[strongSwan] Strongswan with freeradius on Debian server
Sabrina Louison-francois
sabrina.louison-francois at ens-cachan.fr
Thu Apr 25 15:35:59 CEST 2013
Thanks for your help. But I had my TLS problem again. I had to add the
whole certificate chain of my radius server into my client's
ipsec.d/cacerts to make it work.
--
Sabrina
On 25/04/2013 12:47, Andreas Steffen wrote:
> Hi Sabrina,
>
> first some comments on your notation:
>
> - There is no leftid=%fromcert option in strongSwan.
> By default the subject DN of the certificate is used.
>
> - left|rightrsasigkey=%cert is not needed by strongSwan.
>
> - the client debian needs an aaa_identity entry of the form
>
> aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
>
> which contains the subject DN of the freeradius server certificate.
>
> - the eap.conf file on the freeradius server must contain the
> following configuration:
>
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-peap-radius/alice.eap.conf
>
> Instead of md5, mschapv2 can be used as well.
>
> Please learn from our example scenarios. This is why we put them on our
> web server in the first place.
>
> Regards
>
> Andreas
>
> On 04/25/2013 12:14 PM, Sabrina Louison-francois wrote:
>> Thanks for your help. I changed my configuration.
>>
>> On server strongswan:
>> conn road
>> left=192.168.10.8 # Gateway's information
>> leftid=%fromcert
>> leftsubnet=10.1.0.0/24
>> leftrsasigkey=%cert
>> leftauth=pubkey
>> leftcert=/etc/ipsec.d/certs/monserveur.pem
>> right=%any
>> rightauth=eap-radius
>> rightsendcert=never
>> auto=add
>>
>> On client debian:
>> conn home
>> left=%any # Localhost's information
>> leftauth=eap
>> leftid=login at mydomain.fr
>> right=192.168.10.8
>> rightsubnet=10.1.0.0/24
>> rightid=%fromcert
>> rightauth=pubkey
>> rightrsasigkey=%cert
>> auto=add
>>
>> But the authentication failed with another error on Radius server:
>> Thu Apr 25 11:24:24 2013 : Error: TLS_accept: failed in SSLv3 read
>> client certificate A
>> Thu Apr 25 11:24:24 2013 : Error: rlm_eap: SSL error error:14094419:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert access denied
>> Thu Apr 25 11:24:24 2013 : Error: SSL: SSL_read failed inside of TLS
>> (-1), TLS session fails.
>> Thu Apr 25 11:24:24 2013 : Auth: Login incorrect (TLS Alert
>> read:fatal:access denied): [login] (from client serv-tests port 1 cli
>> 192.168.110.65[4500])
>>
>> Do I have to save my strongswan server certificate in my radius trusted
>> certs list? When I try to put an aaa_identity parameter on my client:
>> aaa_identity="C=FR, CN=aaa.mydomain.fr" (= radius certificate subject)
>>
>> I have an issue like:
>> Thu Apr 25 12:11:27 2013 : Error: TLS Alert read:fatal:certificate unknown
>> Thu Apr 25 12:11:27 2013 : Error: TLS_accept: failed in SSLv3 read
>> client certificate A
>> Thu Apr 25 12:11:27 2013 : Error: rlm_eap: SSL error error:14094416:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> Thu Apr 25 12:11:27 2013 : Error: SSL: SSL_read failed inside of TLS
>> (-1), TLS session fails.
>> Thu Apr 25 12:11:27 2013 : Auth: Login incorrect (TLS Alert
>> read:fatal:certificate unknown): [login] (from client serv-tests port 9
>> cli 192.168.110.65[4500])
>>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
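The two things the thread turns on are that the EAP client must be able to build the RADIUS server's certificate chain from what is in ipsec.d/cacerts, and that aaa_identity must equal the server certificate's subject DN in strongSwan's own notation. The script below is an added example for checking both on the client before bringing the tunnel up; it is not code from this thread, from strongSwan or from FreeRADIUS. It assumes the openssl CLI is installed, that the certificates are PEM files, and the function names and example paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan/FreeRADIUS.
# Checks the two things the EAP-PEAP/TTLS tunnel to the RADIUS server
# depends on:
#   1. the RADIUS server certificate must chain to the certificates the
#      client keeps in ipsec.d/cacerts (whole chain, intermediates included)
#   2. aaa_identity must equal the server certificate's subject DN, written
#      the way strongSwan writes DNs: "C=FR, O=Example, CN=aaa.example.org"
# Assumptions: the openssl CLI is installed and the certificates are PEM.
# Function names are hypothetical.

# Print the subject DN of a PEM certificate in strongSwan's DN notation
# (short attribute names, "=" without spaces, ", " between RDNs).
aaa_identity_for() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
        | sed 's/^subject= *//'
}

# Return 0 if the certificate in $2 verifies against the PEM files in the
# cacerts directory $1, 1 otherwise. The directory is flattened into one
# bundle, so a missing intermediate shows up here as a verification
# failure rather than as a failed TLS handshake inside EAP.
chain_ok() {
    dir="$1"; cert="$2"
    bundle="$(mktemp)"
    cat "$dir"/*.pem > "$bundle" 2>/dev/null || :
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$bundle"
    return $rc
}

# Usage: ./check-aaa.sh /etc/ipsec.d/cacerts radius-server.pem
# (paths are examples). Prints the aaa_identity line to put in the conn.
if [ -n "$1" ] && [ -n "$2" ]; then
    if chain_ok "$1" "$2"; then
        echo "chain OK; add to the client conn:"
        echo "    aaa_identity=\"$(aaa_identity_for "$2")\""
    else
        echo "server certificate does not chain to $1: add the missing CA or intermediate there" >&2
        exit 1
    fi
fi
```

If chain_ok fails, copy the missing CA or intermediate certificate into ipsec.d/cacerts and re-run; once it passes, the printed aaa_identity value is the exact DN strongSwan will compare against the certificate the RADIUS server presents inside the EAP TLS tunnel.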