[strongSwan] Strongswan+RADIUS secret code problem?
Julian Poschmann
julian.poschmann at rwth-aachen.de
Fri Oct 28 23:59:54 CEST 2011
On 28.10.2011 17:31, T Z wrote:
> Hi Julian,
>
> Thanks for the reply. I changed the default eap type to mschapv2
> but the problem persists. Do you mind to post your strongswan.conf
> and ipsec.conf so I can make sure it's not a strongswan but a
> freeradius problem? Thank you.
Below are my configs (I left out the pluto stuff, I'm running other
connections as well).

For installing the CA certificate in Windows 7:
Be sure to exactly follow the wiki (using mmc with the snap-in etc.). At
my first try, I thought "Cool, I can just start the install wizard via
double-clicking the cert file".
Turns out, installing it this way, the cert is only installed for the
current user, which is not sufficient for the Windows IPsec client.
You really have to use mmc to install it for the machine account.
There's a warning about that on the wiki, but you can easily miss
it under the last image.
==== ipsec.conf ====
ca bergland
        cacert=cacert.pem

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        charonstart=yes
        plutostart=yes
        nat_traversal=yes
        plutostderrlog=/var/log/pluto.log
        uniqueids=yes

conn extern
        keyexchange=ikev2
        ike=aes256-sha-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        left=%defaultroute
        leftcert=server.pem
        leftsubnet=10.0.0.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightsourceip=10.0.1.0/27
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%identity
        auto=add
        rekey=no
=======================
=== strongswan.conf ===
charon {
        dns1 = 10.0.0.1

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {
                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
                eap-radius {
                        servers {
                                local {
                                        address = localhost
                                        secret = testing123
                                }
                        }
                }
        }

        filelog {
                /var/log/charon.log {
                        time_format = %b %e %T
                        default = 1
                        flush_line = yes
                }
                stderr {
                        ike = 2
                        knl = 3
                        ike_name = yes
                }
        }

        # ...
}
=======================
--
Julian Poschmann
Josefstr. 126
52080 Aachen-Eilendorf
Telefon: +49 170 3295135
E-Mail: julian.poschmann at rwth-aachen.de
PGP-ID: 0x7D51DD8B
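The thread is about a RADIUS shared-secret problem, and the posted strongswan.conf carries the secret on one side only; the other half lives in FreeRADIUS's clients.conf, and the two are compared by FreeRADIUS using the source address of the Access-Request, not by any name. The script below is an added example for this thread, not code from the post or from the strongSwan or FreeRADIUS projects: it reads both files with a small parser for the brace-delimited format they share, finds the client block FreeRADIUS would select for the strongSwan host (the assumed `nas_address` parameter), and reports a missing client block, a mismatched secret, the FreeRADIUS sample default `testing123` that the post uses, or a secret shorter than the 16 octets RFC 2865 recommends. The two sample configs are constructed to mirror the thread (both daemons on localhost); `parse_braces()` is this example's own simplified reader and handles neither `include` directives nor quoted values.

```python
"""Cross-check the eap-radius shared secret in strongswan.conf against the
client entry FreeRADIUS holds for that NAS in clients.conf.

Added example for the mailing-list thread; not part of strongSwan or
FreeRADIUS. Sample configs below are constructed.
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_braces(text):
    """Parse `name { ... }` sections and `key = value` lines into nested dicts.

    Section names may contain spaces or slashes (`client localhost`,
    `/var/log/charon.log`); `#` starts a comment. Simplified reader, an
    assumption of this example rather than either project's parser.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
            if not stack:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of file")
    return root


def radius_servers(strongswan_conf):
    """Return {name: {address, secret}} for charon.plugins.eap-radius.servers."""
    cfg = parse_braces(strongswan_conf)
    servers = (cfg.get("charon", {}).get("plugins", {})
               .get("eap-radius", {}).get("servers", {}))
    return {name: {"address": s.get("address"), "secret": s.get("secret")}
            for name, s in servers.items()}


def radius_clients(clients_conf):
    """Return {name: {ipaddr, secret}} for every `client X { }` block."""
    cfg = parse_braces(clients_conf)
    return {sec.split(None, 1)[1]: {"ipaddr": body.get("ipaddr"),
                                    "secret": body.get("secret")}
            for sec, body in cfg.items() if sec.startswith("client ")}


def _same_host(a, b):
    """Treat the loopback spellings as one host; otherwise compare literally."""
    return a == b or (a in LOOPBACK and b in LOOPBACK)


def check_secrets(strongswan_conf, clients_conf, nas_address="127.0.0.1"):
    """Return [(server_name, finding)]; an empty list means nothing to fix.

    Findings: no-client, mismatch, default-secret, short-secret.
    nas_address is the strongSwan host as the RADIUS server sees it, since
    FreeRADIUS picks the client block (and so the secret) by source address.
    """
    findings = []
    peers = [c for c in radius_clients(clients_conf).values()
             if _same_host(c["ipaddr"], nas_address)]
    for name, srv in radius_servers(strongswan_conf).items():
        secret = srv["secret"] or ""
        if not peers:
            findings.append((name, "no-client"))
        elif any(c["secret"] != secret for c in peers):
            findings.append((name, "mismatch"))
        if secret == "testing123":      # FreeRADIUS sample default
            findings.append((name, "default-secret"))
        if len(secret) < 16:            # RFC 2865 sec. 3: prefer >= 16 octets
            findings.append((name, "short-secret"))
    return findings


# Constructed samples mirroring the thread: both daemons on localhost.
SAMPLE_STRONGSWAN = """\
charon {
    plugins {
        eap-radius {
            servers {
                local {
                    address = localhost
                    secret = testing123
                }
            }
        }
    }
}
"""

SAMPLE_CLIENTS = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
}
"""

if __name__ == "__main__":
    for server, finding in check_secrets(SAMPLE_STRONGSWAN, SAMPLE_CLIENTS):
        print(f"{server}: {finding}")
```

Run against the thread's values it reports `default-secret` and `short-secret` for server `local`; with a rotated secret it reports `mismatch` only when one side was updated and the other was not, which is the failure mode worth ruling out before looking at EAP types or certificates.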