[strongSwan] unable to connect to strongSwan IKEv2 using eap-radius based authentication

Kimmo Koivisto koippa at gmail.com
Mon Jun 11 09:01:20 CEST 2012


2012/6/11 yordanos beyene <yordanosb at gmail.com>:
> Hi Everyone,
Hello

>
> I am having difficulties connecting to strongSwan IKEv2 using eap-radius
> from a windows7 Agile VPN client. Below are my vpn server, windows7, radius
> configuration and error messages. I have followed the strongSwan windows7
> certificate requirements and tried for a couple of days different
> recommendations from the strongSwan mailing archive but I couldn't make it
> to work. I really appreciate any help.

If I were you, I would first make the connection work with
eap-mschapv2 and rule out the problems with certificates.

This is my configuration from working eap-mschapv2 connection:

conn win7
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=mycert.crt
    leftid=@cert-cn
    right=%any
    rightsourceip=192.168.2.0/25
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add


>
> conn myvpn~mypolicy
>         vpn=myvpn
>         mobike=no

I would enable mobike; that is quite important for me, as changing
interfaces from WLAN to 3G etc. works nicely.

>         left=172.16.30.2
>         leftsubnet=172.26.40.0/24

Split tunneling is not possible, thus you can narrow the traffic selector
to your subnet. I'm negotiating 0.0.0.0/0 so I can surf the internet with
the connection.

> =============================
>  #Windows 7 Agile vpn client
>
> Type of VPN : IKEv2
> Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2
> X509 machine certificate and CA certificate installed , and verified as
> valid

With mschapv2, a client machine certificate is not needed; the server is
authenticated using the server certificate, and the client authenticates with EAP.

> Added the following configuration to the windows 7 hosts file
>
>             172.16.30.2    zeus.test.net
> (172.16.30.2 refers to the vpn gateway interface, and zeus.test.net is the
> vpn gateway certificate CN and subject alt name).

Did you configure your VPN connection using zeus.test.net? I know,
stupid thing to ask, but just to verify that the problem is not there.

> When I started the Windows 7 Agile vpn connection, the following error
> message shows on the vpn gateway and windows7:
> #Windows7 error message
>
> starts "Verifying user name and password" and displays
> Error 13801: IKE authentication credentials are unacceptable
> =============================

When you authenticate using eap-mschapv2 and username/password
authentication fails, Windows shows a window with the message "Re-enter your
user name and password. Windows could not connect using ...."
Error 13801 means a problem in certificates, at least in mschapv2.

If you already have client certificate installed, you can also try
using the selection "use machine certificate" and try without EAP,
that verifies that certificates are okay.

In that case, this is my working configuration for it:


conn %default
       keyingtries=3
       keyexchange=ikev2
       ike=aes256-sha1-modp1024!
       esp=aes256-sha1!
       dpdaction=clear
       dpddelay=30s
       rekey=no

conn win7certs
        authby=rsasig
        left=my-public-ip
        leftsubnet=0.0.0.0/0
        leftcert=mycert.crt
        leftid=@cert-cn
        right=%any
        rightsourceip=192.168.3.0/24
        auto=add


Regards,
Kimmo

>
> No user authentication request send to the radius server.
>
> Thank you!
>
> Jordan.
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
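An added example, not code from this thread or from the strongSwan project: a small Python linter that parses ipsec.conf conn blocks (folding in conn %default) and flags the settings discussed above for the Windows 7 IKEv2 client (keyexchange, mobike, leftid versus the gateway name the client connects to, eap_identity, rightsendcert). The sample configuration and the use of zeus.test.net as the expected leftid are constructed from the thread.

```python
import re

# Constructed sample condensed from the conn blocks quoted in this thread
# ('mypolicy' mirrors the poster's settings, 'win7' the working eap-mschapv2 conn).
SAMPLE_CONF = """conn %default
       keyexchange=ikev2

conn mypolicy
        mobike=no
        rightauth=eap-radius

conn win7
    leftid=@zeus.test.net
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}, with 'conn %default' folded into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}

def check_win7_eap(conn, gateway_fqdn):
    """Flag the settings this thread singles out for the Windows 7 IKEv2 client."""
    findings = []
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange=ikev2 not set")
    if conn.get("mobike", "yes") == "no":                  # strongSwan default is yes
        findings.append("mobike=no: switching WLAN<->3G will break the tunnel")
    if conn.get("leftid", "").lstrip("@") != gateway_fqdn:
        findings.append("leftid does not match the gateway name in the certificate "
                        "(Error 13801 usually points at certificate/identity problems)")
    if conn.get("rightauth", "").startswith("eap-"):
        if conn.get("eap_identity") != "%any":
            findings.append("eap_identity=%any missing")
        if conn.get("rightsendcert") != "never":
            findings.append("rightsendcert=never recommended: EAP client sends no certificate")
    return findings
```

Running `check_win7_eap(parse_ipsec_conf(SAMPLE_CONF)["mypolicy"], "zeus.test.net")` lists the four differences from the working conn, while the `win7` conn comes back clean.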
