[strongSwan] Weird NAT IP as username.
Kris
KRI2183876 at maricopa.edu
Sat Apr 6 17:38:29 CEST 2013
Oops, not quite. My real question is that there are some weird logs with user name
"192.168.3.254" in the Radius accounting DB, so I went to check Charon's log and
found these logs.
--
Kris
On Sat, Apr 6, 2013 at 11:30 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hmm, are you sure the client in question is sending an EAP identity?
> I just checked one of our example RADIUS scenarios
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/
>
> and I see that the gateway nevertheless logs the EAP Identity:
>
> 16[IKE] initiating EAP_IDENTITY method (id 0x00)
> 16[IKE] authentication of 'moon.strongswan.org' (myself) with RSA
> signature successful
> 16[IKE] sending end entity cert "C=CH, O=Linux strongSwan,
> CN=moon.strongswan.org"
> 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
> (1436 bytes)
>
> 05[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
> (76 bytes)
> 05[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> 05[IKE] received EAP identity 'carol'
> 05[CFG] sending RADIUS Access-Request to server '10.1.0.10'
> 05[CFG] received RADIUS Access-Challenge from server '10.1.0.10'
> 05[IKE] initiating EAP_MD5 method (id 0x01)
> 05[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
> (92 bytes)
>
> 04[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
> (92 bytes)
> 04[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MD5 ]
> 04[CFG] sending RADIUS Access-Request to server '10.1.0.10'
> 04[CFG] received RADIUS Access-Accept from server '10.1.0.10'
> 04[IKE] RADIUS authentication of 'carol' successful
> 04[IKE] EAP method EAP_MD5 succeeded, no MSK established
> 04[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
> 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
> (76 bytes)
>
> 03[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
> (92 bytes)
> 03[ENC] parsed IKE_AUTH request 4 [ AUTH ]
> 03[IKE] authentication of 'carol at strongswan.org' with EAP successful
> 03[IKE] authentication of 'moon.strongswan.org' (myself) with EAP
> 03[IKE] IKE_SA rw-eap[1] established between
> 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol at strongswan.org]
>
> Regards
>
> Andreas
>
> On 04/06/2013 05:07 PM, Kris wrote:
> > Hi, Andreas
> >
> > Thanks for your explanation. Because there are some logs with username
> > '192.168.3.254' in my Radius accounting DB, I worry about whether it is
> > the correct username or not; the user's traffic accounting may not be
> > accurate.
> >
> > --
> > Kris
> >
> >
> > On Sat, Apr 6, 2013 at 10:43 PM, Andreas Steffen
> > <andreas.steffen at strongswan.org> wrote:
> >
> > Hi Kris,
> >
> > 192.168.3.254 is just the outer IKEv2 client identity and is
> > equivalent to the client IP address in the local LAN behind
> > the NAT router. The inner EAP identity is not visible in the gateway
> > log because it is handled by the RADIUS server.
> >
> > Don't worry!
> >
> > Andreas
> >
> > On 04/06/2013 04:08 PM, Kris wrote:
> > >
> > > I got weird log in Strongswan like:
> > >
> > > Apr 3 06:31:36 13[ENC] parsed IKE_AUTH request 6 [ AUTH ]
> > > Apr 3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP
> > > successful
> > > Apr 3 06:31:36 13[IKE] authentication of 'xx.com' (myself) with EAP
> > > Apr 3 06:31:36 13[IKE] IKE_SA win7[16115] established between
> > > 19.45.16.1[xx.com]...12.46.25.8[192.168.3.254]
> > >
> > > Apr 3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP
> > > successful
> > >
> > > How could this be possible? '192.168.3.254' isn't my Radius user at all,
> > > how could it act like the VPN username?
> > >
> > > I'm running 5.0.2dr4, is this a bug or my config mistake?
> > >
> > > conn win7
> > > keyexchange=ikev2
> > > left=%any
> > > leftid=xx.com
> > > leftsubnet=0.0.0.0/0
> > > leftauth=pubkey
> > > leftcert=gw.cer
> > > right=%any
> > > rightsendcert=never
> > > rightauth=eap-radius
> > > eap_identity=%identity
> > > rightsourceip=%ippool
> > > ikelifetime=48h
> > > lifetime=48h
> > > rekeymargin=9m
> > > rekey=no
> > > reauth=no
> > > dpddelay=30
> > > dpdtimeout=150
> > > dpdaction=clear
> > >
> > > --
> > > Kris
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
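The thread turns on two different names in the charon log: the outer IKEv2 identity (IDi, here the client's LAN address 192.168.3.254) and the EAP identity that charon logs as "received EAP identity '...'" when the client actually answers the EAP-Identity request. The following Python script is an added example, not strongSwan code and not something either poster wrote; it parses charon log lines in the formats quoted above and reports sessions whose peer identity is an IP literal, alongside the EAP identities that were seen, so an operator can compare them with the User-Name values in the RADIUS accounting table. The sample log lines are constructed from the ones quoted in the thread (unwrapped onto single lines; the e-mail address is written in its normal form), and all function and class names are my own.

```python
"""Parse strongSwan charon log lines and separate the outer IKEv2 identity
from the EAP identity.  Added example for this thread; not strongSwan code.
Line formats follow the charon output quoted in the thread; the sample
lines below are constructed from it."""
import ipaddress
import re
from dataclasses import dataclass

# charon prefixes each line with "<thread>[<group>]"; the thread number is not
# an IKE_SA identifier, so sessions are keyed on the "IKE_SA name[id]" line.
RE_EAP_IDENTITY = re.compile(r"\[IKE\] received EAP identity '([^']+)'")
RE_RADIUS_OK = re.compile(r"\[IKE\] RADIUS authentication of '([^']+)' successful")
RE_SA_ESTABLISHED = re.compile(
    r"\[IKE\] IKE_SA (\S+)\[(\d+)\] established between "
    r"([^\s\[]+)\[([^\]]+)\]\.\.\.([^\s\[]+)\[([^\]]+)\]"
)

# Constructed sample: Kris's log from the thread, joined onto single lines.
KRIS_LOG = """\
Apr 3 06:31:36 13[ENC] parsed IKE_AUTH request 6 [ AUTH ]
Apr 3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP successful
Apr 3 06:31:36 13[IKE] authentication of 'xx.com' (myself) with EAP
Apr 3 06:31:36 13[IKE] IKE_SA win7[16115] established between 19.45.16.1[xx.com]...12.46.25.8[192.168.3.254]
""".splitlines()

# Constructed sample: the rw-eap-md5-id-radius excerpt Andreas quoted.
MOON_LOG = """\
05[IKE] received EAP identity 'carol'
05[CFG] sending RADIUS Access-Request to server '10.1.0.10'
04[IKE] RADIUS authentication of 'carol' successful
03[IKE] authentication of 'carol@strongswan.org' with EAP successful
03[IKE] IKE_SA rw-eap[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]
""".splitlines()


@dataclass
class Session:
    conn: str            # connection name from ipsec.conf, e.g. "win7"
    unique_id: int       # IKE_SA unique id in brackets, e.g. 16115
    remote_addr: str     # peer's public (post-NAT) address
    remote_id: str       # peer's outer IKEv2 identity (IDi)
    remote_id_is_ip: bool


def is_ip_literal(text):
    """True when the identity is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_sessions(lines):
    """One Session per 'IKE_SA ... established between' line."""
    sessions = []
    for line in lines:
        m = RE_SA_ESTABLISHED.search(line)
        if m:
            conn, uid, _laddr, _lid, raddr, rid = m.groups()
            sessions.append(Session(conn, int(uid), raddr, rid, is_ip_literal(rid)))
    return sessions


def eap_identities(lines):
    """EAP identities charon logged.  An empty list means no client answered
    the EAP-Identity request in this log, which is the point Andreas raises."""
    return [m.group(1) for m in map(RE_EAP_IDENTITY.search, lines) if m]


def radius_users(lines):
    """User names charon reports as authenticated by the RADIUS server."""
    return [m.group(1) for m in map(RE_RADIUS_OK.search, lines) if m]


def ip_identity_sessions(lines):
    """Sessions whose outer IKEv2 identity is an IP literal.  As explained in
    the thread this is the client's own LAN address presented as IDi, not a
    RADIUS user; these are the values to check against accounting User-Name."""
    return [s for s in parse_sessions(lines) if s.remote_id_is_ip]


if __name__ == "__main__":
    for name, log in (("kris", KRIS_LOG), ("moon", MOON_LOG)):
        print(name, "EAP identities:", eap_identities(log),
              "RADIUS users:", radius_users(log))
        for s in ip_identity_sessions(log):
            print(f"  {s.conn}[{s.unique_id}] from {s.remote_addr}: "
                  f"IP literal as IKE identity {s.remote_id!r}")
```

Run against a real charon log, a session listed by `ip_identity_sessions` with no matching entry in `eap_identities` is the pattern Kris describes; a session with a logged EAP identity, as in the moon excerpt, is the expected case.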