[strongSwan] Integrating radius with strongswan.

Azfar Hashmi azfar.hashmi at cloudways.com
Tue Feb 19 15:23:37 CET 2013


Now I have a problem.

When I load plugins in strongswan.conf I can connect (via radius auth)
but cannot browse internet.

load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown
plugins {
        eap-radius {
                secret = secret
                server = 127.0.0.1
        }
}


Is any module conflicting with something?

On 2/19/2013 6:12 PM, Azfar Hashmi wrote:
> Okay I converted both authby=xauthrsasig and xauth=server with
> rightauth=pubkey and rightauth2=xauth as per v5 documents and it's
> working fine.
>
> On 2/19/2013 5:59 PM, Azfar Hashmi wrote:
>> Hi Martin,
>>
>> I am on 5.0.2. How can I convert my ipsec.conf for multiple auth,
>> i.e. xauth+rsasig with radius? I don't see any option in rightauth to
>> define rsasig as first auth. How can I check with which options
>> strongswan 5 is compiled by default? Do I need to recompile it with
>> --enable-eap-radius, --enable-xauth-eap etc.? I want to use
>> xauthrsasig due to iOS Vpn on Demand. I also noticed that
>> left|rightauth and left|rightauth2 are only available in IKEv2 (Prior
>> to 5.0.0 <http://wiki.strongswan.org/projects/strongswan/wiki/500>
>> this parameter is only supported for IKEv2) but I am using IKEv1.
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>>
>> Below is my current config
>>
>> config setup
>>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>>         nat_traversal=yes
>>         charonstart=yes
>>         plutostart=yes
>>         crlcheckinterval=600
>>         uniqueids=no
>>
>> conn ios
>>         keyexchange=ikev1
>>         authby=xauthrsasig
>>         xauth=server
>>         left=%defaultroute
>>         leftsubnet=0.0.0.0/0
>>         leftfirewall=yes
>>         leftcert=serverCert.pem
>>         right=%any
>>         rightsubnet=10.0.0.0/24
>>         rightsourceip=10.0.0.0/24
>>         auto=add
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>>
>>
>> On 2/18/2013 8:00 PM, Azfar Hashmi wrote:
>>> Hi Martin,
>>>
>>> Thanks for clearing things up. I will first move to v5.x then
>>> come back.
>>>
>>> On 2/18/2013 7:44 PM, Martin Willi wrote:
>>>> Hi Azfar,
>>>>
>>>>> I am using Strongswan 4.5.2 (Debian Squeeze) with xauthrsasig auth type.
>>>>> Now I want to replace ipsec.secrets and put a radius server.
>>>> In 4.5.2, IKEv1 is handled in the "pluto" daemon. Pluto does not have
>>>> support for RADIUS authentication.
>>>>
>>>> With strongSwan 5.x, we reimplemented IKEv1 in the newer "charon" daemon
>>>> which also supports IKEv2. With its eap-radius backend and the xauth-eap
>>>> bridge, you can authenticate XAuth clients against RADIUS. It requires a
>>>> RADIUS server that speaks EAP, though. See [1] for details.
>>>>
>>>>> 1) Can I still use xauth+rsa as an auth mechanism with eap-radius plugin?
>>>> With the xauth-eap helper plugin, yes.
>>>>
>>>>> 2) Do I need to recompile strongswan for eap-radius plugin or Debian 6
>>>>> comes with it.
>>>> You need at least 5.0.0, better 5.0.2, which doesn't come with Debian
>>>> yet. Also, you need the eap-radius and the xauth-eap plugins, along with
>>>> a suitable EAP method.
>>>>
>>>>> 3) I want to use single server for both radius and strongswan, what is
>>>>> the role of strongswan.conf in *"alice"*?
>>>> Alice is the RADIUS server in this example, so you won't need it. You
>>>> can install your RADIUS server on moon, and configure eap-radius to use
>>>> the local RADIUS server.
>>>>
>>>> Regards
>>>> Martin
>>>>
>>>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP
>>>>
>>>
>>>
>>> -- 
>>>
>>> AzfarHashmi
>>>
>>> Cloudways
>>>
>>> Your Managed Cloud
>>>
>>>  
>>>
>>> e: azfar.hashmi at cloudways.com
>>>
>>> w: www.cloudways.com <http://www.cloudways.com>
>>>
>>>  
>>>
>>> PGP keyid: 0xF42034B0F915D729
>>>
>>> http://keyserver.pgp.com
>>>
>>>  
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>


-- 

AzfarHashmi

Cloudways

Your Managed Cloud

 

e: azfar.hashmi at cloudways.com

w: www.cloudways.com <http://www.cloudways.com>

 

PGP keyid: 0xF42034B0F915D729

http://keyserver.pgp.com
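
The conversion described in the quoted reply above (authby=xauthrsasig and xauth=server replaced by rightauth=pubkey and rightauth2=xauth), written out against the `conn ios` block from this thread. This is an added example, not part of the original message; `leftauth=pubkey` and the explicit `xauth-eap` backend setting are assumptions that the thread does not state.

```conf
# ipsec.conf (strongSwan 5.x): "conn ios" from this thread with the
# pre-5.x XAuth keywords replaced by explicit authentication rounds.
conn ios
        keyexchange=ikev1
        # was: authby=xauthrsasig
        #      xauth=server
        leftauth=pubkey          # assumption: gateway authenticates with its certificate
        rightauth=pubkey         # round 1: client certificate (RSA signature)
        rightauth2=xauth         # round 2: XAuth user credentials
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.0/24
        auto=add

# strongswan.conf: the XAuth round is bridged to EAP by xauth-eap and
# verified against the RADIUS server by eap-radius.
charon {
        plugins {
                eap-radius {
                        secret = secret      # value as posted in the thread
                        server = 127.0.0.1   # RADIUS on the same host
                }
                xauth-eap {
                        backend = radius     # assumption: set explicitly here
                }
        }
}
```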

 
