[strongSwan] Ikev2 with eap-mschapv2 - is freeradius supported ?
Noel Kuntze
noel at familie-kuntze.de
Thu Dec 11 18:36:39 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Carl,
You need to use rightauth=eap-radius or rightauth2=eap-radius to delegate authentication to a radius server.
Also, there is no "xauth:password" method. What do you want to do with that? Authenticate using xauth with password?
Xauth always prompts for username and password. Set xauth to use the credential store of strongSwan for authentication.
Mit freundlichen Grüßen/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 11.12.2014 um 18:28 schrieb carl leopold:
> Hi,
>
> Thanks with the help from this forum I was able to get a connection working with Ikev2 by setting the ipsec.secrets file with my cert key.
>
> Can i ask for some help with another problem. I have found that Ikev2 is not working with freeradius using eap-mscahpv2 (IOS client) as i expected. I can get it to work by setting the user in the ipsec.secrets file but i am trying to use central freeradius server / mysql DB for authentication and not the sercrets file.
>
> Does eap-mschapv2 only support ipsec.sercrets file and not freeradius ?
>
> From my reading of freeradius supports eap-mschapv2 as its built in and so should just work.
>
> I can get ikev1 user log in ok so that proves freeradius setup is ok and i see it works via freeradius logs. I put two sets of ipsec logs below, one with the user in the ipsec.secrets file that works and another set that shows the errors when removed. I notice that freeradius logs dont get any changes / no contact from strongswan.
>
> Here is the offending part in the logs to save you time reading below:
>
> Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 username: 'carl'
> Dec 11 12:08:31 vpn2 charon: 05[IKE] no EAP key found for hosts 'strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>' - 'carl'
> Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
>
> Any help or advice appreciated. Should i use eap-radius or something else ? From my reading of IOS 8 support i can only use eap-mschapv2.
>
> Many Thanks
> Carl
>
> file Strongswan.conf:
>
> charon {
> load_modular = yes
> plugins {
> include strongswan.d/charon/*.conf
> eap-radius {
> class_group = yes
> eap_start = yes
> servers {
> primary {
> address = vpn2
> secret =sharedsec
> nas_identifer = ipsec-gateway
> sockets = 20
> }
> }
> }
> }
> }
>
> include strongswan.d/*.conf
>
> file ipsec.conf:
>
> conn %default
> keyexchange=ikev2
> ike=aes128-sha1-modp2048!
> esp=aes128-sha1!
> dpdaction=clear
> dpddelay=300s
> rekey=no
> rightdns=8.8.8.8,8.8.4.4
>
> conn win7
> left=%any
> leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> leftauth=pubkey
> leftcert=vpnHostCert.pem
> leftid=strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>
> leftsendcert=always
> right=%any
> rightid=*@strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>
> rightsourceip=10.10.3.0/24 <http://10.10.3.0/24>
> rightauth=eap-mschapv2
> eap_identity=%any
> auto=add
>
> conn IOS8_IKEV1
> keyexchange=ikev1
> left=%any
> leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> leftauth=pubkey
> leftcert=vpnHostCert.pem
> rightauth=pubkey
> rightauth2=xauth:password
> auto=add
> eap_identity=%identity
> rightsourceip=172.16.0.0/16 <http://172.16.0.0/16>
> right=%any
>
>
> file: ipsec.sercets
>
> : RSA vpnHostKey.pem
> carl : EAP "connect1"
>
> include /var/lib/strongswan/ipsec.secrets.inc
>
> Logs where user can login using ipsec.secrets with user set:
>
> Dec 11 12:05:42 vpn2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-37-generic, x86_64)
> Dec 11 12:05:42 vpn2 charon: 00[DMN] agent plugin requires CAP_DAC_OVERRIDE capability
> Dec 11 12:05:42 vpn2 charon: 00[LIB] plugin 'agent': failed to load - agent_plugin_create returned NULL
> Dec 11 12:05:42 vpn2 charon: 00[DMN] xauth-pam plugin requires CAP_AUDIT_WRITE capability
> Dec 11 12:05:42 vpn2 charon: 00[LIB] plugin 'xauth-pam': failed to load - xauth_pam_plugin_create returned NULL
> Dec 11 12:05:42 vpn2 charon: 00[CFG] HA config misses local/remote address
> Dec 11 12:05:42 vpn2 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.pem'
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loaded EAP secret for carl
> Dec 11 12:05:42 vpn2 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
