[strongSwan] Ikev2 with eap-mschapv2 - is freeradius supported ?

carl leopold carlbright772 at gmail.com
Thu Dec 11 20:06:06 CET 2014


Hi,

Thanks for the advice, I have removed the rightauth=eap-mschapv2 and also
for IKEv1. But I can't get it to work for either. About the xauth, is that
not recommended because it's old? It is in the documentation and I have
it working. Please advise why I should not use it.

Try 1) with IKEv2 rightauth=pubkey and rightauth2=eap-radius it does not
work and FreeRADIUS is not called. See log snippet below.

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    rightdns=8.8.8.8,8.8.4.4

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    leftid=strongholdvpn2.ddns.net
    leftsendcert=always
    right=%any
    rightid=*@strongholdvpn2.ddns.net
    rightsourceip=10.10.3.0/24
    eap_identity=%identity
    auto=add
    rightauth=pubkey
    rightauth2=eap-radius

Logs:

Dec 11 13:10:14 vpn2 charon: 13[CFG] selected peer config 'win7'
Dec 11 13:10:14 vpn2 charon: 13[IKE] peer requested EAP, config inacceptable
Dec 11 13:10:14 vpn2 charon: 13[CFG] no alternative config found

*****************

Try 2) with IKEv2 rightauth=eap-radius it does not work, but FreeRADIUS is
called (an improvement). The FreeRADIUS log complains a lot about many
things like plain text password, and goes on about removing 'Auth-Type =
Local' from /etc/freeradius/sites-enabled/default, and it fails the
authentication. But I know the username and password are in the db and
radcheck passes. Also IKEv1 with rightauth=xauth password works as before,
though I have been told that should not be used.

I looked in that config file and there is no 'Auth-Type = Local'. The setup
is all vanilla default and has pam, chap and mschap already set.

I tested with and without eap_identity=%identity and it seems to pass the
user name when it's set, so I keep that.

Not sure what to do next. Any advice would be greatly appreciated.

Many Thanks
Carl

See log snippet below.

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    rightdns=8.8.8.8,8.8.4.4

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    leftid=strongholdvpn2.ddns.net
    leftsendcert=always
    right=%any
    rightid=*@strongholdvpn2.ddns.net
    rightsourceip=10.10.3.0/24
    eap_identity=%identity
    auto=add
    rightauth=eap-radius

Logs:

