[strongSwan] Strongswan 5, IKEv1, Xauth and Radius?
Kimmo Koivisto
koippa at gmail.com
Fri Jun 22 16:14:34 CEST 2012
Hello Martin
Thanks for the clarification, I now understand :)
I tried to configure this, but got a strange error in XAuth:
no XAuth method found named 'Pû'
and the name changed each time I tried; there seems to be a missing
name variable in xauth.c:
DBG1(DBG_CFG, "no XAuth method found named '%s'");
I fixed this by adding the name variable:
DBG1(DBG_CFG, "no XAuth method found named '%s'",name);
and now I get the error:
no XAuth method found named 'eap'
So, my question is, do I need to compile something to get xauth-eap, or
did I misunderstand something?
Regards,
Kimmo
My config:
conn ikev1
keyexchange=ikev1
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=3
left=strong-5-server-ip
leftsubnet=0.0.0.0/0
leftcert=server.crt
leftid=@server-cert-cn
leftauth=pubkey
leftfirewall=no
right=%any
rightauth=pubkey
rightauth2=xauth-eap
rightsourceip=172.26.27.128/25
modeconfig=push
auto=add
and the full log is:
13[NET] received packet: from android-4-handser-ip[500] to strong-5-server-ip[500]
13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
13[IKE] received NAT-T (RFC 3947) vendor ID
13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
13[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
13[IKE] received XAuth vendor ID
13[IKE] received Cisco Unity vendor ID
13[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
13[IKE] received DPD vendor ID
13[IKE] android-4-handser-ip is initiating a Main Mode IKE_SA
13[ENC] generating ID_PROT response 0 [ SA V V V ]
13[NET] sending packet: from strong-5-server-ip[500] to android-4-handser-ip[500]
02[NET] received packet: from android-4-handser-ip[500] to strong-5-server-ip[500]
02[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
02[IKE] remote host is behind NAT
02[IKE] sending cert request for "DC=local, DC=s5-test, CN=s5-test Domain CA"
02[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
02[NET] sending packet: from strong-5-server-ip[500] to android-4-handser-ip[500]
01[NET] received packet: from android-4-handser-ip[1024] to strong-5-server-ip[4500]
01[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
01[IKE] received cert request for 'DC=local, DC=s5-test, CN=s5-test Domain CA'
01[IKE] received end entity cert "O=s5-test x, CN=Kimmo"
01[CFG] looking for XAuthInitRSA peer configs matching strong-5-server-ip...android-4-handser-ip[O=s5-test x, CN=Kimmo]
01[CFG] selected peer config "ikev1"
01[CFG] using certificate "O=s5-test x, CN=Kimmo"
01[CFG] using trusted ca certificate "DC=local, DC=s5-test, CN=s5-test Domain CA"
01[CFG] checking certificate status of "O=s5-test x, CN=Kimmo"
01[CFG] using trusted certificate "DC=local, DC=s5-test, CN=s5-test Domain CA"
01[CFG] crl correctly signed by "DC=local, DC=s5-test, CN=s5-test Domain CA"
01[CFG] crl is valid: until Jun 27 07:13:04 2012
01[CFG] using cached crl
01[CFG] certificate status is good
01[CFG] reached self-signed root ca with a path length of 0
01[IKE] authentication of 'O=s5-test x, CN=Kimmo' with RSA successful
01[IKE] authentication of 'vpn2.s5-test.com' (myself) successful
01[IKE] sending end entity cert "O=s5-test, CN=vpn2.s5-test.com"
01[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
01[NET] sending packet: from strong-5-server-ip[4500] to android-4-handser-ip[1024]
01[CFG] no XAuth method found named 'Pû'
2012/6/22 Martin Willi <martin at strongswan.org>:
> Hello Kimmo,
>
>> Does this mean that now the AAA server needs to be configured to use
>> EAP, let's say EAP-MSCHAPv2?
>
> With the xauth-eap plugin, yes. This is the same configuration that
> you'd use for IKEv2 clients, Windows 7 Agile VPN for example.
>
>> Then AAA receives the access request from Strongswan and AAA server
>> then responds or starts EAP and strongswan needs to have that
>> eap-mschapv2 enabled?
>
> Yes. AAA should request a (password based) EAP method, and the
> strongSwan gateway acts as client for this EAP method using XAuth
> credentials from the client. To use EAP-MSCHAPv2, pass
> --enable-eap-mschapv2 to ./configure (and enable a MD4 implementation,
> either through --enable-openssl or --enable-md4).
>
> Regards
> Martin
>
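The garbage name 'Pû' in the log above is what a printf-style call prints when its format string has a '%s' but no matching argument: the call reads whatever happens to be in the argument register or on the stack. The following is an added example, not strongSwan code, showing how a logging helper declared with the compiler's format attribute makes such a missing argument a compile-time error, and how a name lookup modelled on the error message in this thread behaves when the requested method is not compiled in. The method names in the table and the function names are constructed for the example.

```c
/* Added example (not strongSwan code): a diagnostic helper declared with the
 * GCC/Clang format attribute, so that a call like
 *   diag("no XAuth method found named '%s'");
 * (format with '%s' but no argument, as in the thread) is rejected by the
 * compiler under -Wall (or -Wformat) instead of printing stack garbage. */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Last diagnostic, kept in a buffer so a caller (or a test) can inspect it. */
static char last_diag[256];

/* Format a diagnostic into last_diag. The attribute tells the compiler that
 * parameter 1 is a printf format and the variadic arguments start at 2. */
__attribute__((format(printf, 1, 2)))
static void diag(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_diag, sizeof last_diag, fmt, ap);
    va_end(ap);
}

/* Hypothetical registry of XAuth method names built into this binary.
 * "eap" is deliberately absent, mirroring the situation in the thread. */
static const char *const xauth_methods[] = { "generic", "pam", "noauth" };

/* Look up a method by name; returns true if found, false otherwise after
 * recording a diagnostic that includes the offending name. */
static bool find_xauth_method(const char *name)
{
    for (size_t i = 0; i < sizeof xauth_methods / sizeof xauth_methods[0]; i++) {
        if (strcmp(xauth_methods[i], name) == 0) {
            return true;
        }
    }
    /* The name is passed, so the message is well defined and reproducible. */
    diag("no XAuth method found named '%s'", name);
    /* With the argument omitted, as in the original xauth.c line, the
     * compiler reports the missing argument here; with -Werror=format the
     * build fails rather than shipping the bug. */
    return false;
}

/* Accessor for the last diagnostic text. */
static const char *last_diagnostic(void)
{
    return last_diag;
}

int main(void)
{
    find_xauth_method("eap");
    puts(last_diagnostic());
    return 0;
}
```

Build with -Wall -Werror=format (constructed suggestion) to turn the missing-argument case into a build failure; the lookup itself then fails cleanly with a readable name, which is the only symptom a configuration referencing a method that was not compiled in should produce.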