> Dec 11 12:05:42 vpn2 charon: 00[CFG] loaded 1 RADIUS server configuration
> Dec 11 12:05:42 vpn2 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> Dec 11 12:05:42 vpn2 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> Dec 11 12:05:42 vpn2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Dec 11 12:05:42 vpn2 charon: 00[JOB] spawning 16 worker threads
> Dec 11 12:05:42 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 11 12:05:42 vpn2 charon: 09[CFG] received stroke: add connection 'win7'
> Dec 11 12:05:42 vpn2 charon: 09[CFG] conn win7
> Dec 11 12:05:42 vpn2 charon: 09[CFG] left=%any
> Dec 11 12:05:42 vpn2 charon: 09[CFG] leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> Dec 11 12:05:42 vpn2 charon: 09[CFG] leftauth=pubkey
> Dec 11 12:05:42 vpn2 charon: 09[CFG] leftid=strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>
> Dec 11 12:05:42 vpn2 charon: 09[CFG] leftcert=vpnHostCert.pem
> Dec 11 12:05:42 vpn2 charon: 09[CFG] right=%any
> Dec 11 12:05:42 vpn2 charon: 09[CFG] rightsourceip=10.10.3.0/24 <http://10.10.3.0/24>
> Dec 11 12:05:42 vpn2 charon: 09[CFG] rightdns=8.8.8.8,8.8.4.4
> Dec 11 12:05:42 vpn2 charon: 09[CFG] rightauth=eap-mschapv2
> Dec 11 12:05:42 vpn2 charon: 09[CFG] rightid=*@strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>
> Dec 11 12:05:42 vpn2 charon: 09[CFG] eap_identity=%any
> Dec 11 12:05:42 vpn2 charon: 09[CFG] ike=aes128-sha1-modp2048!
> Dec 11 12:05:42 vpn2 charon: 09[CFG] esp=aes128-sha1!
> Dec 11 12:05:42 vpn2 charon: 09[CFG] dpddelay=300
> Dec 11 12:05:42 vpn2 charon: 09[CFG] dpdtimeout=150
> Dec 11 12:05:42 vpn2 charon: 09[CFG] dpdaction=1
> Dec 11 12:05:42 vpn2 charon: 09[CFG] mediation=no
> Dec 11 12:05:42 vpn2 charon: 09[CFG] keyexchange=ikev2
> Dec 11 12:05:42 vpn2 charon: 09[CFG] left nor right host is our side, assuming left=local
> Dec 11 12:05:42 vpn2 charon: 09[CFG] adding virtual IP address pool 10.10.3.0/24 <http://10.10.3.0/24>
> Dec 11 12:05:42 vpn2 charon: 09[CFG] loaded certificate "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>" from 'vpnHostCert.pem'
> Dec 11 12:05:42 vpn2 charon: 09[CFG] added configuration 'win7'
> Dec 11 12:05:42 vpn2 charon: 11[CFG] received stroke: add connection 'IOS8_IKEV1'
> Dec 11 12:05:42 vpn2 charon: 11[CFG] conn IOS8_IKEV1
> Dec 11 12:05:42 vpn2 charon: 11[CFG] left=%any
> Dec 11 12:05:42 vpn2 charon: 11[CFG] leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> Dec 11 12:05:42 vpn2 charon: 11[CFG] leftauth=pubkey
> Dec 11 12:05:42 vpn2 charon: 11[CFG] leftcert=vpnHostCert.pem
> Dec 11 12:05:42 vpn2 charon: 11[CFG] right=%any
> Dec 11 12:05:42 vpn2 charon: 11[CFG] rightsourceip=172.16.0.0/16 <http://172.16.0.0/16>
> Dec 11 12:05:42 vpn2 charon: 11[CFG] rightdns=8.8.8.8,8.8.4.4
> Dec 11 12:05:42 vpn2 charon: 11[CFG] rightauth=pubkey
> Dec 11 12:05:42 vpn2 charon: 11[CFG] rightauth2=xauth:password
> Dec 11 12:05:42 vpn2 charon: 11[CFG] eap_identity=%identity
> Dec 11 12:05:42 vpn2 charon: 11[CFG] ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
> Dec 11 12:05:42 vpn2 charon: 11[CFG] esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
> Dec 11 12:05:42 vpn2 charon: 11[CFG] dpddelay=300
> Dec 11 12:05:42 vpn2 charon: 11[CFG] dpdtimeout=150
> Dec 11 12:05:42 vpn2 charon: 11[CFG] dpdaction=1
> Dec 11 12:05:42 vpn2 charon: 11[CFG] mediation=no
> Dec 11 12:05:42 vpn2 charon: 11[CFG] keyexchange=ikev1
> Dec 11 12:05:42 vpn2 charon: 11[CFG] left nor right host is our side, assuming left=local
> Dec 11 12:05:42 vpn2 charon: 11[CFG] adding virtual IP address pool 172.16.0.0/16 <http://172.16.0.0/16>
> Dec 11 12:05:42 vpn2 charon: 11[CFG] loaded certificate "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>" from 'vpnHostCert.pem'
> Dec 11 12:05:42 vpn2 charon: 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>'
> Dec 11 12:05:42 vpn2 charon: 11[CFG] added configuration 'IOS8_IKEV1'
> Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from 191.101.55.203[500] to 178.62.119.121[500]
> Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 11 12:05:53 vpn2 charon: 13[NET] received packet: from 191.101.55.203[500] to 178.62.119.121[500] (416 bytes)
> Dec 11 12:05:53 vpn2 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 11 12:05:53 vpn2 charon: 13[CFG] looking for an ike config for 178.62.119.121...191.101.55.203
> Dec 11 12:05:53 vpn2 charon: 13[CFG] candidate: %any...%any, prio 28
