[strongSwan] Strongswan with freeradius on Debian server

Andreas Steffen andreas.steffen at strongswan.org
Thu Apr 25 12:47:21 CEST 2013


Hi Sabrina,

first some comments on your notation:

- There is no leftid=%fromcert option in strongSwan.
  By default the subject DN of the certificate is used.

- left|rightrsasigkey=%cert is not needed by strongSwan.

- the client debian needs an aaa_identity entry of the form

  aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"

  which contains the subject DN of the freeradius server certificate.

- the eap.conf file on the freeradius server must contain the
  following configuration:


http://www.strongswan.org/uml/testresults/ikev2/rw-eap-peap-radius/alice.eap.conf

  Instead of md5, mschapv2 can be used as well.

Please learn from our example scenarios. This is why we put them on our
web server in the first place.

Regards

Andreas

On 04/25/2013 12:14 PM, Sabrina Louison-francois wrote:
> Thanks for your help. I changed my configuration.
> 
> On server strongswan:
> conn road
>          left=192.168.10.8       # Gateway's information
>          leftid=%fromcert
>          leftsubnet=10.1.0.0/24
>          leftrsasigkey=%cert
>          leftauth=pubkey
>          leftcert=/etc/ipsec.d/certs/monserveur.pem
>          right=%any
>          rightauth=eap-radius
>          rightsendcert=never
>          auto=add
> 
> On client debian:
> conn home
>          left=%any       # Localhost's information
>          leftauth=eap
>          leftid=login at mydomain.fr
>          right=192.168.10.8
>          rightsubnet=10.1.0.0/24
>          rightid=%fromcert
>          rightauth=pubkey
>          rightrsasigkey=%cert
>          auto=add
> 
> But the authentication failed with another error on Radius server:
> Thu Apr 25 11:24:24 2013 : Error:     TLS_accept: failed in SSLv3 read client certificate A
> Thu Apr 25 11:24:24 2013 : Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> Thu Apr 25 11:24:24 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> Thu Apr 25 11:24:24 2013 : Auth: Login incorrect (TLS Alert read:fatal:access denied): [login] (from client serv-tests port 1 cli 192.168.110.65[4500])
> 
> Do I have to save my strongswan server certificate in my radius trusted 
> certs list? When I try to put an aaa_identity parameter on my client:
> aaa_identity= "C=FR, CN=aaa.mydomain.fr" (= radius certificate subject)
> 
> I have an issue like:
> Thu Apr 25 12:11:27 2013 : Error: TLS Alert read:fatal:certificate unknown
> Thu Apr 25 12:11:27 2013 : Error:     TLS_accept: failed in SSLv3 read client certificate A
> Thu Apr 25 12:11:27 2013 : Error: rlm_eap: SSL error error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> Thu Apr 25 12:11:27 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> Thu Apr 25 12:11:27 2013 : Auth: Login incorrect (TLS Alert read:fatal:certificate unknown): [login] (from client serv-tests port 9 cli 192.168.110.65[4500])
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
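The three points in Andreas' reply (no `leftid=%fromcert` in strongSwan, `left|rightrsasigkey=%cert` not needed, and an EAP client conn needing an `aaa_identity` holding the subject DN of the RADIUS server certificate) can be turned into a small lint over an ipsec.conf. The script below is an added example written for this archive page; it is not strongSwan or FreeRADIUS tooling. It parses the ipsec.conf(5) subset used in the thread (`conn` headers, indented `key=value` lines, `#` comments; `also=` includes are not expanded), runs the three checks, and compares Sabrina's posted conns with a corrected pair. The set of EAP methods for which the check fires, and the corrected conns themselves, are this example's assumptions; the DN `C=FR, CN=aaa.mydomain.fr` is the value she quoted.

```python
"""Lint a strongSwan ipsec.conf for the mistakes discussed in this thread.
Added example; not part of strongSwan or FreeRADIUS."""
import re
from typing import Dict, List

# Local-side EAP settings for which the client verifies the AAA server's
# certificate, so aaa_identity matters when that certificate's DN differs
# from the gateway identity. Plain "eap" lets the server choose the method
# (PEAP in this thread), so it is included. This set is an assumption.
TLS_BASED_EAP = {"eap", "eap-tls", "eap-ttls", "eap-peap"}

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every conn section.
    'config setup' and 'ca' sections are skipped; 'also=' is not expanded."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        header = CONN_RE.match(line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if not line[0].isspace():
            current = None                      # some non-conn section
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            conns[current][kv.group(1)] = kv.group(2)
    return conns


def lint_conn(name: str, opts: Dict[str, str]) -> List[str]:
    """Apply the three checks from the thread to one conn section."""
    findings: List[str] = []
    for side in ("left", "right"):
        auth = opts.get(f"{side}auth")
        if opts.get(f"{side}id") == "%fromcert":
            findings.append(f"{name}: {side}id=%fromcert is not a strongSwan option; "
                            f"drop it, the subject DN of {side}cert is used by default")
        if opts.get(f"{side}rsasigkey") == "%cert":
            findings.append(f"{name}: {side}rsasigkey=%cert is not needed by strongSwan")
        if auth in TLS_BASED_EAP and "aaa_identity" not in opts:
            findings.append(f"{name}: {side}auth={auth} without aaa_identity; set it to "
                            "the subject DN of the RADIUS server certificate when that "
                            "differs from the gateway identity")
    return findings


def lint_ipsec_conf(text: str) -> List[str]:
    return [f for name, opts in parse_ipsec_conf(text).items()
            for f in lint_conn(name, opts)]


# Sabrina's gateway ('road') and client ('home') conns from the thread,
# concatenated into one text for the demo (they live on different hosts).
POSTED_CONF = """\
conn road
         left=192.168.10.8       # Gateway's information
         leftid=%fromcert
         leftsubnet=10.1.0.0/24
         leftrsasigkey=%cert
         leftauth=pubkey
         leftcert=/etc/ipsec.d/certs/monserveur.pem
         right=%any
         rightauth=eap-radius
         rightsendcert=never
         auto=add

conn home
         left=%any       # Localhost's information
         leftauth=eap
         leftid=login@mydomain.fr
         right=192.168.10.8
         rightsubnet=10.1.0.0/24
         rightid=%fromcert
         rightauth=pubkey
         rightrsasigkey=%cert
         auto=add
"""

# The same conns with Andreas' three points applied (assumed corrected form).
CORRECTED_CONF = """\
conn road
         left=192.168.10.8
         leftsubnet=10.1.0.0/24
         leftauth=pubkey
         leftcert=/etc/ipsec.d/certs/monserveur.pem
         right=%any
         rightauth=eap-radius
         rightsendcert=never
         auto=add

conn home
         left=%any
         leftauth=eap
         leftid=login@mydomain.fr
         aaa_identity="C=FR, CN=aaa.mydomain.fr"
         right=192.168.10.8
         rightsubnet=10.1.0.0/24
         rightauth=pubkey
         auto=add
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        print(f"== {label} ==")
        for finding in lint_ipsec_conf(conf) or ["no findings"]:
            print(" ", finding)
```

The posted pair yields five findings (two on `road`, three on `home`); the corrected pair yields none. The lint only checks the conn syntax; it cannot verify that the `aaa_identity` value actually matches the DN in the RADIUS server's certificate or that the client trusts that certificate's CA, which is what the `certificate unknown` alert in the quoted log points at.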
