[strongSwan] Strongswan with freeradius on Debian server
Sabrina Louison-francois
sabrina.louison-francois at ens-cachan.fr
Thu Apr 25 12:14:31 CEST 2013
Thanks for your help. I changed my configuration.
On server strongswan:
conn road
    left=192.168.10.8 # Gateway's information
    leftid=%fromcert
    leftsubnet=10.1.0.0/24
    leftrsasigkey=%cert
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/monserveur.pem
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    auto=add
On client debian:
conn home
    left=%any # Localhost's information
    leftauth=eap
    leftid=login at mydomain.fr
    right=192.168.10.8
    rightsubnet=10.1.0.0/24
    rightid=%fromcert
    rightauth=pubkey
    rightrsasigkey=%cert
    auto=add
But the authentication failed with another error on the Radius server:
Thu Apr 25 11:24:24 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
Thu Apr 25 11:24:24 2013 : Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Thu Apr 25 11:24:24 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Thu Apr 25 11:24:24 2013 : Auth: Login incorrect (TLS Alert read:fatal:access denied): [login] (from client serv-tests port 1 cli 192.168.110.65[4500])
Do I have to save my strongswan server certificate in my radius trusted
certs list? When I try to put an aaa_identity parameter on my client:
aaa_identity= "C=FR, CN=aaa.mydomain.fr" (= radius certificate subject)
I have an issue like:
Thu Apr 25 12:11:27 2013 : Error: TLS Alert read:fatal:certificate unknown
Thu Apr 25 12:11:27 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
Thu Apr 25 12:11:27 2013 : Error: rlm_eap: SSL error error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Thu Apr 25 12:11:27 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Thu Apr 25 12:11:27 2013 : Auth: Login incorrect (TLS Alert read:fatal:certificate unknown): [login] (from client serv-tests port 9 cli 192.168.110.65[4500])
On 25/04/2013 10:07, Andreas Steffen wrote:
> Hello Sabrina,
>
> you mix strongSwan with Openswan notation and IKEv1 Xauth with
> IKEv2 EAP. Why not have a look at our ikev2/rw-eap-peap-radius
> example scenario where you get all the configuration details:
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-peap-radius/
>
> You might add
>
> eap_identity=%any
>
> on moon and omit the wildcard filter
>
> rightid=*.strongswan.org
>
> Best regards
>
> Andreas
>
> On 04/25/2013 08:48 AM, Sabrina Louison-francois wrote:
>> Hello,
>>
>>
>> I installed a strongswan server (5.0.3) on Debian and want it to work
>> with radius authentication (eap-peap) for my users. My server
>> authenticates with a certificate.
>>
>> Here is server's ipsec.conf:
>> # basic configuration
>>
>> config setup
>> # strictcrlpolicy=yes
>> # uniqueids = no
>>
>> # Add connections here.
>>
>> conn road
>>     left=192.168.10.8 # Gateway's information
>>     leftid=%fromcert
>>     leftsubnet=10.1.0.0/24
>>     leftrsasigkey=%cert
>>     leftcert=/etc/ipsec.d/certs/myserver.pem
>>     eap_identity=%any
>>     right=%any
>>     rightauth=eap-radius
>>     rightsendcert=never
>>     auto=add
>>
>> I tested it with a client on Debian. In ipsec.secrets, I tried to put
>> the password for my login like this ' login : EAP "passwd" '. But it does
>> not work. No password is sent to the radius server and the
>> authentication failed.
>>
>> Here is user's ipsec.conf:
>> # basic configuration
>>
>> config setup
>> # strictcrlpolicy=yes
>> # uniqueids = no
>>
>> # Add connections here.
>>
>> conn home
>>     left=%any # Localhost's information
>>     leftauth=eap-radius
>>     leftauth2=xauth-eap
>>     #leftrsasigkey=%cert
>>     eap_identity="login"
>>     right=192.168.10.8
>>     rightsubnet=10.1.0.0/24
>>     rightid=%fromcert
>>     rightrsasigkey=%cert
>>     auto=add
>>
>> Could anyone tell me where the password must be set? Or is there a way
>> to force my server to ask for the user's credentials each time?
>>
>> Thanks for your help.
>>
>
--
Sabrina
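Added example, not part of this thread and not code from strongSwan or FreeRADIUS. EAP-PEAP carries the RADIUS authentication inside a TLS session between the EAP peer (the Debian client, acting as TLS client) and the RADIUS server, so before any inner credentials are sent the peer has to validate the RADIUS server's certificate against a CA it trusts (strongSwan loads those from /etc/ipsec.d/cacerts/) and compare the certificate subject with the aaa_identity set in ipsec.conf. The script below builds a constructed CA and RADIUS server certificate with openssl and runs those two checks, once with the signing CA and the right identity and once with an unrelated CA and a wrong identity. Assumed: openssl on the path; the server name aaa.mydomain.fr is taken from the post, every other name and all key material is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan/FreeRADIUS.
# It reproduces offline the two checks an EAP-PEAP client performs on the
# RADIUS server's TLS certificate before it sends any inner credentials:
#   1. chain validation against a CA the client trusts
#      (strongSwan loads those from /etc/ipsec.d/cacerts/)
#   2. subject match against the aaa_identity configured in ipsec.conf
# All keys, CAs and names below are constructed for the demo; only the
# RADIUS server name aaa.mydomain.fr is taken from the thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed CA that signs the RADIUS server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/C=FR/CN=Test CA" -days 30 >/dev/null 2>&1
# Constructed RADIUS server certificate, subject "C=FR, CN=aaa.mydomain.fr".
openssl req -newkey rsa:2048 -nodes -keyout aaa.key -out aaa.csr \
  -subj "/C=FR/CN=aaa.mydomain.fr" >/dev/null 2>&1
openssl x509 -req -in aaa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out aaa.pem -days 30 >/dev/null 2>&1
# An unrelated CA: what a client whose cacerts/ lacks ca.pem effectively trusts.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -subj "/C=FR/CN=Unrelated CA" -days 30 >/dev/null 2>&1

# chain_ok CAFILE CERT: "trusted" if CERT chains to CAFILE, else "untrusted".
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# norm_dn DN: split a "C=FR, CN=x" style DN into RDNs, trim, sort and rejoin,
# so that ipsec.conf notation and OpenSSL's RFC2253 output compare equal.
# Simplification for the demo: RDN order is ignored; strongSwan does its own
# DN comparison.
norm_dn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//;s/ *= */=/' | sort | tr '\n' ','
}

# subject_matches CERT AAA_IDENTITY: "match" if the certificate subject equals
# the configured aaa_identity, else "mismatch".
subject_matches() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  if [ "$(norm_dn "$subj")" = "$(norm_dn "$2")" ]; then
    echo match
  else
    echo mismatch
  fi
}

echo "chain against signing CA:                 $(chain_ok ca.pem aaa.pem)"
echo "chain against unrelated CA:               $(chain_ok other.pem aaa.pem)"
echo "aaa_identity C=FR, CN=aaa.mydomain.fr:    $(subject_matches aaa.pem 'C=FR, CN=aaa.mydomain.fr')"
echo "aaa_identity C=FR, CN=radius.mydomain.fr: $(subject_matches aaa.pem 'C=FR, CN=radius.mydomain.fr')"
```

On a real client the equivalent check is `openssl verify -CAfile /etc/ipsec.d/cacerts/<ca>.pem <radius-server-cert>.pem` followed by `openssl x509 -noout -subject` on the server certificate: the CA that signed the RADIUS server's certificate has to be in /etc/ipsec.d/cacerts/ on the peer, and aaa_identity has to be the subject DN of that RADIUS server certificate, not of the strongSwan gateway's certificate.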