> Dec 11 12:05:53 vpn2 charon: 13[CFG] found matching ike config: %any...%any with prio 28
> Dec 11 12:05:53 vpn2 charon: 13[IKE] 191.101.55.203 is initiating an IKE_SA
> Dec 11 12:05:53 vpn2 charon: 13[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> Dec 11 12:05:53 vpn2 charon: 13[CFG] selecting proposal:
> Dec 11 12:05:53 vpn2 charon: 13[CFG] proposal matches
> Dec 11 12:05:53 vpn2 charon: 13[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 11 12:05:53 vpn2 charon: 13[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 11 12:05:53 vpn2 charon: 13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 11 12:05:53 vpn2 charon: 13[IKE] remote host is behind NAT
> Dec 11 12:05:53 vpn2 charon: 13[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Dec 11 12:05:53 vpn2 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 11 12:05:53 vpn2 charon: 13[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500] (465 bytes)
> Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500]
> Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500]
> Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 11 12:05:53 vpn2 charon: 14[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500] (364 bytes)
> Dec 11 12:05:53 vpn2 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Dec 11 12:05:53 vpn2 charon: 14[CFG] looking for peer configs matching 178.62.119.121[strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>]...191.101.55.203[client at strongholdvpn2.ddns.net <mailto:client at strongholdvpn2.ddns.net>]
> Dec 11 12:05:53 vpn2 charon: 14[CFG] candidate "win7", match: 20/19/28 (me/other/ike)
> Dec 11 12:05:53 vpn2 charon: 14[CFG] selected peer config 'win7'
> Dec 11 12:05:53 vpn2 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
> Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_ADDRESS attribute
> Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_DHCP attribute
> Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_DNS attribute
> Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP4_NETMASK attribute
> Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP6_ADDRESS attribute
> Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP6_DHCP attribute
> Dec 11 12:05:53 vpn2 charon: 14[IKE] processing INTERNAL_IP6_DNS attribute
> Dec 11 12:05:53 vpn2 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 11 12:05:53 vpn2 charon: 14[IKE] authentication of 'strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>' (myself) with RSA signature successful
> Dec 11 12:05:53 vpn2 charon: 14[IKE] sending end entity cert "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>"
> Dec 11 12:05:53 vpn2 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Dec 11 12:05:53 vpn2 charon: 14[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024] (2028 bytes)
> Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024]
> Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500]
> Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 11 12:05:53 vpn2 charon: 15[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500] (76 bytes)
> Dec 11 12:05:53 vpn2 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Dec 11 12:05:53 vpn2 charon: 15[IKE] received EAP identity 'carl'
> Dec 11 12:05:53 vpn2 charon: 15[IKE] initiating EAP_MSCHAPV2 method (id 0x06)
> Dec 11 12:05:53 vpn2 charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Dec 11 12:05:53 vpn2 charon: 15[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024] (108 bytes)
> Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024]
> Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500]
> Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 11 12:05:53 vpn2 charon: 16[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500] (140 bytes)
> Dec 11 12:05:53 vpn2 charon: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Dec 11 12:05:53 vpn2 charon: 16[IKE] EAP-MS-CHAPv2 username: 'carl'
> Dec 11 12:05:53 vpn2 charon: 16[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Dec 11 12:05:53 vpn2 charon: 16[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024] (140 bytes)
> Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024]
> Dec 11 12:05:53 vpn2 charon: 08[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500]
> Dec 11 12:05:53 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 11 12:05:53 vpn2 charon: 03[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500] (76 bytes)
