒?J▒", looking up realm NULL
[suffix] No such realm "NULL"


Module list I loaded:

load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink fips-prf eap-md5 eap-mschapv2 eap-radius updown socket-raw


> Date: Fri, 28 Oct 2011 07:46:42 +0200
> From: andreas.steffen at strongswan.org
> To: ttzforj at hotmail.com
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan+RADIUS secret code problem?
> 
> Hello,
> 
> did you enable EAP Identity?
> 
>    ./configure ... --enable-eap-identity
> 
> Regards
> 
> Andreas
> 
> On 10/28/2011 06:37 AM, T Z wrote:
> > Hi all,
> >
> > I'm using Strongswan 4.5.2 (from Debian squeeze-backports) and
> > Freeradius 2.1.0 (from Debian stable) to construct an IKEv2 VPN for my
> > clients. It seems that Strongswan is connected with Freeradius, but
> > client connection just fails. Testing with Windows 7 IKEv2 client, it
> > prompts "Error 13801: IKE authentication credentials are unacceptable."
> >
> > Here's the log:
> >
> > /var/log/syslog:
> > Oct 28 13:31:06 vpn charon: 08[NET] received packet: from
> > client.ip.address[500] to server.ip.address[500]
> > Oct 28 13:31:06 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> > No N(NATD_S_IP) N(NATD_D_IP) ]
> > Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an
> > IKE_SA
> > Oct 28 13:31:06 vpn charon: 08[IKE] remote host is behind NAT
> > Oct 28 13:31:06 vpn charon: 08[IKE] sending cert request for "C=CH,
> > O=TonyVPN, CN=TonyVPN CA"
> > Oct 28 13:31:06 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [
> > SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> > Oct 28 13:31:06 vpn charon: 08[NET] sending packet: from
> > server.ip.address[500] to client.ip.address[500]
> > Oct 28 13:31:07 vpn charon: 10[NET] received packet: from
> > client.ip.address[4500] to server.ip.address[4500]
> > Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type
> > INTERNAL_IP4_SERVER
> > Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type
> > INTERNAL_IP6_SERVER
> > Oct 28 13:31:07 vpn charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi
> > CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> > Oct 28 13:31:07 vpn charon: 10[IKE] received 32 cert requests for an
> > unknown ca
> > Oct 28 13:31:07 vpn charon: 10[CFG] looking for peer configs matching
> > server.ip.address[%any]...client.ip.address[client.nat.ip.address]
> > Oct 28 13:31:07 vpn charon: 10[CFG] selected peer config 'L2TP-PSK-NAT'
> > Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config inacceptable
> > Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'
> > Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, but
> > not supported
> > Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to
> > server 'vpnserver'
> > Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge
> > from server 'vpnserver'
> > Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)
> > Oct 28 13:31:07 vpn charon: 10[IKE] peer supports MOBIKE
> > Oct 28 13:31:07 vpn charon: 10[IKE] authentication of 'C=CH, O=VPN,
> > CN=server.ip.address' (myself) with RSA signature successful
> > Oct 28 13:31:07 vpn charon: 10[IKE] sending end entity cert "C=CH,
> > O=VPN, CN=server.ip.address"
> > Oct 28 13:31:07 vpn charon: 10[ENC] generating IKE_AUTH response 1 [ IDr
> > CERT AUTH EAP/REQ/MD5 ]
> > Oct 28 13:31:07 vpn charon: 10[NET] sending packet: from
> > server.ip.address[4500] to client.ip.address[4500]
> > Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after timeout
> >
> > /var/log/auth.log:
> > Oct 28 13:31:06 japanvpn charon: 08[IKE] client.ip.address is initiating
> > an IKE_SA
> >
> > /etc/ipsec.conf:
> > conn IPSec-IKEv2
> > keyexchange=ikev2
> > auto=add
> > left=server.ip.address
> > leftsubnet=0.0.0.0/0
> > leftauth=pubkey
> > leftcert=serverCert.pem
> > right=%any
> > rightsourceip=192.168.104.0/0
> > rightauth=eap-radius
> > rightsendcert=never
> > eap_identity=%any
> >
> > /etc/strongswan.conf:
> > eap-radius {
> > servers {
> > vpnserver {
> > secret = somesecret
> > address = 127.0.0.1
> > }
> > }
> > }
> >
> > By setting FreeRADIUS to debug mode I found that the user name
> > Strongswan passed to FreeRADIUS was incorrect (some gibberish), so I
> > guess it's a secret code problem but I'm 100% sure the secret code is
> > correct. Also I've tried changing it to some other string like 123456
> > but Strongswan passes the username as the same gibberish as before, thus
> > I don't think it's a secret code problem.
> >
> > Any suggestions/advices would be appreciated.
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
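The two FreeRADIUS attributes quoted at the top of the thread carry the same bytes twice, and decoding them explains the "gibberish" user name. The script below is an added example for this thread, not code from the original mail or from the strongSwan or FreeRADIUS projects. It parses the quoted EAP-Message as an EAP packet (RFC 3748 header, then Type and data), reverses FreeRADIUS's octal-escape rendering of User-Name, checks that the two agree, and classifies the identity payload. The sample values are the ones quoted in the thread; the interpretation that four non-printable identity octets are an IPv4 IKE identity passed through unchanged (because no EAP-Identity exchange took place, matching the "EAP-Identity request configured, but not supported" log line) is an assumption made here.

```python
import ipaddress
import struct

# Constructed test input: the two FreeRADIUS debug attributes quoted in the
# thread. Both are renderings of the same EAP Identity response.
EAP_MESSAGE_HEX = "0200000901ac104af7"
USER_NAME_ESCAPED = r"\254\020J\367"

# RFC 3748 section 4 Code values and the Type values common in EAP-RADIUS setups.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 26: "MS-CHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet: 1-octet Code, 1-octet Identifier, 2-octet Length,
    then (for Request/Response only) a Type octet and the type-specific data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} does not match {len(packet)} octets on the wire")
    fields = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": identifier, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response is missing its Type octet")
        fields["type"] = EAP_TYPES.get(packet[4], f"unknown({packet[4]})")
        fields["data"] = packet[5:]
    return fields


def unescape_radius_string(text: str) -> bytes:
    """Reverse FreeRADIUS's debug rendering of a string attribute, which prints
    non-printable octets as three-digit octal escapes such as \\254 (assumed ASCII input)."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 4 <= len(text) and all(c in "01234567" for c in text[i + 1:i + 4]):
            out.append(int(text[i + 1:i + 4], 8))   # octal escape -> one octet
            i += 4
        elif text[i] == "\\" and i + 1 < len(text):
            out.append(ord(text[i + 1]))            # escaped literal such as \" or \\
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def describe_identity(data: bytes) -> str:
    """Classify an EAP Identity payload. Printable text is an ordinary user name;
    exactly 4 or 16 non-printable octets look like an IKEv2 ID_IPV4_ADDR /
    ID_IPV6_ADDR identity handed to RADIUS unchanged (assumption, see lead-in)."""
    if data and all(32 <= b < 127 for b in data):
        return f"user name {data.decode('ascii')!r}"
    if len(data) == 4:
        return f"raw IPv4 address {ipaddress.IPv4Address(data)} (not a user name)"
    if len(data) == 16:
        return f"raw IPv6 address {ipaddress.IPv6Address(data)} (not a user name)"
    return f"opaque bytes {data.hex()}"


def diagnose(eap_message_hex: str, user_name_escaped: str) -> dict:
    """Cross-check EAP-Message against User-Name and summarise what the NAS sent."""
    eap = parse_eap(bytes.fromhex(eap_message_hex))
    user_name = unescape_radius_string(user_name_escaped)
    if eap.get("type") != "Identity":
        raise ValueError("first EAP-Message of an Access-Request should be an Identity response")
    return {
        "eap": eap,
        "user_name_matches_identity": user_name == eap["data"],
        "identity": describe_identity(eap["data"]),
    }


if __name__ == "__main__":
    report = diagnose(EAP_MESSAGE_HEX, USER_NAME_ESCAPED)
    print(f"EAP {report['eap']['code']} id={report['eap']['id']} type={report['eap']['type']}")
    print(f"User-Name equals EAP identity: {report['user_name_matches_identity']}")
    print(f"Identity: {report['identity']}")
```

Run against the quoted attributes this reports an EAP Response, id 0, type Identity whose data is the four octets ac 10 4a f7, i.e. the address 172.16.74.247, and confirms User-Name is the same four octets. A RADIUS server that expects a user name in User-Name will never match such an identity against its user database, which is the failure visible in the "[suffix] No '@' in User-Name" lines; the shared secret is not involved, since a wrong secret would show up as a Message-Authenticator failure rather than a decodable but odd identity.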