[strongSwan] Strongswan+RADIUS secret code problem?

Tony Zhou tonytzhou at gmail.com
Fri Oct 28 14:49:16 CEST 2011


Freeradius log without eap-identity enabled:

rad_recv: Access-Request packet from host 127.0.0.1 port 54333, id=149, length=73
        User-Name = "\254\020J\367"
        EAP-Message = 0x0200000901ac104af7
        NAS-Port-Type = Virtual
        NAS-Identifier = "strongSwan"
        Message-Authenticator = 0x804aa820651189b312713567d5ce2064
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "-?J-", looking up realm NULL
[suffix] No such realm "NULL"

Module list I loaded:
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke
kernel-netlink fips-prf eap-md5 eap-mschapv2 eap-radius updown socket-raw

As indicated before, loading eap-identity would prevent strongSwan from sending
packets to FreeRADIUS.
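The two attributes in the FreeRADIUS log above can be decoded directly, and the shared-secret theory can be tested: this is an added example (not code from strongSwan or FreeRADIUS) that parses the EAP-Message and User-Name from the log and rebuilds the 73-byte Access-Request with its Message-Authenticator. The four User-Name bytes are a raw IPv4 address, which is what one expects when charon reports "EAP-Identity request configured, but not supported" and passes the IKE identity through as the EAP identity; the 16-byte Request Authenticator is not in the log, so the test supplies a constructed one, and the secret used is the placeholder from the thread.

```python
import hashlib
import hmac
import ipaddress
import struct
# Values copied from the FreeRADIUS log: octal-escaped User-Name, hex EAP-Message.
USER_NAME = b"\254\020J\367"
EAP_MESSAGE = bytes.fromhex("0200000901ac104af7")

def decode_eap(msg: bytes) -> dict:
    """Parse an RFC 3748 EAP packet: Code, Identifier, Length, Type, Type-Data."""
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP Length field does not match payload size")
    return {"code": {1: "Request", 2: "Response"}.get(code, code), "id": ident,
            "type": {1: "Identity"}.get(msg[4], msg[4]), "data": msg[5:]}

def identity_as_ipv4(data: bytes) -> str:
    """A 4-byte identity is a raw IKE ID_IPV4_ADDR passed through unchanged."""
    return str(ipaddress.IPv4Address(data))

def attributes(pkt: bytes) -> dict:
    """Walk the RADIUS attribute TLVs after the 20-byte header -> {type: (offset, value)}."""
    out, pos = {}, 20
    while pos + 2 <= len(pkt):
        typ, ln = pkt[pos], pkt[pos + 1]
        out[typ] = (pos, bytes(pkt[pos + 2:pos + ln]))
        pos += ln
    return out

def build_access_request(secret: bytes, authenticator: bytes) -> bytes:
    """Rebuild the 73-byte Access-Request (id=149) from the log and sign it with a
    Message-Authenticator: HMAC-MD5 keyed with the shared secret over the whole
    packet, the attribute value zeroed (RFC 2869).  The 16-byte Request
    Authenticator is not in the log, so the caller supplies a constructed one."""
    attrs = (bytes([1, 6]) + USER_NAME                    # User-Name
             + bytes([79, 11]) + EAP_MESSAGE              # EAP-Message
             + bytes([61, 6]) + struct.pack("!I", 5)      # NAS-Port-Type = Virtual
             + bytes([32, 12]) + b"strongSwan"            # NAS-Identifier
             + bytes([80, 18]) + bytes(16))               # Message-Authenticator
    pkt = bytearray(struct.pack("!BBH", 1, 149, 20 + len(attrs)) + authenticator + attrs)
    off = attributes(pkt)[80][0] + 2
    pkt[off:off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """A wrong shared secret fails here; it never scrambles User-Name on the wire."""
    off = attributes(pkt)[80][0] + 2
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[off:off + 16])
```

A secret mismatch shows up in FreeRADIUS as a Message-Authenticator failure, not as an unreadable User-Name, which is why changing the secret left the "gibberish" unchanged.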

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Friday, October 28, 2011 1:47 AM
To: T Z
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan+RADIUS secret code problem?

Hello,

did you enable EAP Identity?

   ./configure ... --enable-eap-identity

Regards

Andreas

On 10/28/2011 06:37 AM, T Z wrote:
> Hi all,
>
> I'm using Strongswan 4.5.2 (from Debian squeeze-backports) and 
> Freeradius 2.1.0 (from Debian stable) to construct an IKEv2 VPN for my 
> clients. It seems that Strongswan is connected with Freeradius, but 
> client connection just fails. Testing with Windows 7 IKEv2 client, it 
> prompts "Error 13801: IKE authentication credentials are unacceptable."
>
> Here's the log:
>
> /var/log/syslog:
> Oct 28 13:31:06 vpn charon: 08[NET] received packet: from client.ip.address[500] to server.ip.address[500]
> Oct 28 13:31:06 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an IKE_SA
> Oct 28 13:31:06 vpn charon: 08[IKE] remote host is behind NAT
> Oct 28 13:31:06 vpn charon: 08[IKE] sending cert request for "C=CH, O=TonyVPN, CN=TonyVPN CA"
> Oct 28 13:31:06 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 28 13:31:06 vpn charon: 08[NET] sending packet: from server.ip.address[500] to client.ip.address[500]
> Oct 28 13:31:07 vpn charon: 10[NET] received packet: from client.ip.address[4500] to server.ip.address[4500]
> Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP4_SERVER
> Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP6_SERVER
> Oct 28 13:31:07 vpn charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Oct 28 13:31:07 vpn charon: 10[IKE] received 32 cert requests for an unknown ca
> Oct 28 13:31:07 vpn charon: 10[CFG] looking for peer configs matching server.ip.address[%any]...client.ip.address[client.nat.ip.address]
> Oct 28 13:31:07 vpn charon: 10[CFG] selected peer config 'L2TP-PSK-NAT'
> Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config inacceptable
> Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'
> Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, but not supported
> Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to server 'vpnserver'
> Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge from server 'vpnserver'
> Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)
> Oct 28 13:31:07 vpn charon: 10[IKE] peer supports MOBIKE
> Oct 28 13:31:07 vpn charon: 10[IKE] authentication of 'C=CH, O=VPN, CN=server.ip.address' (myself) with RSA signature successful
> Oct 28 13:31:07 vpn charon: 10[IKE] sending end entity cert "C=CH, O=VPN, CN=server.ip.address"
> Oct 28 13:31:07 vpn charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]
> Oct 28 13:31:07 vpn charon: 10[NET] sending packet: from server.ip.address[4500] to client.ip.address[4500]
> Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after timeout
>
> /var/log/auth.log:
> Oct 28 13:31:06 japanvpn charon: 08[IKE] client.ip.address is 
> initiating an IKE_SA
>
> /etc/ipsec.conf:
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     auto=add
>     left=server.ip.address
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=serverCert.pem
>     right=%any
>     rightsourceip=192.168.104.0/0
>     rightauth=eap-radius
>     rightsendcert=never
>     eap_identity=%any
>
> /etc/strongswan.conf:
> eap-radius {
>     servers {
>         vpnserver {
>             secret = somesecret
>             address = 127.0.0.1
>         }
>     }
> }
>
> By setting FreeRADIUS to debug mode I found that the user name 
> Strongswan passed to FreeRADIUS was incorrect (some gibberish), so I 
> guess it's a secret code problem but I'm 100% sure the secret code is 
> correct. Also I've tried changing it to some other string like 123456 
> but Strongswan passes the username as the same gibberish as before, 
> thus I don't think it's a secret code problem.
>
> Any suggestions/advice would be appreciated.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications University of Applied
Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==