> Dec 11 12:05:53 vpn2 charon: 03[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Dec 11 12:05:53 vpn2 charon: 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Dec 11 12:05:53 vpn2 charon: 03[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
> Dec 11 12:05:53 vpn2 charon: 03[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024] (76 bytes)
> Dec 11 12:05:53 vpn2 charon: 05[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024]
> Dec 11 12:05:54 vpn2 charon: 08[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500]
> Dec 11 12:05:54 vpn2 charon: 02[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500] (92 bytes)
> Dec 11 12:05:54 vpn2 charon: 02[ENC] parsed IKE_AUTH request 5 [ AUTH ]
> Dec 11 12:05:54 vpn2 charon: 02[IKE] authentication of 'client at strongholdvpn2.ddns.net <mailto:client at strongholdvpn2.ddns.net>' with EAP successful
> Dec 11 12:05:54 vpn2 charon: 02[IKE] authentication of 'strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>' (myself) with EAP
> Dec 11 12:05:54 vpn2 charon: 02[IKE] IKE_SA win7[1] established between 178.62.119.121[strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>]...191.101.55.203[client at strongholdvpn2.ddns.net <mailto:client at strongholdvpn2.ddns.net>]
> Dec 11 12:05:54 vpn2 charon: 02[IKE] IKE_SA win7[1] state change: CONNECTING => ESTABLISHED
> Dec 11 12:05:54 vpn2 charon: 02[IKE] peer requested virtual IP %any
> Dec 11 12:05:54 vpn2 charon: 02[CFG] assigning new lease to 'carl'
> Dec 11 12:05:54 vpn2 charon: 02[IKE] assigning virtual IP 10.10.3.1 to peer 'carl'
> Dec 11 12:05:54 vpn2 charon: 02[IKE] peer requested virtual IP %any6
> Dec 11 12:05:54 vpn2 charon: 02[IKE] no virtual IP found for %any6 requested by 'carl'
> Dec 11 12:05:54 vpn2 charon: 02[IKE] building INTERNAL_IP4_DNS attribute
> Dec 11 12:05:54 vpn2 charon: 02[IKE] building INTERNAL_IP4_DNS attribute
> Dec 11 12:05:54 vpn2 charon: 02[CFG] looking for a child config for 0.0.0.0/0 <http://0.0.0.0/0> ::..ff:ff:ff:ff:ff:ff:ff:ff === 0.0.0.0/0 <http://0.0.0.0/0> ::..ff:ff:ff:ff:ff:ff:ff:ff
> Dec 11 12:05:54 vpn2 charon: 02[CFG] proposing traffic selectors for us:
> Dec 11 12:05:54 vpn2 charon: 02[CFG] 0.0.0.0/0 <http://0.0.0.0/0>
> Dec 11 12:05:54 vpn2 charon: 02[CFG] proposing traffic selectors for other:
> Dec 11 12:05:54 vpn2 charon: 02[CFG] 10.10.3.1/32 <http://10.10.3.1/32>
> Dec 11 12:05:54 vpn2 charon: 02[CFG] candidate "win7" with prio 10+2
> Dec 11 12:05:54 vpn2 charon: 02[CFG] found matching child config "win7" with prio 12
> Dec 11 12:05:54 vpn2 charon: 02[CFG] selecting proposal:
> Dec 11 12:05:54 vpn2 charon: 02[CFG] proposal matches
> Dec 11 12:05:54 vpn2 charon: 02[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> Dec 11 12:05:54 vpn2 charon: 02[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> Dec 11 12:05:54 vpn2 charon: 02[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> Dec 11 12:05:54 vpn2 charon: 02[CFG] selecting traffic selectors for us:
> Dec 11 12:05:54 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 11 12:05:54 vpn2 charon: 02[CFG] config: 0.0.0.0/0 <http://0.0.0.0/0>, received: 0.0.0.0/0 <http://0.0.0.0/0> => match: 0.0.0.0/0 <http://0.0.0.0/0>
> Dec 11 12:05:54 vpn2 charon: 02[CFG] config: 0.0.0.0/0 <http://0.0.0.0/0>, received: ::..ff:ff:ff:ff:ff:ff:ff:ff => no match
> Dec 11 12:05:54 vpn2 charon: 02[CFG] selecting traffic selectors for other:
> Dec 11 12:05:54 vpn2 charon: 02[CFG] config: 10.10.3.1/32 <http://10.10.3.1/32>, received: 0.0.0.0/0 <http://0.0.0.0/0> => match: 10.10.3.1/32 <http://10.10.3.1/32>
> Dec 11 12:05:54 vpn2 charon: 02[CFG] config: 10.10.3.1/32 <http://10.10.3.1/32>, received: ::..ff:ff:ff:ff:ff:ff:ff:ff => no match
> Dec 11 12:05:54 vpn2 charon: 02[IKE] CHILD_SA win7{1} established with SPIs c7990dbd_i 0bddb371_o and TS 0.0.0.0/0 <http://0.0.0.0/0> === 10.10.3.1/32 <http://10.10.3.1/32>
> Dec 11 12:05:54 vpn2 charon: 02[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
> Dec 11 12:05:54 vpn2 charon: 02[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024] (220 bytes)
> Dec 11 12:05:54 vpn2 charon: 05[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024]
>
> **************************************
> Logs where i removed the EAP user carl from ipsec.secrets and i get EAP errors.
