[strongSwan] unable to connect to strongSwan IKEv2 using eap-radius based authentication

yordanos beyene yordanosb at gmail.com
Tue Jun 12 01:23:38 CEST 2012


Thank you Kemmo for the tips.

I scaled down my configurated to use eap-mschapv2 authentication instead of
eap-radius.

After I initiated a vpn connection from Win7,  security associations are
established for both directions : 172.16.50.10 (windows7 IP
address)  <-> 172.16.30.2(vpn gateway IP address) . I also have securiy
policy added (172.16.80.1<->0.0.0.0/0) where 172.16.80.1 is the Win7
machine tunnel IP which is dynamically  assigned from the configured IP
pool.

My current  problem is ping requests from Win7 to a protected linux host
(172,16.40.10)  behind the VPN server fails. The ping requests reach
the host and ping replies from the host reach the vpn gateway but don't get
to the Win7 client.

 Do I need to install firewall policy? The following security policy is
dynsmicslly added.

I have the following SP automatically added to the SPD.
 172.16.80.1[any] 0.0.0.0/0[any] any
        in priority=1680 index=0x80000180 ipsec
        esp/tunnel/172.16.50.10-172.16.30.2/unique:20
        created: Jun 12 06:50:56 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=0x80000180 seq=1 pid=4876
        refcnt=2
        vrfid=0 linkvrfid=0
0.0.0.0/0[any] 172.16.80.1[any] any
        out priority=2000 index=0x80000179 ipsec
        esp/tunnel/172.16.30.2-172.16.50.10/unique:20
        created: Jun 12 06:50:56 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=0x80000179 seq=2 pid=4876
        refcnt=2
        vrfid=0 linkvrfid=0

Below is ping messages from two VPN server interface - tunnel interface and
internal interface.

Here is ping packet capture from  vpn server tunnel interface (Win7 packets
are routed to this iinterface) .
06:33:05.676371 (FP) IP 172.16.50.10 > 172.16.30.2:
ESP(spi=0xccd10f1f,seq=0x4f)
06:33:09.466764 (FP) IP 172.16.50.10 > 172.16.30.2:
ESP(spi=0xccd10f1f,seq=0x50)
06:33:11.104529 (FP) IP 172.16.50.10 > 172.16.30.2:
ESP(spi=0xccd10f1f,seq=0x51)

Below is ping packet capture from vpn server internal interface ( directly
connected to the linux host - 172.16.40.10). Internal host responds to
Win7 ping request but response doesn't reach Win7 machine. VPN server fails
to apply esp and send to Win7 - 172.16.50.10.


06:29:39.484332 IP 172.16.80.1 > 172.16.40.10: icmp 40: echo request seq 375
06:29:39.484425 IP 172.16.40.10 > 172.16.80.1: icmp 40: echo reply seq 375
06:29:39.484437 IP 172.16.40.2 > 172.16.40.10: icmp 68: net 172.16.80.1
unreachable
06:29:44.491581 IP 172.16.80.1 > 172.16.40.10: icmp 40: echo request seq 376
06:29:44.491666 (FP) IP 172.16.40.10 > 172.16.80.1: icmp 40: echo reply seq
376
06:29:44.491668 IP 172.16.40.10 > 172.16.80.1: icmp 40: echo reply seq 376
06:29:44.491682 IP 172.16.40.2 > 172.16.40.10: icmp 68: net 172.16.80.1
unreachable

 I am also perplexed why port 4500 is used instead of 500 during IKE
exchange. See vpn server logs and configuration  below. I am not behind NAT.

Here is  ipsec.conf and strongswan log.

ipsec.conf:

