[strongSwan] rightgroups is not working with IKEv1

yordanos beyene yordanosb at gmail.com
Thu Jul 26 02:59:45 CEST 2012


Hi SS team,

I am having difficulty getting strongSwan to select the right IKEv1
configuration based on the group attributes returned from the RADIUS server. I am
using "rightgroups" to define the group in ipsec.conf; RADIUS uses Filter-Id
to return the group, and the Tunnel-Type attribute is set to ESP.

SS returns "constraint check failed: group membership required".

When I comment out "rightgroups", the tunnel gets installed irrespective of the
Filter-Id attribute returned from RADIUS.

IKEv2 works fine in a similar setup.

I am using SS 5.0.0.

I have my configuration and log below.

Please let me know if there is a problem with my configuration or whether this is
an IKEv1 bug.

I appreciate any help.

Jordan.

==============
#ipsec.conf
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3


conn rw1
        keyexchange=ikev1
        left=172.16.20.1
        leftcert=zeus2.pem
        leftid=@zeus.test.net
        leftauth=pubkey
        leftsubnet=172.16.50.0/24
        right=%any
        rightgroups="group1"
        rightsourceip=192.16.80.10/24
        rightauth=pubkey
        rightauth2=xauth-eap
        auto=add

conn rw2
        keyexchange=ikev1
        left=172.16.20.1
        leftcert=zeus2.pem
        leftid=@zeus.test.net
        leftauth=pubkey
        leftsubnet=172.16.60.0/24
        right=%any
        rightsourceip=192.16.90.10/24
        rightgroups="group2"
        rightauth=pubkey
        rightauth2=xauth-eap
        auto=add

====vpn log=====
Jul 24 08:25:29 13[IKE] 172.16.60.10 is initiating a Main Mode IKE_SA
Jul 24 08:25:29 13[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 24 08:25:29 13[NET] sending packet: from 172.16.20.1[500] to 172.16.60.10[500]
Jul 24 08:25:29 14[NET] received packet: from 172.16.60.10[500] to 172.16.20.1[500]
Jul 24 08:25:29 14[ENC] parsed ID_PROT request 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 24 08:25:29 14[IKE] ignoring certificate request without data
Jul 24 08:25:29 14[IKE] sending cert request for "C=US, ST=CA, L=SAC, O=UC, OU=EDU, CN=ares.test.net, E=ares at test.net"
Jul 24 08:25:29 14[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Jul 24 08:25:29 14[NET] sending packet: from 172.16.20.1[500] to 172.16.60.10[500]
Jul 24 08:25:30 16[NET] received packet: from 172.16.60.10[500] to 172.16.20.1[500]
Jul 24 08:25:30 16[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
Jul 24 08:25:30 16[IKE] received end entity cert "C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net"
Jul 24 08:25:30 16[CFG] looking for XAuthInitRSA peer configs matching 172.16.20.1...172.16.60.10[C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net]
Jul 24 08:25:30 16[CFG] *selected peer config "rw1"*
Jul 24 08:25:30 16[CFG]   using certificate "C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net"
Jul 24 08:25:30 16[CFG]   using trusted ca certificate "C=US, ST=CA, L=SAC, O=UC, OU=EDU, CN=ares.test.com, E=ares at test.net"
Jul 24 08:25:30 16[CFG] checking certificate status of "C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net"
Jul 24 08:25:30 16[CFG] certificate status is not available
Jul 24 08:25:30 16[CFG]   reached self-signed root ca with a path length of 0
Jul 24 08:25:30 16[IKE] authentication of 'C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net' with RSA successful
Jul 24 08:25:30 16[CFG] *constraint check failed: group membership required*
Jul 24 08:25:30 16[CFG] *switching to peer config 'rw1-ikev1-rep'*
Jul 24 08:25:30 16[CFG]   using certificate "C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net"
Jul 24 08:25:30 16[CFG]   using trusted ca certificate "C=US, ST=CA, L=SAC, O=UC, OU=EDU, CN=ares.test.net, E=ares at test.net"
Jul 24 08:25:30 16[CFG] checking certificate status of "C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net"
Jul 24 08:25:30 16[CFG] certificate status is not available
Jul 24 08:25:30 16[CFG]   reached self-signed root ca with a path length of 0
Jul 24 08:25:30 16[IKE] authentication of 'C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net' with RSA successful
Jul 24 08:25:30 16[CFG] *constraint check failed: group membership required*
Jul 24 08:25:30 16[CFG] no alternative config found
Jul 24 08:25:30 16[ENC] generating INFORMATIONAL_V1 request 735498134 [ HASH N(AUTH_FAILED) ]
Jul 24 08:25:30 16[NET] sending packet: from 172.16.20.1[500] to 172.16.60.10[500]
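The log above shows the pattern an operator has to spot when a rightgroups constraint rejects a peer: a peer-config lookup, one or more "selected"/"switching to" config lines, a "constraint check failed: group membership required" after each successful RSA authentication, and finally "no alternative config found" followed by an AUTH_FAILED notify. The script below is an added example, not strongSwan code and not part of this post, that parses charon log lines in that format and reports, per lookup, which configs were tried, how many group-constraint failures occurred and how the attempt ended. The first sample attempt is condensed from the log in this post (emphasis asterisks and line wrapping removed); the second attempt, for a peer 172.16.60.11 matching config "rw2", is constructed to show the success path. Correlating lines by worker thread number is a simplification that holds for a short log excerpt like this one; charon reuses thread numbers across connections.

```python
"""Scan strongSwan charon log lines for IKE authentication attempts rejected by
the 'group membership required' constraint (rightgroups).  Added example, not
strongSwan code; the sample log below is condensed from the mailing-list post
(first attempt) plus a constructed successful attempt (second)."""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Jul 24 08:25:29 13[IKE] 172.16.60.10 is initiating a Main Mode IKE_SA
Jul 24 08:25:30 16[CFG] looking for XAuthInitRSA peer configs matching 172.16.20.1...172.16.60.10[C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net]
Jul 24 08:25:30 16[CFG] selected peer config "rw1"
Jul 24 08:25:30 16[IKE] authentication of 'C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net' with RSA successful
Jul 24 08:25:30 16[CFG] constraint check failed: group membership required
Jul 24 08:25:30 16[CFG] switching to peer config 'rw1-ikev1-rep'
Jul 24 08:25:30 16[IKE] authentication of 'C=US, ST=CA, O=UC, OU=EDU, CN=hera.test.net, E=hera at test.net' with RSA successful
Jul 24 08:25:30 16[CFG] constraint check failed: group membership required
Jul 24 08:25:30 16[CFG] no alternative config found
Jul 24 08:25:30 16[ENC] generating INFORMATIONAL_V1 request 735498134 [ HASH N(AUTH_FAILED) ]
Jul 24 08:31:02 17[CFG] looking for XAuthInitRSA peer configs matching 172.16.20.1...172.16.60.11[C=US, ST=CA, O=UC, OU=EDU, CN=athena.test.net, E=athena at test.net]
Jul 24 08:31:02 17[CFG] selected peer config "rw2"
Jul 24 08:31:02 17[IKE] authentication of 'C=US, ST=CA, O=UC, OU=EDU, CN=athena.test.net, E=athena at test.net' with RSA successful
Jul 24 08:31:03 17[IKE] IKE_SA rw2[2] established between 172.16.20.1[zeus.test.net]...172.16.60.11[C=US, ST=CA, O=UC, OU=EDU, CN=athena.test.net, E=athena at test.net]
"""

# charon line layout: "<Mon DD HH:MM:SS> <thread>[<SUBSYS>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$")
# "looking for <method> peer configs matching <me>...<peer>[<peer identity>]"
LOOKUP_RE = re.compile(
    r"looking for (?P<method>\S+) peer configs matching (?P<me>\S+?)\.\.\.(?P<peer>\S+?)\[")
# config names are logged with double quotes on select and single quotes on switch
CONFIG_RE = re.compile(r"(?:selected|switching to) peer config ['\"](?P<name>[^'\"]+)['\"]")
GROUP_FAIL = "constraint check failed: group membership required"


def parse_line(line):
    """Split one charon log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return one record per peer-config lookup, in the order each attempt ended.

    Lines are correlated by worker thread number, which is adequate for a short
    excerpt but not for a long log where charon reuses thread numbers."""
    open_attempts = OrderedDict()   # thread -> record still in progress
    finished = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        thread, msg = f["thread"], f["msg"].strip()
        lk = LOOKUP_RE.search(msg)
        if lk:
            # a new lookup on this thread starts a fresh record
            open_attempts[thread] = {
                "first_seen": f["ts"], "peer": lk["peer"], "auth_method": lk["method"],
                "configs": [], "group_failures": 0, "outcome": "pending",
            }
            continue
        rec = open_attempts.get(thread)
        if rec is None:
            continue                # line not tied to a lookup we are tracking
        cm = CONFIG_RE.search(msg)
        if cm:
            rec["configs"].append(cm["name"])
        elif msg == GROUP_FAIL:
            rec["group_failures"] += 1
        elif msg == "no alternative config found" or "N(AUTH_FAILED)" in msg:
            rec["outcome"] = "auth_failed"
            finished.append(open_attempts.pop(thread))
        elif " established between " in msg:
            rec["outcome"] = "established"
            finished.append(open_attempts.pop(thread))
    finished.extend(open_attempts.values())   # lookups with no recorded end
    return finished


def report(records):
    """One human-readable line per attempt, for a quick operator summary."""
    return [
        "%s peer %s tried %s -> %s (group-constraint failures: %d)" % (
            r["first_seen"], r["peer"], ", ".join(r["configs"]) or "(none)",
            r["outcome"], r["group_failures"])
        for r in records
    ]


if __name__ == "__main__":
    for line in report(analyse(SAMPLE_LOG)):
        print(line)
```

Run on the sample, the first report line names peer 172.16.60.10, the configs rw1 and rw1-ikev1-rep, the auth_failed outcome and two group-constraint failures, which is exactly the sequence in the post; the second line shows the constructed peer reaching "established" with zero failures. Feeding the script a real charon log (`journalctl -u strongswan` or the syslog file charon writes to) makes peers repeatedly rejected on group membership easy to distinguish from ordinary certificate or XAuth failures.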