[strongSwan] Ikev2 with eap-mschapv2 - is freeradius supported ?

carl leopold carlbright772 at gmail.com
Thu Dec 11 18:28:30 CET 2014


Hi,

Thanks, with the help from this forum I was able to get a connection working
with IKEv2 by setting the ipsec.secrets file with my cert key.

Can I ask for some help with another problem. I have found that IKEv2 is
not working with freeradius using eap-mschapv2 (iOS client) as I expected.
I can get it to work by setting the user in the ipsec.secrets file, but I am
trying to use a central freeradius server / MySQL DB for authentication and
not the secrets file.

Does eap-mschapv2 only support the ipsec.secrets file and not freeradius?

From my reading, freeradius supports eap-mschapv2 as it is built in, so it
should just work.

I can get an IKEv1 user to log in OK, so that proves the freeradius setup is OK and I
see it works via the freeradius logs. I put two sets of ipsec logs below, one
with the user in the ipsec.secrets file that works and another set that
shows the errors when it is removed. I notice that the freeradius logs don't get any
changes / no contact from strongSwan.

Here is the offending part of the logs to save you time reading below:

Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 username: 'carl'
Dec 11 12:08:31 vpn2 charon: 05[IKE] no EAP key found for hosts '
strongholdvpn2.ddns.net' - 'carl'
Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 verification failed,
retry (1)

Any help or advice appreciated. Should I use eap-radius or something else?
From my reading of iOS 8 support I can only use eap-mschapv2.

Many Thanks
Carl

file strongswan.conf:

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
                eap-radius {
                        class_group = yes
                        eap_start = yes
                        servers {
                                primary {
                                        # RADIUS server and shared secret
                                        address = vpn2
                                        secret = sharedsec
                                        nas_identifier = ipsec-gateway
                                        sockets = 20
                                }
                        }
                }
        }
}

include strongswan.d/*.conf

file ipsec.conf:

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    rightdns=8.8.8.8,8.8.4.4

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    leftid=strongholdvpn2.ddns.net
    leftsendcert=always
    right=%any
    rightid=*@strongholdvpn2.ddns.net
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

conn IOS8_IKEV1
    keyexchange=ikev1
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    rightauth=pubkey
    rightauth2=xauth:password
    auto=add
    eap_identity=%identity
    rightsourceip=172.16.0.0/16
    right=%any


file: ipsec.secrets

: RSA vpnHostKey.pem
carl : EAP "connect1"

include /var/lib/strongswan/ipsec.secrets.inc

Logs where the user can log in using ipsec.secrets with the user set:

Dec 11 12:05:42 vpn2 charon: 00[DMN] Starting IKE charon daemon (strongSwan
5.2.1, Linux 3.13.0-37-generic, x86_64)
Dec 11 12:05:42 vpn2 charon: 00[DMN] agent plugin requires CAP_DAC_OVERRIDE
capability
Dec 11 12:05:42 vpn2 charon: 00[LIB] plugin 'agent': failed to load -
agent_plugin_create returned NULL
Dec 11 12:05:42 vpn2 charon: 00[DMN] xauth-pam plugin requires
CAP_AUDIT_WRITE capability
Dec 11 12:05:42 vpn2 charon: 00[LIB] plugin 'xauth-pam': failed to load -
xauth_pam_plugin_create returned NULL
Dec 11 12:05:42 vpn2 charon: 00[CFG] HA config misses local/remote address
Dec 11 12:05:42 vpn2 charon: 00[LIB] plugin 'ha': failed to load -
ha_plugin_create returned NULL
Dec 11 12:05:42 vpn2 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Dec 11 12:05:42 vpn2 charon: 00[CFG]   loaded ca certificate "C=CH,
O=strongSwan, CN=strongSwan Root CA" from
'/etc/ipsec.d/cacerts/strongswanCert.pem'
Dec 11 12:05:42 vpn2 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Dec 11 12:05:42 vpn2 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Dec 11 12:05:42 vpn2 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Dec 11 12:05:42 vpn2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec 11 12:05:42 vpn2 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Dec 11 12:05:42 vpn2 charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/vpnHostKey.pem'
Dec 11 12:05:42 vpn2 charon: 00[CFG]   loaded EAP secret for carl
Dec 11 12:05:42 vpn2 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Dec 11 12:05:42 vpn2 charon: 00[CFG] loaded 1 RADIUS server configuration
Dec 11 12:05:42 vpn2 charon: 00[LIB] loaded plugins: charon aes rc2 sha1
sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac gcm attr
kernel-netlink resolve socket-default farp stroke updown eap-identity
eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc
xauth-generic xauth-eap tnc-tnccs dhcp lookip error-notify certexpire led
addrblock unity
Dec 11 12:05:42 vpn2 charon: 00[LIB] unable to load 5 plugin features (5
due to unmet dependencies)
Dec 11 12:05:42 vpn2 charon: 00[LIB] dropped capabilities, running as uid
0, gid 0
Dec 11 12:05:42 vpn2 charon: 00[JOB] spawning 16 worker threads
Dec 11 12:05:42 vpn2 charon: 08[NET] waiting for data on sockets
Dec 11 12:05:42 vpn2 charon: 09[CFG] received stroke: add connection 'win7'
Dec 11 12:05:42 vpn2 charon: 09[CFG] conn win7
Dec 11 12:05:42 vpn2 charon: 09[CFG]   left=%any
Dec 11 12:05:42 vpn2 charon: 09[CFG]   leftsubnet=0.0.0.0/0
Dec 11 12:05:42 vpn2 charon: 09[CFG]   leftauth=pubkey
Dec 11 12:05:42 vpn2 charon: 09[CFG]   leftid=strongholdvpn2.ddns.net
Dec 11 12:05:42 vpn2 charon: 09[CFG]   leftcert=vpnHostCert.pem
Dec 11 12:05:42 vpn2 charon: 09[CFG]   right=%any
Dec 11 12:05:42 vpn2 charon: 09[CFG]   rightsourceip=10.10.3.0/24
Dec 11 12:05:42 vpn2 charon: 09[CFG]   rightdns=8.8.8.8,8.8.4.4
Dec 11 12:05:42 vpn2 charon: 09[CFG]   rightauth=eap-mschapv2
Dec 11 12:05:42 vpn2 charon: 09[CFG]   rightid=*@strongholdvpn2.ddns.net
Dec 11 12:05:42 vpn2 charon: 09[CFG]   eap_identity=%any
Dec 11 12:05:42 vpn2 charon: 09[CFG]   ike=aes128-sha1-modp2048!
Dec 11 12:05:42 vpn2 charon: 09[CFG]   esp=aes128-sha1!
Dec 11 12:05:42 vpn2 charon: 09[CFG]   dpddelay=300
Dec 11 12:05:42 vpn2 charon: 09[CFG]   dpdtimeout=150
Dec 11 12:05:42 vpn2 charon: 09[CFG]   dpdaction=1
Dec 11 12:05:42 vpn2 charon: 09[CFG]   mediation=no
Dec 11 12:05:42 vpn2 charon: 09[CFG]   keyexchange=ikev2
Dec 11 12:05:42 vpn2 charon: 09[CFG] left nor right host is our side,
assuming left=local
Dec 11 12:05:42 vpn2 charon: 09[CFG] adding virtual IP address pool
10.10.3.0/24
Dec 11 12:05:42 vpn2 charon: 09[CFG]   loaded certificate "C=CH,
O=strongSwan, CN=strongholdvpn2.ddns.net" from 'vpnHostCert.pem'
Dec 11 12:05:42 vpn2 charon: 09[CFG] added configuration 'win7'
Dec 11 12:05:42 vpn2 charon: 11[CFG] received stroke: add connection
'IOS8_IKEV1'
Dec 11 12:05:42 vpn2 charon: 11[CFG] conn IOS8_IKEV1
Dec 11 12:05:42 vpn2 charon: 11[CFG]   left=%any
Dec 11 12:05:42 vpn2 charon: 11[CFG]   leftsubnet=0.0.0.0/0
Dec 11 12:05:42 vpn2 charon: 11[CFG]   leftauth=pubkey
Dec 11 12:05:42 vpn2 charon: 11[CFG]   leftcert=vpnHostCert.pem
Dec 11 12:05:42 vpn2 charon: 11[CFG]   right=%any
Dec 11 12:05:42 vpn2 charon: 11[CFG]   rightsourceip=172.16.0.0/16
Dec 11 12:05:42 vpn2 charon: 11[CFG]   rightdns=8.8.8.8,8.8.4.4
Dec 11 12:05:42 vpn2 charon: 11[CFG]   rightauth=pubkey
Dec 11 12:05:42 vpn2 charon: 11[CFG]   rightauth2=xauth:password
Dec 11 12:05:42 vpn2 charon: 11[CFG]   eap_identity=%identity
Dec 11 12:05:42 vpn2 charon: 11[CFG]
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Dec 11 12:05:42 vpn2 charon: 11[CFG]
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
Dec 11 12:05:42 vpn2 charon: 11[CFG]   dpddelay=300
Dec 11 12:05:42 vpn2 charon: 11[CFG]   dpdtimeout=150
Dec 11 12:05:42 vpn2 charon: 11[CFG]   dpdaction=1
Dec 11 12:05:42 vpn2 charon: 11[CFG]   mediation=no
Dec 11 12:05:42 vpn2 charon: 11[CFG]   keyexchange=ikev1
Dec 11 12:05:42 vpn2 charon: 11[CFG] left nor right host is our side,
assuming left=local
Dec 11 12:05:42 vpn2 charon: 11[CFG] adding virtual IP address pool
172.16.0.0/16
Dec 11 12:05:42 vpn2 charon: 11[CFG]   loaded certificate "C=CH,
O=strongSwan, CN=strongholdvpn2.ddns.net" from 'vpnHostCert.pem'
Dec 11 12:05:42 vpn2 charon: 11[CFG]   id '%any' not confirmed by
certificate, defaulting to 'C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net'
Dec 11 12:05:42 vpn2 charon: 11[CFG] added configuration 'IOS8_IKEV1'
Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from
191.101.55.203[500] to 178.62.119.121[500]
Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
Dec 11 12:05:53 vpn2 charon: 13[NET] received packet: from
191.101.55.203[500] to 178.62.119.121[500] (416 bytes)
Dec 11 12:05:53 vpn2 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 11 12:05:53 vpn2 charon: 13[CFG] looking for an ike config for
178.62.119.121...191.101.55.203
Dec 11 12:05:53 vpn2 charon: 13[CFG]   candidate: %any...%any, prio 28
Dec 11 12:05:53 vpn2 charon: 13[CFG] found matching ike config: %any...%any
with prio 28
Dec 11 12:05:53 vpn2 charon: 13[IKE] 191.101.55.203 is initiating an IKE_SA
Dec 11 12:05:53 vpn2 charon: 13[IKE] IKE_SA (unnamed)[1] state change:
CREATED => CONNECTING
Dec 11 12:05:53 vpn2 charon: 13[CFG] selecting proposal:
Dec 11 12:05:53 vpn2 charon: 13[CFG]   proposal matches
Dec 11 12:05:53 vpn2 charon: 13[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 11 12:05:53 vpn2 charon: 13[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 11 12:05:53 vpn2 charon: 13[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 11 12:05:53 vpn2 charon: 13[IKE] remote host is behind NAT
Dec 11 12:05:53 vpn2 charon: 13[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan Root CA"
Dec 11 12:05:53 vpn2 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 11 12:05:53 vpn2 charon: 13[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500] (465 bytes)
Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500]
Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500]
Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
Dec 11 12:05:53 vpn2 charon: 14[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500] (364 bytes)
Dec 11 12:05:53 vpn2 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 11 12:05:53 vpn2 charon: 14[CFG] looking for peer configs matching
178.62.119.121[strongholdvpn2.ddns.net]...191.101.55.203[
client at strongholdvpn2.ddns.net]
Dec 11 12:05:53 vpn2 charon: 14[CFG]   candidate "win7", match: 20/19/28
(me/other/ike)
Dec 11 12:05:53 vpn2 charon: 14[CFG] selected peer config 'win7'
Dec 11 12:05:53 vpn2 charon: 14[IKE] initiating EAP_IDENTITY method (id
0x00)
Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_ADDRESS
attribute
Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_DHCP attribute
Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_DNS attribute
Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_NETMASK
attribute
Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP6_ADDRESS
attribute
Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP6_DHCP attribute
Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP6_DNS attribute
Dec 11 12:05:53 vpn2 charon: 14[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 11 12:05:53 vpn2 charon: 14[IKE] authentication of '
strongholdvpn2.ddns.net' (myself) with RSA signature successful
Dec 11 12:05:53 vpn2 charon: 14[IKE] sending end entity cert "C=CH,
O=strongSwan, CN=strongholdvpn2.ddns.net"
Dec 11 12:05:53 vpn2 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr
CERT AUTH EAP/REQ/ID ]
Dec 11 12:05:53 vpn2 charon: 14[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024] (2028 bytes)
Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024]
Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500]
Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
Dec 11 12:05:53 vpn2 charon: 15[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500] (76 bytes)
Dec 11 12:05:53 vpn2 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID
]
Dec 11 12:05:53 vpn2 charon: 15[IKE] received EAP identity 'carl'
Dec 11 12:05:53 vpn2 charon: 15[IKE] initiating EAP_MSCHAPV2 method (id
0x06)
Dec 11 12:05:53 vpn2 charon: 15[ENC] generating IKE_AUTH response 2 [
EAP/REQ/MSCHAPV2 ]
Dec 11 12:05:53 vpn2 charon: 15[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024] (108 bytes)
Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024]
Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500]
Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
Dec 11 12:05:53 vpn2 charon: 16[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500] (140 bytes)
Dec 11 12:05:53 vpn2 charon: 16[ENC] parsed IKE_AUTH request 3 [
EAP/RES/MSCHAPV2 ]
Dec 11 12:05:53 vpn2 charon: 16[IKE] EAP-MS-CHAPv2 username: 'carl'
Dec 11 12:05:53 vpn2 charon: 16[ENC] generating IKE_AUTH response 3 [
EAP/REQ/MSCHAPV2 ]
Dec 11 12:05:53 vpn2 charon: 16[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024] (140 bytes)
Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024]
Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500]
Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
Dec 11 12:05:53 vpn2 charon: 03[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500] (76 bytes)
Dec 11 12:05:53 vpn2 charon: 03[ENC] parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]
Dec 11 12:05:53 vpn2 charon: 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK
established
Dec 11 12:05:53 vpn2 charon: 03[ENC] generating IKE_AUTH response 4 [
EAP/SUCC ]
Dec 11 12:05:53 vpn2 charon: 03[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024] (76 bytes)
Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024]
Dec 11 12:05:54 vpn2 charon: 08[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500]
Dec 11 12:05:54 vpn2 charon: 02[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500] (92 bytes)
Dec 11 12:05:54 vpn2 charon: 02[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Dec 11 12:05:54 vpn2 charon: 02[IKE] authentication of '
client at strongholdvpn2.ddns.net' with EAP successful
Dec 11 12:05:54 vpn2 charon: 02[IKE] authentication of '
strongholdvpn2.ddns.net' (myself) with EAP
Dec 11 12:05:54 vpn2 charon: 02[IKE] IKE_SA win7[1] established between
178.62.119.121[strongholdvpn2.ddns.net]...191.101.55.203[
client at strongholdvpn2.ddns.net]
Dec 11 12:05:54 vpn2 charon: 02[IKE] IKE_SA win7[1] state change:
CONNECTING => ESTABLISHED
Dec 11 12:05:54 vpn2 charon: 02[IKE] peer requested virtual IP %any
Dec 11 12:05:54 vpn2 charon: 02[CFG] assigning new lease to 'carl'
Dec 11 12:05:54 vpn2 charon: 02[IKE] assigning virtual IP 10.10.3.1 to peer
'carl'
Dec 11 12:05:54 vpn2 charon: 02[IKE] peer requested virtual IP %any6
Dec 11 12:05:54 vpn2 charon: 02[IKE] no virtual IP found for %any6
requested by 'carl'
Dec 11 12:05:54 vpn2 charon: 02[IKE] building INTERNAL_IP4_DNS attribute
Dec 11 12:05:54 vpn2 charon: 02[IKE] building INTERNAL_IP4_DNS attribute
Dec 11 12:05:54 vpn2 charon: 02[CFG] looking for a child config for
0.0.0.0/0 ::..ff:ff:ff:ff:ff:ff:ff:ff === 0.0.0.0/0
::..ff:ff:ff:ff:ff:ff:ff:ff
Dec 11 12:05:54 vpn2 charon: 02[CFG] proposing traffic selectors for us:
Dec 11 12:05:54 vpn2 charon: 02[CFG]  0.0.0.0/0
Dec 11 12:05:54 vpn2 charon: 02[CFG] proposing traffic selectors for other:
Dec 11 12:05:54 vpn2 charon: 02[CFG]  10.10.3.1/32
Dec 11 12:05:54 vpn2 charon: 02[CFG]   candidate "win7" with prio 10+2
Dec 11 12:05:54 vpn2 charon: 02[CFG] found matching child config "win7"
with prio 12
Dec 11 12:05:54 vpn2 charon: 02[CFG] selecting proposal:
Dec 11 12:05:54 vpn2 charon: 02[CFG]   proposal matches
Dec 11 12:05:54 vpn2 charon: 02[CFG] received proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 11 12:05:54 vpn2 charon: 02[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 11 12:05:54 vpn2 charon: 02[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 11 12:05:54 vpn2 charon: 02[CFG] selecting traffic selectors for us:
Dec 11 12:05:54 vpn2 charon: 08[NET] waiting for data on sockets
Dec 11 12:05:54 vpn2 charon: 02[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0
=> match: 0.0.0.0/0
Dec 11 12:05:54 vpn2 charon: 02[CFG]  config: 0.0.0.0/0, received:
::..ff:ff:ff:ff:ff:ff:ff:ff => no match
Dec 11 12:05:54 vpn2 charon: 02[CFG] selecting traffic selectors for other:
Dec 11 12:05:54 vpn2 charon: 02[CFG]  config: 10.10.3.1/32, received:
0.0.0.0/0 => match: 10.10.3.1/32
Dec 11 12:05:54 vpn2 charon: 02[CFG]  config: 10.10.3.1/32, received:
::..ff:ff:ff:ff:ff:ff:ff:ff => no match
Dec 11 12:05:54 vpn2 charon: 02[IKE] CHILD_SA win7{1} established with SPIs
c7990dbd_i 0bddb371_o and TS 0.0.0.0/0 === 10.10.3.1/32
Dec 11 12:05:54 vpn2 charon: 02[ENC] generating IKE_AUTH response 5 [ AUTH
CPRP(ADDR DNS DNS) SA TSi TSr ]
Dec 11 12:05:54 vpn2 charon: 02[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024] (220 bytes)
Dec 11 12:05:54 vpn2 charon: 05[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024]

**************************************
Logs where I removed the EAP user carl from ipsec.secrets and I get EAP
errors.
****************************************

Dec 11 12:08:31 vpn2 charon: 16[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID
]
Dec 11 12:08:31 vpn2 charon: 16[IKE] received EAP identity 'carl'
Dec 11 12:08:31 vpn2 charon: 16[IKE] initiating EAP_MSCHAPV2 method (id
0x30)
Dec 11 12:08:31 vpn2 charon: 16[ENC] generating IKE_AUTH response 2 [
EAP/REQ/MSCHAPV2 ]
Dec 11 12:08:31 vpn2 charon: 16[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024] (108 bytes)
Dec 11 12:08:31 vpn2 charon: 10[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024]
Dec 11 12:08:31 vpn2 charon: 09[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500]
Dec 11 12:08:31 vpn2 charon: 09[NET] waiting for data on sockets
Dec 11 12:08:31 vpn2 charon: 05[NET] received packet: from
191.101.55.203[1024] to 178.62.119.121[4500] (140 bytes)
Dec 11 12:08:31 vpn2 charon: 05[ENC] parsed IKE_AUTH request 3 [
EAP/RES/MSCHAPV2 ]
Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 username: 'carl'
Dec 11 12:08:31 vpn2 charon: 05[IKE] no EAP key found for hosts '
strongholdvpn2.ddns.net' - 'carl'
Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 verification failed,
retry (1)
Dec 11 12:08:33 vpn2 charon: 05[ENC] generating IKE_AUTH response 3 [
EAP/REQ/MSCHAPV2 ]
Dec 11 12:08:33 vpn2 charon: 05[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024] (124 bytes)
Dec 11 12:08:33 vpn2 charon: 10[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[1024]
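The two log excerpts above, as an added example that is not part of the post or of the strongSwan project: a small Python checker that parses charon's [IKE] lines and reports which component verified the EAP credentials. It relies on what the logs themselves show: "initiating EAP_MSCHAPV2 method" means strongSwan's own eap-mschapv2 plugin answered the request and looked the password up in the secrets it loaded at startup, which is why "no EAP key found" appears without any RADIUS request. The EAP_RADIUS method name in the classifier is an assumption about the eap-radius plugin's log output, and the sample records are copied from the post with the mail wrapping undone.

```python
import re

# Excerpts of the charon log quoted in the post, constructed here with one
# record per line (the mailing list wrapped some records over two lines).
WORKING_LOG = """\
Dec 11 12:05:53 vpn2 charon: 15[IKE] received EAP identity 'carl'
Dec 11 12:05:53 vpn2 charon: 15[IKE] initiating EAP_MSCHAPV2 method (id 0x06)
Dec 11 12:05:53 vpn2 charon: 16[IKE] EAP-MS-CHAPv2 username: 'carl'
Dec 11 12:05:53 vpn2 charon: 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
"""

FAILING_LOG = """\
Dec 11 12:08:31 vpn2 charon: 16[IKE] received EAP identity 'carl'
Dec 11 12:08:31 vpn2 charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x30)
Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 username: 'carl'
Dec 11 12:08:31 vpn2 charon: 05[IKE] no EAP key found for hosts 'strongholdvpn2.ddns.net' - 'carl'
Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
"""

# Syslog-style charon record: timestamp, host, "charon:", thread id,
# [GROUP] tag and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d{2})\[(?P<group>[A-Z]{3})\] (?P<msg>.*)$"
)


def parse_line(line):
    """Split one charon log record into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_backend(method):
    """Name the component that actually checked the credentials."""
    if method == "EAP_RADIUS":      # assumed method name logged by eap-radius
        return "radius"
    if method == "EAP_MSCHAPV2":    # strongSwan's own eap-mschapv2 plugin
        return "local-secrets"
    return "unknown"


def analyse_eap(log_text):
    """Summarise the EAP leg of an IKE_AUTH exchange from the [IKE] lines."""
    r = {"identity": None, "method": None, "local_lookup_failed": False,
         "eap_success": False}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["group"] != "IKE":
            continue
        msg = rec["msg"]
        m = re.match(r"received EAP identity '([^']*)'", msg)
        if m:
            r["identity"] = m.group(1)
        m = re.match(r"initiating (EAP_[A-Z0-9]+) method", msg)
        if m:
            r["method"] = m.group(1)
        # The secrets lookup is local; no RADIUS request precedes this line.
        if msg.startswith("no EAP key found for hosts"):
            r["local_lookup_failed"] = True
        if re.match(r"EAP method EAP_[A-Z0-9]+ succeeded", msg):
            r["eap_success"] = True
    r["backend"] = classify_backend(r["method"])
    return r


if __name__ == "__main__":
    for name, text in (("working", WORKING_LOG), ("failing", FAILING_LOG)):
        print(name, analyse_eap(text))
```

A run over a live log with `rightauth=eap-radius` would be the way to confirm that the method line changes and the RADIUS server starts seeing requests.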