[strongSwan] Strongswan 5, IKEv1, Xauth and Radius?

Kimmo Koivisto koippa at gmail.com
Fri Jun 22 16:37:58 CEST 2012


Never mind the EAP problem, I enabled xauth in configure and it works
like a charm.

At least I found the missing variable :)

Regards,
Kimmo

2012/6/22 Kimmo Koivisto <koippa at gmail.com>:
> Hello Martin
>
> Thanks for the clarification, I now understand :)
>
>
> I tried to configure this, but got a strange error in XAuth:
>
> no XAuth method found named 'Pû'
>
> and the name was changing when I tried; there seems to be a missing
> name variable in xauth.c:
> DBG1(DBG_CFG, "no XAuth method found named '%s'");
>
> I fixed this by adding the name variable:
> DBG1(DBG_CFG, "no XAuth method found named '%s'",name);
>
> and now getting error
> no XAuth method found named 'eap'
>
>
> So, my question is, do I need to compile something to get xauth-eap, or
> did I misunderstand something?
>
> Regards,
> Kimmo
>
>
> My config:
>
> conn ikev1
>        keyexchange=ikev1
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=3
>        left=strong-5-server-ip
>        leftsubnet=0.0.0.0/0
>        leftcert=server.crt
>        leftid=@server-cert-cn
>        leftauth=pubkey
>        leftfirewall=no
>        right=%any
>        rightauth=pubkey
>        rightauth2=xauth-eap
>        rightsourceip=172.26.27.128/25
>        modeconfig=push
>        auto=add
>
>
> and the full log is:
>
> 13[NET] received packet: from android-4-handser-ip[500] to
> strong-5-server-ip[500]
> 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> 13[IKE] received NAT-T (RFC 3947) vendor ID
> 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 13[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> 13[IKE] received XAuth vendor ID
> 13[IKE] received Cisco Unity vendor ID
> 13[ENC] received unknown vendor ID:
> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
> 13[IKE] received DPD vendor ID
> 13[IKE] android-4-handser-ip is initiating a Main Mode IKE_SA
> 13[ENC] generating ID_PROT response 0 [ SA V V V ]
> 13[NET] sending packet: from strong-5-server-ip[500] to
> android-4-handser-ip[500]
> 02[NET] received packet: from android-4-handser-ip[500] to
> strong-5-server-ip[500]
> 02[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 02[IKE] remote host is behind NAT
> 02[IKE] sending cert request for "DC=local, DC=s5-test, CN=s5-test Domain CA"
> 02[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> 02[NET] sending packet: from strong-5-server-ip[500] to
> android-4-handser-ip[500]
> 01[NET] received packet: from android-4-handser-ip[1024] to
> strong-5-server-ip[4500]
> 01[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
> 01[IKE] received cert request for 'DC=local, DC=s5-test, CN=s5-test Domain CA'
> 01[IKE] received end entity cert "O=s5-test x, CN=Kimmo"
> 01[CFG] looking for XAuthInitRSA peer configs matching
> strong-5-server-ip...android-4-handser-ip[O=s5-test x, CN=Kimmo]
> 01[CFG] selected peer config "ikev1"
> 01[CFG]   using certificate "O=s5-test x, CN=Kimmo"
> 01[CFG]   using trusted ca certificate "DC=local, DC=s5-test,
> CN=s5-test Domain CA"
> 01[CFG] checking certificate status of "O=s5-test x, CN=Kimmo"
> 01[CFG]   using trusted certificate "DC=local, DC=s5-test, CN=s5-test Domain CA"
> 01[CFG]   crl correctly signed by "DC=local, DC=s5-test, CN=s5-test Domain CA"
> 01[CFG]   crl is valid: until Jun 27 07:13:04 2012
> 01[CFG]   using cached crl
> 01[CFG] certificate status is good
> 01[CFG]   reached self-signed root ca with a path length of 0
> 01[IKE] authentication of 'O=s5-test x, CN=Kimmo' with RSA successful
> 01[IKE] authentication of 'vpn2.s5-test.com' (myself) successful
> 01[IKE] sending end entity cert "O=s5-test, CN=vpn2.s5-test.com"
> 01[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 01[NET] sending packet: from strong-5-server-ip[4500] to
> android-4-handser-ip[1024]
> 01[CFG] no XAuth method found named 'Pû'
>
>
> 2012/6/22 Martin Willi <martin at strongswan.org>:
>> Hello Kimmo,
>>
>>> Does this mean that now the AAA server needs to be configured to use
>>> EAP, let's say EAP-MSCHAPv2?
>>
>> With the xauth-eap plugin, yes. This is the same configuration that
>> you'd use for IKEv2 clients, Windows 7 Agile VPN for example.
>>
>>> Then AAA receives the access request from Strongswan and AAA server
>>> then responds or starts EAP and strongswan needs to have that
>>> eap-mschapv2 enabled?
>>
>> Yes. AAA should request a (password based) EAP method, and the
>> strongSwan gateway acts as client for this EAP method using XAuth
>> credentials from the client. To use EAP-MSCHAPv2, pass
>> --enable-eap-mschapv2 to ./configure (and enable a MD4 implementation,
>> either through --enable-openssl or --enable-md4).
>>
>> Regards
>> Martin
>>
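The garbled method name in the quoted log ('Pû') is what happens when a printf-style DBG1() call passes a '%s' format with no matching argument: the logger reads whatever the variadic argument slot happens to hold, so the output is garbage and, in the worst case, leaks stack or register contents into the log. The following is an added C example, not strongSwan code: a stand-in printf-style logger that carries the GCC/Clang format attribute so the compiler flags a missing argument at build time under -Wformat, a small runtime counter of the arguments a format string consumes (useful when format strings come from a table rather than literals), and the corrected call from the thread. The names dbg_format, fmt_arg_count and xauth_not_found_msg are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Example stand-in for a printf-style logging macro such as strongSwan's
 * DBG1(). The format attribute lets GCC/Clang check, under -Wformat (part
 * of -Wall), that every conversion in the format literal has an argument;
 * the quoted call
 *   DBG1(DBG_CFG, "no XAuth method found named '%s'");
 * would then be reported at compile time instead of printing garbage. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Render a log message into a caller-supplied buffer; returns the number of
 * characters the full message needs, as vsnprintf does. */
int dbg_format(char *out, size_t out_len, const char *fmt, ...) PRINTF_LIKE(3, 4);

int dbg_format(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Count the arguments a printf format string consumes: every conversion
 * other than "%%" takes one argument, and each '*' width or precision takes
 * one more. A caller that builds messages from non-literal formats can
 * compare this against the number of arguments it is about to pass. */
int fmt_arg_count(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')           /* literal percent sign, no argument */
            continue;
        if (*p == '\0')
            break;               /* dangling '%' at end of string */
        while (*p && strchr("-+ #0", *p))   /* flag characters */
            p++;
        for (; *p; p++) {                    /* width and precision */
            if (*p == '*')
                count++;         /* width/precision taken from an argument */
            else if (!((*p >= '0' && *p <= '9') || *p == '.'))
                break;
        }
        while (*p && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        if (*p == '\0')
            break;               /* format ended before the conversion char */
        count++;                 /* the conversion itself */
    }
    return count;
}

/* The corrected log call from the thread: the name argument is supplied, so
 * '%s' prints the requested XAuth method rather than stack garbage. */
int xauth_not_found_msg(const char *name, char *out, size_t out_len)
{
    return dbg_format(out, out_len, "no XAuth method found named '%s'", name);
}
```

Build with -Wall: a call such as dbg_format(buf, sizeof buf, "no XAuth method found named '%s'") then produces a -Wformat warning at compile time, which is the cheapest place to catch this class of bug. fmt_arg_count covers the remaining case where the format is not a literal and the attribute cannot help.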