[strongSwan] IKEv2/EAP-MSCHAP fails with 'traffic selectors inacceptable'
Albrecht Dreß
albrecht.dress at arcor.de
Sun Apr 28 17:46:22 CEST 2013
Hi all,
I am struggling with strongswan 5.0.3 for an EAP-MSCHAPv2/IKEv2 configuration following the example in <http://wiki.strongswan.org/projects/strongswan/wiki/Windows7>, case B.
The configuration should distinguish between different EAP identities and assign them different subnets, so that I can apply different filter rules for the intranet (10.16.0.0/16). Thus I added a second 'conn' entry.
The gateway to the Internet is named portal.my-domain.com. The internal IP of the same box is 10.16.0.2. The server running strongswan has IP address 10.16.0.41.
The server's ipsec.conf looks as follows:
---8<---ipsec.conf (server)-----------------------------------------------------------------
config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    leftcert=strongswan.pem
    leftid=@portal.my-domain.com
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never

conn limited
    leftsubnet=10.16.0.0/24
    rightsourceip=10.20.44.128/25
    eap_identity=test
    auto=add

conn full
    leftsubnet=10.16.0.0/16
    rightsourceip=10.20.44.0/25
    eap_identity=%any
    auto=add
---8<---------------------------------------------------------------------------------------
This configuration works fine with Windows7, with the exception that it asks for authentication *twice*, which is a little annoying. Any idea how I could fix that?
On my linux box at home, also running strongswan 5.0.3, I use the following configuration (192.168.42.4 is my local IP address behind the DSL router):
---8<---ipsec.conf (client)-----------------------------------------------------------------
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    forceencaps=yes

conn to-remote
    left=192.168.42.4
    leftsourceip=%config
    leftsubnet=10.0.0.0/8
    leftauth=eap
    leftid=test
    eap_identity=test
    right=<public ip of portal.my-domain.com>
    rightauth=pubkey
    rightid=%portal.my-domain.com
    auto=add
---8<---------------------------------------------------------------------------------------
Trying to launch this connection always fails with the message
received TS_UNACCEPTABLE notify, no CHILD_SA built
The related log on the server looks as follows:
---8<---------------------------------------------------------------------------------------
charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 15[IKE] 10.16.0.2 is initiating an IKE_SA
charon: 15[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
charon: 15[IKE] local host is behind NAT, sending keep alives
charon: 15[IKE] remote host is behind NAT
charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
charon: 16[IKE] received cert request for "<snipped for privacy>"
charon: 16[IKE] using configured EAP-Identity test
charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x22)
charon: 16[IKE] processing INTERNAL_IP4_ADDRESS attribute
charon: 16[IKE] processing INTERNAL_IP4_DNS attribute
charon: 16[IKE] peer supports MOBIKE
charon: 16[IKE] authentication of 'portal.my-domain.com' (myself) with RSA signature successful
charon: 16[IKE] sending end entity cert "<snipped for privacy>"
charon: 16[IKE] sending issuer cert "<snipped for privacy>"
charon: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/MSCHAPV2 ]
charon: 03[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
charon: 03[IKE] EAP-MS-CHAPv2 username: 'test'
charon: 03[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
charon: 02[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
charon: 02[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
charon: 02[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
charon: 01[ENC] parsed IKE_AUTH request 4 [ AUTH ]
charon: 01[IKE] authentication of 'test' with EAP successful
charon: 01[IKE] authentication of 'portal.my-domain.com' (myself) with EAP
charon: 01[IKE] IKE_SA limited[1] established between 10.16.0.41[portal.my-domain.com]...10.16.0.2[test]
charon: 01[IKE] IKE_SA limited[1] state change: CONNECTING => ESTABLISHED
charon: 01[IKE] peer requested virtual IP %any
charon: 01[IKE] assigning virtual IP 10.20.44.129 to peer 'test'
charon: 01[IKE] building INTERNAL_IP4_DNS attribute
charon: 01[IKE] building INTERNAL_IP4_NBNS attribute
charon: 01[IKE] traffic selectors <public ip of my DSL router> === 10.0.0.0/8 inacceptable
charon: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA
charon: 01[ENC] generating IKE_AUTH response 4 [ AUTH CP(ADDR DNS NBNS) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
---8<---------------------------------------------------------------------------------------
I tried various combinations of (left|right)subnet, but couldn't find a working one.
Using NetworkManager, I actually *can* open the connection, but the route added by it is wrong:
---8<---------------------------------------------------------------------------------------
root at antares:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.42.252  0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 tun0
192.168.42.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
---8<---------------------------------------------------------------------------------------
Instead of the 'inacceptable' message, the server log now says
charon: 12[IKE] CHILD_SA limited{1} established with SPIs [...] and TS 10.16.0.0/24 === 10.20.44.129/32
Any help for solving this issue would be really appreciated!
Thanks in advance,
Albrecht.
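As an added illustration (not strongSwan code and not part of the original post), the Python below models what the responder does with the traffic selectors during IKE_AUTH: pick the conn by EAP identity, lease a virtual IP from that conn's pool, and narrow the initiator's TSi/TSr against the configured subnets as RFC 7296 section 2.9 describes. An empty intersection on either side is what the responder answers with N(TS_UNACCEPT). The conn table copies the server ipsec.conf above; the proposals are constructed, 203.0.113.1 is a documentation-range placeholder for the "public ip" in the log, and the claim that a NetworkManager client proposes 0.0.0.0/0 on both sides is an assumption used only to show the narrowing.

```python
"""Responder-side IKEv2 traffic-selector narrowing (RFC 7296 section 2.9).

Added illustration, not strongSwan's implementation. SERVER_CONNS mirrors
the server ipsec.conf from the post; the proposals in __main__ and the
203.0.113.1 placeholder address are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Conn:
    name: str
    local_subnets: List[Net]   # leftsubnet on the server
    pool: Net                  # rightsourceip
    eap_identity: str          # exact identity, or '%any' as fallback


SERVER_CONNS: List[Conn] = [
    Conn("limited", [net("10.16.0.0/24")], net("10.20.44.128/25"), "test"),
    Conn("full",    [net("10.16.0.0/16")], net("10.20.44.0/25"),   "%any"),
]


def select_conn(conns: List[Conn], eap_identity: str) -> Optional[Conn]:
    """Prefer an exact eap_identity match, then fall back to a %any conn."""
    for c in conns:
        if c.eap_identity == eap_identity:
            return c
    for c in conns:
        if c.eap_identity == "%any":
            return c
    return None


def first_free_address(pool: Net, leased: set) -> ipaddress.IPv4Address:
    """Lease the first unused host address; for 10.20.44.128/25 that is .129,
    the address the post's server log assigns to 'test'."""
    for host in pool.hosts():
        if host not in leased:
            return host
    raise RuntimeError("virtual IP pool exhausted")


def intersect(a: Net, b: Net) -> Optional[Net]:
    """Two CIDR blocks either nest or are disjoint, so the overlap is the smaller one."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(proposed: List[Net], allowed: List[Net]) -> List[Net]:
    """Narrow the peer's selectors to the subset the local config permits."""
    result: List[Net] = []
    for p in proposed:
        for a in allowed:
            i = intersect(p, a)
            if i is not None and i not in result:
                result.append(i)
    return result


def responder_child_sa(conn: Conn, tsi: List[Net], tsr: List[Net],
                       virtual_ip: ipaddress.IPv4Address) -> Optional[Tuple[List[Net], List[Net]]]:
    """(local_ts, remote_ts) the responder accepts, or None for TS_UNACCEPTABLE.

    TSi names the initiator's addresses: the remote side for the responder,
    pinned to the assigned virtual IP. TSr names the responder's addresses
    and must fit its leftsubnet."""
    remote = narrow(tsi, [net(f"{virtual_ip}/32")])
    local = narrow(tsr, conn.local_subnets)
    if not local or not remote:
        return None
    return local, remote


def handle_ike_auth(eap_identity: str, tsi: List[str], tsr: List[str],
                    conns: List[Conn] = SERVER_CONNS, leased=frozenset()):
    """Conn selection, VIP lease and TS narrowing for one IKE_AUTH; None if no conn matches."""
    conn = select_conn(conns, eap_identity)
    if conn is None:
        return None
    vip = first_free_address(conn.pool, set(leased))
    child = responder_child_sa(conn, [net(t) for t in tsi], [net(t) for t in tsr], vip)
    return conn.name, vip, child


if __name__ == "__main__":
    # 1. The post's Linux client: leftsubnet=10.0.0.0/8 and no rightsubnet,
    #    so TSr is a single peer address (placeholder 203.0.113.1).
    print(handle_ike_auth("test", ["10.0.0.0/8"], ["203.0.113.1/32"]))
    # 2. Assumed NetworkManager-style proposal of 0.0.0.0/0 on both sides.
    print(handle_ike_auth("test", ["0.0.0.0/0"], ["0.0.0.0/0"]))
```

Run stand-alone, the first call yields no CHILD_SA: the virtual IP 10.20.44.129 fits inside the proposed 10.0.0.0/8, but the single public address in TSr has no overlap with the conn's 10.16.0.0/24, so the responder has nothing to narrow to. The wildcard proposal narrows to 10.16.0.0/24 === 10.20.44.129/32, the pair the server log shows once the NetworkManager client connects.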