> ****************************************
>
> Dec 11 12:08:31 vpn2 charon: 16[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Dec 11 12:08:31 vpn2 charon: 16[IKE] received EAP identity 'carl'
> Dec 11 12:08:31 vpn2 charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x30)
> Dec 11 12:08:31 vpn2 charon: 16[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Dec 11 12:08:31 vpn2 charon: 16[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024] (108 bytes)
> Dec 11 12:08:31 vpn2 charon: 10[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024]
> Dec 11 12:08:31 vpn2 charon: 09[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500]
> Dec 11 12:08:31 vpn2 charon: 09[NET] waiting for data on sockets
> Dec 11 12:08:31 vpn2 charon: 05[NET] received packet: from 191.101.55.203[1024] to 178.62.119.121[4500] (140 bytes)
> Dec 11 12:08:31 vpn2 charon: 05[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 username: 'carl'
> Dec 11 12:08:31 vpn2 charon: 05[IKE] no EAP key found for hosts 'strongholdvpn2.ddns.net <http://strongholdvpn2.ddns.net>' - 'carl'
> Dec 11 12:08:31 vpn2 charon: 05[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
> Dec 11 12:08:33 vpn2 charon: 05[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Dec 11 12:08:33 vpn2 charon: 05[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024] (124 bytes)
> Dec 11 12:08:33 vpn2 charon: 10[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[1024]
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJUidYlAAoJEDg5KY9j7GZYxT8P/jGkdtPI2d9MJnQIsZzwQGMq
Wt1hUEjT8AhEKR/0pz9umz2877TY9xNSm0F2SnDjdtVKuxrswYKlCYCNEKlDPjJs
ceagjWXFHtfOy8QvuFt6f/TQ/MDht8kNLmZ+HGL1IJuW1G8NE/y1GP4/zt91Ira1
gg49Lx41TkIbUHflBVDwJSvI2epq+XhAHXBPeDnPio9aAB2WCd5nnZj4vbYtfc5f
SKO4A2u2kDDdJ86TG+XyblFyBF/zZlOWkKdxmFa8yC8wG2Z5Hrj82J4INKhuPxYC
MkHLJkuUrtWKw21BfkTmJuRP/xGqyhyP/b/JeT6r/hGReU1C5vqCDMko2jpG7C1W
qp6XPV9Ee39BhKxViwtOSF8fm3JnzKWJ5ATW+ku7jlW9IE9nhLOcKJOvqsJBjF+9
xdaM+AhD98OidMKYjglFbGk4PuxcIxE2013u4HMf2xLWT0mdEyIKALCu3tW7GRSu
ZZBPgQSYbpyEk6oMiljRs4zCPnZY1JlZBPL3Cr6fr8xAM8xDG1NthuODDcgPzCCH
vf2/9lgcQfE2q66HmkqPcFOKeE/YgtuzfMFuOtmsEF57WDJ6xdW67zVkrNKnfVmt
APnxikFo5o3wV1q5AqoNOdmlb77QwcbMJvGv2mi1EzwjQq2vbTN+HhBzWdyQVkrB
0bu+wB+Zpn8Ewmub+gdJ
=iiQ3
-----END PGP SIGNATURE-----
More information about the Users
mailing list