[strongSwan] Weird NAT IP as username.

Andreas Steffen andreas.steffen at strongswan.org
Sat Apr 6 17:30:26 CEST 2013


Hmm, are you sure the client in question is sending an EAP identity?
I just checked one of our example RADIUS scenarios

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/

and I see that the gateway nevertheless logs the EAP Identity:

16[IKE] initiating EAP_IDENTITY method (id 0x00)
16[IKE] authentication of 'moon.strongswan.org' (myself) with RSA
signature successful
16[IKE] sending end entity cert "C=CH, O=Linux strongSwan,
CN=moon.strongswan.org"
16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
(1436 bytes)

05[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
(76 bytes)
05[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
05[IKE] received EAP identity 'carol'
05[CFG] sending RADIUS Access-Request to server '10.1.0.10'
05[CFG] received RADIUS Access-Challenge from server '10.1.0.10'
05[IKE] initiating EAP_MD5 method (id 0x01)
05[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
(92 bytes)

04[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
(92 bytes)
04[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MD5 ]
04[CFG] sending RADIUS Access-Request to server '10.1.0.10'
04[CFG] received RADIUS Access-Accept from server '10.1.0.10'
04[IKE] RADIUS authentication of 'carol' successful
04[IKE] EAP method EAP_MD5 succeeded, no MSK established
04[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
(76 bytes)

03[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
(92 bytes)
03[ENC] parsed IKE_AUTH request 4 [ AUTH ]
03[IKE] authentication of 'carol at strongswan.org' with EAP successful
03[IKE] authentication of 'moon.strongswan.org' (myself) with EAP
03[IKE] IKE_SA rw-eap[1] established between
192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]

Regards

Andreas

On 04/06/2013 05:07 PM, Kris wrote:
> Hi, Andreas
> 
> Thanks for your explanation. Because there are some logs with username
> '192.168.3.254' in my Radius accounting DB, I worry about whether it is
> the correct username or not; if not, the user's traffic accounting may
> not be accurate.
> 
> --
> Kris
> 
> 
> On Sat, Apr 6, 2013 at 10:43 PM, Andreas Steffen
> <andreas.steffen at strongswan.org>
> wrote:
> 
>     Hi Kris,
> 
>     192.168.3.254 is just the outer IKEv2 client identity and is
>     equivalent to the client IP address in the local LAN behind
>     the NAT router. The inner EAP identity is not visible in the gateway
>     log because it is handled by the RADIUS server.
> 
>     Don't worry!
> 
>     Andreas
> 
>     On 04/06/2013 04:08 PM, Kris wrote:
>     >
>     > I got weird log in Strongswan like:
>     >
>     > Apr  3 06:31:36 13[ENC] parsed IKE_AUTH request 6 [ AUTH ]
>     > Apr  3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP
>     > successful
>     > Apr  3 06:31:36 13[IKE] authentication of 'xx.com'
>     > (myself) with EAP
>     > Apr  3 06:31:36 13[IKE] IKE_SA win7[16115] established between
>     > 19.45.16.1[xx.com]...12.46.25.8[192.168.3.254]
>     >
>     > Apr  3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP
>     > successful
>     >
>     > How could this be possible? '192.168.3.254' isn't my Radius user at all,
>     > how could it act like a VPN username?
>     >
>     > I'm running 5.0.2dr4, is this a bug or my config mistake?
>     >
>     > conn win7
>     >         keyexchange=ikev2
>     >         left=%any
>     >         leftid=xx.com
>     >         leftsubnet=0.0.0.0/0
>     >         leftauth=pubkey
>     >         leftcert=gw.cer
>     >         right=%any
>     >         rightsendcert=never
>     >         rightauth=eap-radius
>     >         eap_identity=%identity
>     >         rightsourceip=%ippool
>     >         ikelifetime=48h
>     >         lifetime=48h
>     >         rekeymargin=9m
>     >         rekey=no
>     >         reauth=no
>     >         dpddelay=30
>     >         dpdtimeout=150
>     >         dpdaction=clear
>     >
>     > --
>     > Kris
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
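To check a gateway log for the pattern discussed in this thread, here is an added example (not strongSwan code and not from either poster) that pulls the remote identity out of each "IKE_SA ... established" line, flags identities that are bare IP literals, and lists the "received EAP identity" lines beside them; the sample log is constructed from the lines quoted above, and the two line formats (with and without a syslog timestamp) are both handled.

```python
import ipaddress
import re

# Constructed sample, modelled on the charon lines quoted in this thread
# (the '@' is written out; the list archive rendered it as ' at ').
SAMPLE_LOG = """\
16[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] received EAP identity 'carol'
04[IKE] RADIUS authentication of 'carol' successful
03[IKE] authentication of 'carol@strongswan.org' with EAP successful
03[IKE] IKE_SA rw-eap[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]
Apr  3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP successful
Apr  3 06:31:36 13[IKE] IKE_SA win7[16115] established between 19.45.16.1[xx.com]...12.46.25.8[192.168.3.254]
"""

ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<sa>\d+)\] established between "
    r"(?P<lhost>\S+?)\[(?P<lid>[^\]]*)\]\.\.\.(?P<rhost>\S+?)\[(?P<rid>[^\]]*)\]"
)
EAP_IDENTITY = re.compile(r"received EAP identity '(?P<eap>[^']*)'")

def is_ip_literal(ident: str) -> bool:
    """True when an identity is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(ident)
        return True
    except ValueError:
        return False

def audit(log_text: str) -> tuple[list[dict], list[str]]:
    """Collect every established IKE_SA and every EAP identity the gateway logged."""
    # Worker-thread prefixes (05[IKE], 03[IKE]) change between exchanges and do
    # not identify an IKE_SA, so the two lists are reported side by side.
    records, eap_ids = [], []
    for line in log_text.splitlines():
        if m := EAP_IDENTITY.search(line):
            eap_ids.append(m["eap"])
        elif m := ESTABLISHED.search(line):
            records.append({"conn": m["conn"], "sa": int(m["sa"]),
                            "remote_host": m["rhost"], "remote_id": m["rid"],
                            "id_is_address": is_ip_literal(m["rid"])})
    return records, eap_ids

def address_identities(log_text: str) -> list[dict]:
    """IKE_SAs whose remote identity is a bare address: the pattern behind the
    '192.168.3.254' username Kris found in his RADIUS accounting DB."""
    return [r for r in audit(log_text)[0] if r["id_is_address"]]
```

An IKE_SA in the flagged list with no matching "received EAP identity" line nearby is the case to look at: the client authenticated under its outer IKEv2 identity, which is what the accounting records will carry.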
