[strongSwan] unable to connect to strongSwan IKEv2 using eap-radius based authentication

Kimmo Koivisto koippa at gmail.com
Tue Jun 12 07:04:56 CEST 2012


2012/6/12 yordanos beyene <yordanosb at gmail.com>:
> Thank you Kemmo for the tips.

Hello Yordanos

>
> I scaled down my configuration to use eap-mschapv2 authentication instead of
> eap-radius.

Did you use an IP address or a DNS name in your VPN connection?

> My current problem is that ping requests from Win7 to a protected linux host
> (172.16.40.10) behind the VPN server fail. The ping requests reach
> the host and ping replies from the host reach the vpn gateway but don't get
> to the Win7 client.
>
> Do I need to install a firewall policy? The following security policy is
> dynamically added.

Depends on your environment, but a firewall is not mandatory. Just
remember to route the address pool back to strongSwan and NAT the
traffic going out.

>
> Below is ping packet capture from vpn server internal interface ( directly
> connected to the linux host - 172.16.40.10). Internal host responds to
> Win7 ping request but response doesn't reach Win7 machine. VPN server fails
> to apply esp and send to Win7 - 172.16.50.10.

Is ip_forwarding enabled?
Do you see routing table 220, and is there any content?

> I am also perplexed why port 4500 is used instead of 500 during IKE
> exchange. See vpn server logs and configuration  below. I am not behind NAT.

MOBIKE (RFC 4555) specifies:
"To simplify things, implementations that support both this specification
and NAT Traversal MUST change to port 4500 if the correspondent also
supports both, even if no NAT was detected between them"


Regards,
Kimmo
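The three gateway-side checks Kimmo raises above (ip_forward, routing table 220, NAT for the address pool), written up as an added shell example that is not part of the thread; the pool comes from the quoted ipsec.conf, while the interface names, next hop and sample command output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the gateway-side checks Kimmo asks
# about (ip_forward, routing table 220, NAT for the pool) as functions that
# take command output as text, so they run on live output or on the
# constructed samples at the bottom.
POOL="172.16.80.0/24"              # rightsourceip from the quoted ipsec.conf
POOL_RE='^172\.16\.80\.[0-9]+ '    # a host route to one lease from that pool

# Forwarding must be on, or decrypted client packets never reach the inner host.
check_ip_forward() {               # $1 = contents of /proc/sys/net/ipv4/ip_forward
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# charon installs a route for each peer's traffic selector (here the assigned
# 172.16.80.x/32) in table 220; an empty table is what Kimmo is asking about.
check_table220() {                 # $1 = output of `ip route show table 220`
    printf '%s\n' "$1" | grep -Eq "$POOL_RE"
}

# "NAT the traffic going out": a POSTROUTING SNAT/MASQUERADE rule for the pool,
# so hosts with no route back to 172.16.80.0/24 reply to a gateway address.
check_pool_nat() {                 # $1 = output of `iptables -t nat -S POSTROUTING`
    printf '%s\n' "$1" | grep -F -- "-s $POOL " | grep -Eq -- '-j (MASQUERADE|SNAT)'
}

report() {                         # $1 = label, $2 = check function, $3 = input
    if "$2" "$3"; then echo "OK       $1"; else echo "MISSING  $1"; fi
}

# Constructed sample output standing in for the three commands on the gateway
# (interface names and the next hop are made up). For live use, feed
# `cat /proc/sys/net/ipv4/ip_forward`, `ip route show table 220` and
# `iptables -t nat -S POSTROUTING` instead.
SAMPLE_FWD="1"
SAMPLE_T220="172.16.80.1 via 172.16.30.1 dev eth0 proto static src 172.16.30.2"
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.16.80.0/24 -o eth1 -j MASQUERADE"

report "net.ipv4.ip_forward = 1"       check_ip_forward "$SAMPLE_FWD"
report "pool route in table 220"       check_table220   "$SAMPLE_T220"
report "POSTROUTING NAT for the pool"  check_pool_nat   "$SAMPLE_NAT"
```

The route-back check from the same reply belongs on the inner host (172.16.40.10), whose route to 172.16.80.0/24 must point at the VPN gateway, so it is not covered here.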

>
> Here is  ipsec.conf and strongswan log.
>
> ipsec.conf:
>
> conn %default
>         auto=route
>         keyexchange=ikev2
>         keyingtries=1
> conn myvpn~mypolicy
>         vpn=myvpn
>         left=172.16.30.2
>         leftsubnet=0.0.0.0/0
>         leftauth=pubkey
>         leftcert=zeus at ares.cer
>         leftid=@zeus.test.net
>         right=%any
>         rightsourceip=172.16.80.0/24
>         rightauth=eap-mschapv2
>         rightsendcert=never
>         eap_identity=%any
>         auto=add
> vpn server log:
> Jun 12 06:14:23 router CHARON-INFO: 12[ENC] parsed INFORMATIONAL response 1
> [ ]
> Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted
> Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted
> Jun 12 06:14:23 router CHARON-INFO: 12[LIB] releasing address to pool
> 'myvpn~mypolicy' failed
> Jun 12 06:14:23 router CHARON-INFO: 15[CFG] received stroke: delete
> connection 'myvpn~mypolicy'
> Jun 12 06:14:23 router CHARON-INFO: 15[CFG] deleted connection
> 'myvpn~mypolicy'
> Jun 12 06:14:23 router CHARON-INFO: 09[CFG] received stroke: add connection
> 'myvpn~mypolicy'
> Jun 12 06:14:23 router CHARON-INFO: 09[CFG]   loaded certificate "C=US,
> ST=MYSTATE, O=MYORG, OU=MYGROUP, CN=zeus.test.net, E=zeus at test.net" from
> 'zeus at ares.cer'
> Jun 12 06:14:23 router CHARON-INFO: 09[CFG] added configuration
> 'myvpn~mypolicy'
> Jun 12 06:14:23 router CHARON-INFO: 09[CFG] adding virtual IP address pool
> 'myvpn~mypolicy': 172.16.80.0/24
> Jun 12 06:15:24 router CHARON-INFO: 13[NET] received packet: from [500] to
> [500]
> Jun 12 06:15:24 router CHARON-INFO: 13[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an
> IKE_SA
> Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an
> IKE_SA
> Jun 12 06:15:24 router CHARON-INFO: 13[ENC] generating IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jun 12 06:15:24 router CHARON-INFO: 13[NET] sending packet: from [500] to
> [500]
> Jun 12 06:15:24 router CHARON-INFO: 15[NET] received packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 15[ENC] unknown attribute type
> INTERNAL_IP4_SERVER
> Jun 12 06:15:24 router CHARON-INFO: 15[ENC] parsed IKE_AUTH request 1 [ IDi
> CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
> Jun 12 06:15:24 router CHARON-INFO: 15[CFG] looking for peer configs
> matching 172.16.30.2[%any]...172.16.50.10[172.16.50.10]
> Jun 12 06:15:24 router CHARON-INFO: 15[CFG] selected peer config
> 'myvpn~mypolicy'
> Jun 12 06:15:24 router CHARON-INFO: 15[IKE] initiating EAP-Identity request
> Jun 12 06:15:24 router CHARON-INFO: 15[IKE] peer supports MOBIKE
> Jun 12 06:15:24 router CHARON-INFO: 15[IKE] authentication of
> 'zeus.test.net' (myself) with RSA signature successful
> Jun 12 06:15:24 router CHARON-INFO: 15[IKE] sending end entity cert "C=US,
> ST=CA, O=MYORG, OU=SPG, CN=zeus.test.net, E=zeus at test.net"
> Jun 12 06:15:24 router CHARON-INFO: 15[ENC] generating IKE_AUTH response 1 [
> IDr CERT AUTH EAP/REQ/ID ]
> Jun 12 06:15:24 router CHARON-INFO: 15[NET] sending packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 12[NET] received packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 12[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/ID ]
> Jun 12 06:15:24 router CHARON-INFO: 12[IKE] received EAP identity 'jordan'
> Jun 12 06:15:24 router CHARON-INFO: 12[IKE] initiating EAP_MSCHAPV2 method
> Jun 12 06:15:24 router CHARON-INFO: 12[ENC] generating IKE_AUTH response 2 [
> EAP/REQ/MSCHAPV2 ]
> Jun 12 06:15:24 router CHARON-INFO: 12[NET] sending packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 16[NET] received packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 16[ENC] parsed IKE_AUTH request 3 [
> EAP/RES/MSCHAPV2 ]
> Jun 12 06:15:24 router CHARON-INFO: 16[ENC] generating IKE_AUTH response 3 [
> EAP/REQ/MSCHAPV2 ]
> Jun 12 06:15:24 router CHARON-INFO: 16[NET] sending packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 09[NET] received packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 09[ENC] parsed IKE_AUTH request 4 [
> EAP/RES/MSCHAPV2 ]
> Jun 12 06:15:24 router CHARON-INFO: 09[IKE] EAP method EAP_MSCHAPV2
> succeeded, MSK established
> Jun 12 06:15:24 router CHARON-INFO: 09[ENC] generating IKE_AUTH response 4 [
> EAP/SUCC ]
> Jun 12 06:15:24 router CHARON-INFO: 09[NET] sending packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 08[NET] received packet: from [4500] to
> [4500]
> Jun 12 06:15:24 router CHARON-INFO: 08[ENC] parsed IKE_AUTH request 5 [ AUTH
> ]
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of '172.16.50.10'
> with EAP successful
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of
> 'zeus.test.net' (myself) with EAP
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9]
> established between 172.16.30.2[zeus.test.net]...172.16.50.10[172.16.50.10]
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9]
> established between 172.16.30.2[zeus.test.net]...172.16.50.10[172.16.50.10]
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] scheduling reauthentication in
> 10137s
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] maximum IKE_SA lifetime 10677s
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] peer requested virtual IP
> (vr*)%any
> Jun 12 06:15:24 router CHARON-INFO: 08[CFG] assigning new lease to 'jordan'
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] assigning virtual IP 172.16.80.1
> to peer
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13}
> established with SPIs c120b985_i 65d20505_o and TS 0.0.0.0/0 ===
> 172.16.80.1/32
> Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13}
> established with SPIs c120b985_i 65d20505_o and TS 0.0.0.0/0 ===
> 172.16.80.1/32
> Jun 12 06:15:24 router CHARON-INFO: 08[ENC] generating IKE_AUTH response 5 [
> AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(ADD_4_ADDR) ]
> Jun 12 06:15:24 router CHARON-INFO: 08[NET] sending packet: from [4500] to
> [4500]
>
> I appreciate any help.
>
> Thanks!
>
> Jordan.
> On Mon, Jun 11, 2012 at 12:01 AM, Kimmo Koivisto <koippa at gmail.com> wrote:
>>
>> 2012/6/11 yordanos beyene <yordanosb at gmail.com>:
>> > Hi Everyone,
>> Hello
>>
>> >
>> > I am having difficulties connecting to strongSwan IKEv2 using eap-radius
>> > from a windows7 Agile VPN client. Below are my vpn server, windows7, radius
>> > configuration and error messages. I have followed the strongSwan windows7
>> > certificate requirements and tried for a couple of days different
>> > recommendations from the strongSwan mailing archive but I couldn't make it
>> > to work. I really appreciate any help.
>>
>> If I were you, I would first make the connection work with
>> eap-mschapv2 and rule out the problems with certificates.
>>
>> This is my configuration from working eap-mschapv2 connection:
>>
>> conn win7
>>    rekey=no
>>    left=%any
>>    leftsubnet=0.0.0.0/0
>>    leftauth=pubkey
>>    leftcert=mycert.crt
>>    leftid=@cert-cn
>>    right=%any
>>    rightsourceip=192.168.2.0/25
>>    rightauth=eap-mschapv2
>>    rightsendcert=never
>>    eap_identity=%any
>>    auto=add
>>
>>
>> >
>> > conn myvpn~mypolicy
>> >         vpn=myvpn
>> >         mobike=no
>>
>> I would enable mobike, that is quite important for me, changing
>> interface from WLAN to 3G etc works nice.
>>
>> >         left=172.16.30.2
>> >         leftsubnet=172.26.40.0/24
>>
>> Split tunneling is not possible, thus you can narrow traffic selector
>> to your subnet. I'm negotiating 0.0.0.0/0 so I can surf the internet with
>> the connection.
>>
>> > =============================
>> >  #Windows 7 Agile vpn client
>> >
>> > Type of VPN : IKEv2
>> > Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2
>> > X509 machine certificate and CA certificate installed , and verified as
>> > valid
>>
>> With mschapv2, client machine certificate is not needed, server is
>> authenticated using server certificate, client authenticates with EAP.
>>
>> > Added the following configuration to the windows 7 hosts file
>> >
>> >             172.16.30.2    zeus.test.net
>> > (172.16.30.2 refers to the vpn gateway interface, and zeus.test.net is the
>> > vpn gateway certificate CN and subject alt name).
>>
>> Did you configure your VPN connection using zeus.test.net? I know,
>> stupid thing to ask, but just to verify that the problem is not there.
>>
>> > when I started the Windows 7 Agile vpn connection,  the following error
>> > message shows on the vpn gateway and windows7 :
>> > #Windows7 error message
>> >
>> > starts "Verifying user name and password and displays
>> > Error:13801: IKE  authentication credentials are unacceptable
>> > =============================
>>
>> When you authenticate using eap-mschapv2 and username/password
>> authentication fails, Windows shows a window with the message "Re-enter your
>> user name and password. Windows could not connect using ...."
>> Error 13801 means a problem in certificates, at least in mschapv2.
>>
>> If you already have client certificate installed, you can also try
>> using the selection "use machine certificate" and try without EAP,
>> that verifies that certificates are okay.
>>
>> In that case, this is my working configuration for it:
>>
>>
>> conn %default
>>       keyingtries=3
>>       keyexchange=ikev2
>>       ike=aes256-sha1-modp1024!
>>       esp=aes256-sha1!
>>       dpdaction=clear
>>       dpddelay=30s
>>       rekey=no
>>
>> conn win7certs
>>        authby=rsasig
>>        left=my-public-ip
>>        leftsubnet=0.0.0.0/0
>>        leftcert=mycert.crt
>>        leftid=@cert-cn
>>        right=%any
>>        rightsourceip=192.168.3.0/24
>>        auto=add
>>
>>
>> Regards,
>> Kimmo
>>
>> >
>> > No user authentication request send to the radius server.
>> >
>> > Thank you!
>> >
>> > Jordan.
>> >