conn %default
        auto=route
        keyexchange=ikev2
        keyingtries=1
conn myvpn~mypolicy
        vpn=myvpn
        left=172.16.30.2
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=zeus at ares.cer
        leftid=@zeus.test.net
        right=%any
        rightsourceip=172.16.80.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add
vpn server log:
Jun 12 06:14:23 router CHARON-INFO: 12[ENC] parsed INFORMATIONAL response 1
[ ]
Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted
Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted
Jun 12 06:14:23 router CHARON-INFO: 12[LIB] releasing address to pool
'myvpn~mypolicy' failed
Jun 12 06:14:23 router CHARON-INFO: 15[CFG] received stroke: delete
connection 'myvpn~mypolicy'
Jun 12 06:14:23 router CHARON-INFO: 15[CFG] deleted connection
'myvpn~mypolicy'
Jun 12 06:14:23 router CHARON-INFO: 09[CFG] received stroke: add connection
'myvpn~mypolicy'
Jun 12 06:14:23 router CHARON-INFO: 09[CFG]   loaded certificate "C=US,
ST=MYSTATE, O=MYORG, OU=MYGROUP, CN=zeus.test.net, E=zeus at test.net" from
'zeus at ares.cer'
Jun 12 06:14:23 router CHARON-INFO: 09[CFG] added configuration
'myvpn~mypolicy'
Jun 12 06:14:23 router CHARON-INFO: 09[CFG] adding virtual IP address pool
'myvpn~mypolicy': 172.16.80.0/24
Jun 12 06:15:24 router CHARON-INFO: 13[NET] received packet: from [500] to
[500]
Jun 12 06:15:24 router CHARON-INFO: 13[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an
IKE_SA
Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an
IKE_SA
Jun 12 06:15:24 router CHARON-INFO: 13[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 12 06:15:24 router CHARON-INFO: 13[NET] sending packet: from [500] to
[500]
Jun 12 06:15:24 router CHARON-INFO: 15[NET] received packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 15[ENC] unknown attribute type
INTERNAL_IP4_SERVER
Jun 12 06:15:24 router CHARON-INFO: 15[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
"C=US, ST=CA, L=Roseville, O=HP, OU=SPG, CN=ares.hp.com, E=ares at hp.com"
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
c0:7a:98:68:8d:89:fb:ab:05:64:0c:11:7d:aa:7d:65:b8:ca:cc:4e
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
4a:81:0c:de:f0:c0:90:0f:19:06:42:31:35:a2:a2:8d:d3:44:fd:08
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
f0:17:62:13:55:3d:b3:ff:0a:00:6b:fb:50:84:97:f3:ed:62:d0:1a
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
42:32:b6:16:fa:04:fd:fe:5d:4b:7a:c3:fd:f7:4c:40:1d:5a:43:af
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
be:a8:a0:74:72:50:6b:44:b7:c9:23:d8:fb:a8:ff:b3:57:6b:68:6c
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
fb:61:40:61:b4:8a:bc:eb:56:1d:64:16:1f:ab:6d:f3:f7:ae:45:a5
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
83:31:7e:62:85:42:53:d6:d7:78:31:90:ec:91:90:56:e9:91:b9:e3
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
53:32:d1:b3:cf:7f:fa:e0:f1:a0:5d:85:4e:92:d2:9e:45:1d:b4:4f
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
00:ad:d9:a3:f6:79:f6:6e:74:a9:7f:33:3d:81:17:d7:4c:cf:33:de
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
a8:48:b4:24:2f:c6:ea:24:a0:d7:8e:3c:b9:3c:5c:78:d7:98:33:e4
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
a1:72:5f:26:1b:28:98:43:95:5d:07:37:d5:85:96:9d:4b:d2:c3:45
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for
unknown ca with keyid
4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
Jun 12 06:15:24 router CHARON-INFO: 15[CFG] looking for peer configs
matching 172.16.30.2[%any]...172.16.50.10[172.16.50.10]
Jun 12 06:15:24 router CHARON-INFO: 15[CFG] selected peer config
'myvpn~mypolicy'
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] initiating EAP-Identity request
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] peer supports MOBIKE
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] authentication of 'zeus.test.net'
(myself) with RSA signature successful
Jun 12 06:15:24 router CHARON-INFO: 15[IKE] sending end entity cert "C=US,
ST=CA, O=MYORG, OU=SPG, CN=zeus.test.net, E=zeus at test.net"
Jun 12 06:15:24 router CHARON-INFO: 15[ENC] generating IKE_AUTH response 1
[ IDr CERT AUTH EAP/REQ/ID ]
Jun 12 06:15:24 router CHARON-INFO: 15[NET] sending packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 12[NET] received packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 12[ENC] parsed IKE_AUTH request 2 [
EAP/RES/ID ]
Jun 12 06:15:24 router CHARON-INFO: 12[IKE] received EAP identity 'jordan'
Jun 12 06:15:24 router CHARON-INFO: 12[IKE] initiating EAP_MSCHAPV2 method
Jun 12 06:15:24 router CHARON-INFO: 12[ENC] generating IKE_AUTH response 2
[ EAP/REQ/MSCHAPV2 ]
Jun 12 06:15:24 router CHARON-INFO: 12[NET] sending packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 16[NET] received packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 16[ENC] parsed IKE_AUTH request 3 [
EAP/RES/MSCHAPV2 ]
Jun 12 06:15:24 router CHARON-INFO: 16[ENC] generating IKE_AUTH response 3
[ EAP/REQ/MSCHAPV2 ]
Jun 12 06:15:24 router CHARON-INFO: 16[NET] sending packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 09[NET] received packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 09[ENC] parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]
Jun 12 06:15:24 router CHARON-INFO: 09[IKE] EAP method EAP_MSCHAPV2
succeeded, MSK established
Jun 12 06:15:24 router CHARON-INFO: 09[ENC] generating IKE_AUTH response 4
[ EAP/SUCC ]
Jun 12 06:15:24 router CHARON-INFO: 09[NET] sending packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 08[NET] received packet: from [4500] to
[4500]
Jun 12 06:15:24 router CHARON-INFO: 08[ENC] parsed IKE_AUTH request 5 [
AUTH ]
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of
'172.16.50.10' with EAP successful
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of 'zeus.test.net'
(myself) with EAP
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9]
established between 172.16.30.2[zeus.test.net]...172.16.50.10[172.16.50.10]
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9]
established between 172.16.30.2[zeus.test.net]...172.16.50.10[172.16.50.10]
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] scheduling reauthentication in
10137s
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] maximum IKE_SA lifetime 10677s
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] peer requested virtual IP
(vr*)%any
Jun 12 06:15:24 router CHARON-INFO: 08[CFG] assigning new lease to 'jordan'
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] assigning virtual IP
172.16.80.1 to peer
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13}
established with SPIs c120b985_i 65d20505_o and TS 0.0.0.0/0 ===
172.16.80.1/32
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13}
established with SPIs c120b985_i 65d20505_o and TS 0.0.0.0/0 ===
172.16.80.1/32
Jun 12 06:15:24 router CHARON-INFO: 08[ENC] generating IKE_AUTH response 5
[ AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) ]
Jun 12 06:15:24 router CHARON-INFO: 08[NET] sending packet: from [4500] to
[4500]

