[strongSwan] unable to connect to strongSwan IKEv2 using eap-radius based authentication

yordanos beyene yordanosb at gmail.com
Mon Jun 11 02:09:04 CEST 2012


Hi Everyone,

I am having difficulties connecting to strongSwan IKEv2 using eap-radius
from a Windows 7 Agile VPN client. Below are my VPN server, Windows 7 and RADIUS
configuration and the error messages. I have followed the strongSwan Windows 7
certificate requirements and tried for a couple of days different
recommendations from the strongSwan mailing archive, but I couldn't make it
work. I really appreciate any help.

=======================
#vpn server configuration
config setup
        charonstart=yes
        plutostart=no
conn myvpn~mypolicy
        vpn=myvpn
        mobike=no
        left=172.16.30.2
        leftsubnet=172.26.40.0/24
        leftid=@zeus.test.net
        leftcert=zeus at ares.cer
        leftauth=pubkey
        ike=3des-sha1-modp1024!
        esp=3des-sha1-modp1024!
        keyexchange=ikev2
        ikelifetime=8h
        keylife=1h
        right=%any
        rightsendcert=never
        rightsourceip=172.16.80.0/24
        rightauth=eap-radius
        eap_identity=%identity
        auto=add
========================
Note:

   - zeus at ares.cert is the VPN server certificate file name
   - "zeus.test.net" is the VPN server certificate CN.
   - The VPN server X.509 certificate meets the Windows 7 requirements. Below
   are the subject alt name and extended key usage values from the server
   certificate:

            X509v3 Subject Alternative Name:
                DNS:zeus.tes.net
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication

   - eap-radius, eap-md5, and eap-identity plugins are loaded on the
   strongswan vpn server.

#strongswan.conf contains the eap-radius configuration

charon {
  plugins {
    eap-radius {
        # server myradius
        server = XX.XXX.XXX.XX
        secret = testing123
        nas-id = mynas
    }
  }
}
 =============================

#I am using FreeRADIUS for eap-radius authentication. FreeRadius is
configured as follows:

 /etc/raddb/clients.conf
client XX.XXX.0.0/16 {
secret = testing123
shortname= my-private-network
nastype     = mynas
...
}

# /etc/raddb/eap.conf
eap{
default_eap_type= md5
md5 {
}
}
# /etc/raddb/users
carol Cleartext-Password := "testtest"
=============================
 #Windows 7 Agile vpn client

   - Type of VPN : IKEv2
   - Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2
   - X509 machine certificate and CA certificate installed , and verified
   as valid
   - Added the following configuration to the windows 7 hosts file

            172.16.30.2    zeus.test.net
( 172.16.30.2 refers to the VPN gateway interface, and zeus.test.net is the
VPN gateway certificate CN and subject alt name).

When I start the Windows 7 Agile VPN connection, the following error
messages show on the VPN gateway and on Windows 7:

#strongswan vpn gateway error messages

Jun 11 07:08:07 router CHARON-INFO: 10[NET] received packet: from [500] to [500]
Jun 11 07:08:07 router CHARON-INFO: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 11 07:08:07 router CHARON-INFO: 10[IKE] 172.16.50.10 is initiating an IKE_SA
Jun 11 07:08:07 router CHARON-INFO: 10[IKE] 172.16.50.10 is initiating an IKE_SA
Jun 11 07:08:07 router CHARON-INFO: 10[IKE] sending cert request for "C=US, ST=MYSTATE, L=MYCITY, O=MYORG, OU=MYUNIT, CN=ares.test.net, E=ares at test.net"
Jun 11 07:08:07 router CHARON-INFO: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 11 07:08:07 router CHARON-INFO: 10[NET] sending packet: from [500] to [500]
Jun 11 07:08:07 router CHARON-INFO: 13[NET] received packet: from [4500] to [4500]
Jun 11 07:08:07 router CHARON-INFO: 13[ENC] unknown attribute type INTERNAL_IP4_SERVER
Jun 11 07:08:07 router CHARON-INFO: 13[ENC] unknown attribute type INTERNAL_IP6_SERVER
Jun 11 07:08:07 router CHARON-INFO: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] received cert request for "C=US, ST=CA, L=MYCITY, O=MYORG, OU=MYUNIT, CN=ares.test.net, E=ares at test.net"
Jun 11 07:08:07 router CHARON-INFO: 13[CFG] looking for peer configs matching 172.16.30.2[%any]...172.16.50.10[172.16.50.10]
Jun 11 07:08:07 router CHARON-INFO: 13[CFG] selected peer config 'myvpn~mypolicy'
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] initiating EAP-Identity request
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] peer supports MOBIKE, but disabled in config
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] authentication of 'C=US, ST=MYSTATE, O=MYORG, OU=SPG, CN=zeus.test.net, E=zeus at test.net' (myself) with RSA signature successful
Jun 11 07:08:07 router CHARON-INFO: 13[IKE] sending end entity cert "C=US, ST=MYSTATE, O=MYORG, OU=SPG, CN=zeus.test.net, E=zeus at test.net"

=================
#Windows 7 error message

It starts with "Verifying user name and password" and then displays:
Error 13801: IKE authentication credentials are unacceptable
=============================

No user authentication request is sent to the RADIUS server.

Thank you!

Jordan.
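As an added troubleshooting aid (not part of the post and not strongSwan code), the script below walks a charon log like the one above and reports which IKEv2/EAP stage was reached before the client gave up; the sample log is an abridged copy of the one in the post, and the two markers for the EAP identity reply and the outgoing RADIUS request are assumed wording for a working exchange, not lines from this log.

```python
# Constructed sample: an abridged, unwrapped copy of the charon log from the post.
SAMPLE_LOG = """\
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[IKE] sending cert request for "C=US, O=MYORG, CN=ares.test.net"
13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97
13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed
13[IKE] received cert request for "C=US, O=MYORG, CN=ares.test.net"
13[CFG] selected peer config 'myvpn~mypolicy'
13[IKE] initiating EAP-Identity request
13[IKE] authentication of 'CN=zeus.test.net' (myself) with RSA signature successful
13[IKE] sending end entity cert "CN=zeus.test.net"
"""

# Stage markers. The first four occur verbatim in the post; the last two are the
# messages a working EAP-RADIUS exchange would log next (assumed wording).
MARKERS = {
    "ike_auth_request": "parsed IKE_AUTH request",
    "peer_config_selected": "selected peer config",
    "eap_identity_sent": "initiating EAP-Identity request",
    "gateway_cert_sent": "sending end entity cert",
    "eap_identity_received": "received EAP identity",
    "radius_request_sent": "sending RADIUS Access-Request",
}


def triage_charon_log(text):
    """Return the stages reached plus a verdict naming the next thing to check."""
    lines = text.splitlines()
    stages = {name: any(m in ln for ln in lines) for name, m in MARKERS.items()}
    # CERTREQs from the client: 'unknown ca' entries are the client's other trust
    # anchors; a quoted DN means the client asked for a CA the gateway also knows.
    stages["unknown_ca_requests"] = sum("cert request for unknown ca" in ln for ln in lines)
    stages["known_ca_requests"] = sum('received cert request for "' in ln for ln in lines)
    if not stages["ike_auth_request"]:
        verdict = "IKE_SA_INIT never completed: check ike= proposals and UDP 500/4500 reachability"
    elif not stages["peer_config_selected"]:
        verdict = "no conn matched: check left/right addresses and leftid"
    elif stages["eap_identity_sent"] and not stages["eap_identity_received"]:
        verdict = ("client dropped the SA after the gateway's AUTH: check the gateway cert "
                   "(SAN equals the name the client dials, EKU serverAuth, CA trusted on the client)")
    elif not stages["radius_request_sent"]:
        verdict = "EAP identity answered but no RADIUS request: check the eap-radius plugin config"
    else:
        verdict = "RADIUS exchange started: continue in the FreeRADIUS log"
    stages["verdict"] = verdict
    return stages
```

Run it with `triage_charon_log(open("/var/log/charon.log").read())["verdict"]` on a real log; for the log in the post it reports that the client dropped the SA right after the gateway's AUTH, i.e. before any EAP identity or RADIUS traffic could happen.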