[strongSwan] unable to connect to strongSwan IKEv2 using eap-radius based authentication
Kimmo Koivisto
koippa at gmail.com
Mon Jun 11 09:01:20 CEST 2012
2012/6/11 yordanos beyene <yordanosb at gmail.com>:
> Hi Everyone,
Hello
>
> I am having difficulties connectiong to strongSwan IKEv2 using eap-radius
> from a windows7 Agile VPN client. Below are my vpn server, windows7, radius
> configuration and error messages. I have followed the strongSwan windows7
> certificate requirements and tried for a couple of days different
> recommendations from the strongswam mailing archive but I couldn't make it
> to work. I really appreciate any help.
If I would be you, I would first make the connection work with
eap-mschapv2 and rule out the problems with certificates.
This is my configuration from working eap-mschapv2 connection:
conn win7
rekey=no
left=%any
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=mycert.crt
leftid=@cert-cn
right=%any
rightsourceip=192.168.2.0/25
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add
>
> conn myvpn~mypolicy
> vpn=myvpn
> mobike=no
I would enable mobike, that is quite important for me, changing
interface from WLAN to 3G etc works nice.
> left=172.16.30.2
> leftsubnet=172.26.40.0/24
Split tunneling is not possibe, thus you can narrow traffic selector
to your subnet. I'm negotiating 0.0.0.0/0 so I can surf internet with
the connection
> =============================
> #Windows 7 Agile vpn client
>
> Type of VPN : IKEv2
> Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2
> X509 machine certificate and CA certificate installed , and verified as
> valid
With mschapv2, client machine certificate is not needed, server is
authenticated using server certificate, client authenticates with EAP.
> Added the following configuration to the windows 7 hosts file
>
> 172.16.30.2 zeus.test.net
> ( 172.16.30.2 refers to the vpn gateway interface, and zeus.test.net is the
> vpn gateway certificate CN and subject alt name).====
Did you configure you VPN connection using the zeus.test.net? I know,
stupid thing to ask but just to verify that problem is not there.
> when I started the Windows 7 Agile vpn connection, the following error
> message shows on the vpn gateway and windows7 :
> #Windows7 error message
>
> starts "Verifying user name and password and displays
> Error:13801: IKE authentication credentials are unacceptable
> =============================
When you authenticate using eap-mschapv2 and username/password
authentication fails, Windows shows window with message "Re-enter your
user name and password. Windows could not connect using ...."
Error 13801 means problem in certificates, at least in mschapv2.
If you already have client certificate installed, you can also try
using the selection "use machine certificate" and try without EAP,
that verifies that certificates are okay.
In that case, this is my working configuration for it:
conn %default
keyingtries=3
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=30s
rekey=no
conn win7certs
authby=rsasig
left=my-public-ip
leftsubnet=0.0.0.0/0
leftcert=mycert.crt
leftid=@cert-cn
right=%any
rightsourceip=192.168.3.0/24
auto=add
Regards,
Kimmo
>
> No user authentication request send to the radius server.
>
> Thank you!
>
> Jordan.
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list