I appreciate any help.

Thanks!

Jordan.
On Mon, Jun 11, 2012 at 12:01 AM, Kimmo Koivisto <koippa at gmail.com> wrote:

> 2012/6/11 yordanos beyene <yordanosb at gmail.com>:
> > Hi Everyone,
> Hello
>
> >
> > I am having difficulties connectiong to strongSwan IKEv2 using eap-radius
> > from a windows7 Agile VPN client. Below are my vpn server, windows7,
> radius
> > configuration and error messages. I have followed the strongSwan windows7
> > certificate requirements and tried for a couple of days different
> > recommendations from the strongswam mailing archive but I couldn't make
> it
> > to work. I really appreciate any help.
>
> If I would be you, I would first make the connection work with
> eap-mschapv2 and rule out the problems with certificates.
>
> This is my configuration from working eap-mschapv2 connection:
>
> conn win7
>    rekey=no
>    left=%any
>    leftsubnet=0.0.0.0/0
>    leftauth=pubkey
>    leftcert=mycert.crt
>    leftid=@cert-cn
>    right=%any
>    rightsourceip=192.168.2.0/25
>    rightauth=eap-mschapv2
>    rightsendcert=never
>    eap_identity=%any
>    auto=add
>
>
> >
> > conn myvpn~mypolicy
> >         vpn=myvpn
> >         mobike=no
>
> I would enable mobike, that is quite important for me, changing
> interface from WLAN to 3G etc works nice.
>
> >         left=172.16.30.2
> >         leftsubnet=172.26.40.0/24
>
> Split tunneling is not possibe, thus you can narrow traffic selector
> to your subnet. I'm negotiating 0.0.0.0/0 so I can surf internet with
> the connection
>
> > =============================
> >  #Windows 7 Agile vpn client
> >
> > Type of VPN : IKEv2
> > Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2
> > X509 machine certificate and CA certificate installed , and verified as
> > valid
>
> With mschapv2, client machine certificate is not needed, server is
> authenticated using server certificate, client authenticates with EAP.
>
> > Added the following configuration to the windows 7 hosts file
> >
> >             172.16.30.2    zeus.test.net
> > ( 172.16.30.2 refers to the vpn gateway interface, and zeus.test.net is
> the
> > vpn gateway certificate CN and subject alt name).====
>
> Did you configure you VPN connection using the zeus.test.net? I know,
> stupid thing to ask but just to verify that problem is not there.
>
> > when I started the Windows 7 Agile vpn connection,  the following error
> > message shows on the vpn gateway and windows7 :
> > #Windows7 error message
> >
> > starts "Verifying user name and password and displays
> > Error:13801: IKE  authentication credentials are unacceptable
> > =============================
>
> When you authenticate using eap-mschapv2 and username/password
> authentication fails, Windows shows window with message "Re-enter your
> user name and password. Windows could not connect using ...."
> Error 13801 means problem in certificates, at least in mschapv2.
>
> If you already have client certificate installed, you can also try
> using the selection "use machine certificate" and try without EAP,
> that verifies that certificates are okay.
>
> In that case, this is my working configuration for it:
>
>
> conn %default
>       keyingtries=3
>       keyexchange=ikev2
>       ike=aes256-sha1-modp1024!
>       esp=aes256-sha1!
>       dpdaction=clear
>       dpddelay=30s
>       rekey=no
>
> conn win7certs
>        authby=rsasig
>        left=my-public-ip
>        leftsubnet=0.0.0.0/0
>        leftcert=mycert.crt
>        leftid=@cert-cn
>        right=%any
>        rightsourceip=192.168.3.0/24
>        auto=add
>
>
> Regards,
> Kimmo
>
> >
> > No user authentication request send to the radius server.
> >
> > Thank you!
> >
> > Jordan.
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120611/92eae49e/attachment.html>


More information about the Users mailing list