Dec 11 13:15:50 vpn2 charon: 14[CFG] found matching ike config:
%any...%any with prio 28
Dec 11 13:15:50 vpn2 charon: 14[IKE] 191.101.55.203 is initiating an IKE_SA
Dec 11 13:15:50 vpn2 charon: 14[IKE] IKE_SA (unnamed)[1] state change:
CREATED => CONNECTING
Dec 11 13:15:50 vpn2 charon: 14[CFG] selecting proposal:
Dec 11 13:15:50 vpn2 charon: 14[CFG]   proposal matches
Dec 11 13:15:50 vpn2 charon: 14[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 11 13:15:50 vpn2 charon: 14[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 11 13:15:50 vpn2 charon: 14[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 11 13:15:50 vpn2 charon: 14[IKE] remote host is behind NAT
Dec 11 13:15:50 vpn2 charon: 14[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan Root CA"
Dec 11 13:15:50 vpn2 charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 11 13:15:50 vpn2 charon: 14[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500] (465 bytes)
Dec 11 13:15:50 vpn2 charon: 09[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500]
Dec 11 13:15:50 vpn2 charon: 06[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500]
Dec 11 13:15:50 vpn2 charon: 06[NET] waiting for data on sockets
Dec 11 13:15:50 vpn2 charon: 15[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500] (364 bytes)
Dec 11 13:15:50 vpn2 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 11 13:15:50 vpn2 charon: 15[CFG] looking for peer configs matching
178.62.119.121[strongholdvpn2.ddns.net]...191.101.55.203[client@strongholdvpn2.ddns.net]
Dec 11 13:15:50 vpn2 charon: 15[CFG]   candidate "win7", match: 20/19/28
(me/other/ike)
Dec 11 13:15:50 vpn2 charon: 15[CFG] selected peer config 'win7'
Dec 11 13:15:50 vpn2 charon: 15[IKE] initiating EAP_IDENTITY method (id
0x00)
Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_ADDRESS
attribute
Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_DHCP attribute
Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_DNS attribute
Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_NETMASK
attribute
Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP6_ADDRESS
attribute
Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP6_DHCP attribute
Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP6_DNS attribute
Dec 11 13:15:50 vpn2 charon: 15[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 11 13:15:50 vpn2 charon: 15[IKE] authentication of
'strongholdvpn2.ddns.net' (myself) with RSA signature successful
Dec 11 13:15:50 vpn2 charon: 15[IKE] sending end entity cert "C=CH,
O=strongSwan, CN=strongholdvpn2.ddns.net"
Dec 11 13:15:50 vpn2 charon: 15[ENC] generating IKE_AUTH response 1 [ IDr
CERT AUTH EAP/REQ/ID ]
Dec 11 13:15:50 vpn2 charon: 15[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[4500] (2028 bytes)
Dec 11 13:15:50 vpn2 charon: 09[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[4500]
Dec 11 13:15:50 vpn2 charon: 06[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500]
Dec 11 13:15:50 vpn2 charon: 06[NET] waiting for data on sockets
Dec 11 13:15:50 vpn2 charon: 16[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500] (76 bytes)
Dec 11 13:15:50 vpn2 charon: 16[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID
]
Dec 11 13:15:50 vpn2 charon: 16[IKE] received EAP identity 'carl'
Dec 11 13:15:50 vpn2 charon: 16[CFG] RADIUS server 'primary' is candidate:
210
Dec 11 13:15:50 vpn2 charon: 16[CFG] sending RADIUS Access-Request to
server 'primary'
Dec 11 13:15:51 vpn2 charon: 16[CFG] received RADIUS Access-Reject from
server 'primary'
Dec 11 13:15:51 vpn2 charon: 16[IKE] RADIUS authentication of 'carl' failed
Dec 11 13:15:51 vpn2 charon: 16[IKE] initiating EAP_RADIUS method failed
Dec 11 13:15:51 vpn2 charon: 16[ENC] generating IKE_AUTH response 2 [
EAP/FAIL ]
Dec 11 13:15:51 vpn2 charon: 16[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[4500] (76 bytes)
Dec 11 13:15:51 vpn2 charon: 16[IKE] IKE_SA win7[1] state change:
CONNECTING => DESTROYING
Dec 11 13:15:51 vpn2 charon: 09[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[4500]

Freeradius logs:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 43489, id=105,
length=133
User-Name = "carl"
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 1
NAS-Port-Id = "win7"
NAS-IP-Address = 178.62.119.121
Called-Station-Id = "178.62.119.121[4500]"
Calling-Station-Id = "191.101.55.203[4500]"
NAS-Identifier = "strongSwan"
Message-Authenticator = 0x479e892b8e242a7ee0a7cec41bcdca8e
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "carl", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> carl
[sql] sql_set_user escaped user --> 'carl'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'carl'           ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radreply
      WHERE username = 'carl'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'carl'
      ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> carl
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 105 to 127.0.0.1 port 43489
Waking up in 4.9 seconds.
Cleaning up request 0 ID 105 with timestamp +226
Ready to process requests.


******************

Try 3) IKEv1 with rightauth=eap-radius

Not working now, but was when I used xauth:password.

Logs:

Dec 11 13:50:58 vpn2 charon: 11[IKE] sending XAuth vendor ID
Dec 11 13:50:58 vpn2 charon: 11[IKE] sending DPD vendor ID
Dec 11 13:50:58 vpn2 charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 11 13:50:58 vpn2 charon: 11[ENC] generating ID_PROT response 0 [ SA V V
V ]
Dec 11 13:50:58 vpn2 charon: 11[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500] (136 bytes)
Dec 11 13:50:58 vpn2 charon: 08[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500]
Dec 11 13:50:58 vpn2 charon: 05[NET] received packet: from
191.101.55.203[500] to 178.62.119.121[500]
Dec 11 13:50:58 vpn2 charon: 05[NET] waiting for data on sockets
Dec 11 13:50:58 vpn2 charon: 03[NET] received packet: from
191.101.55.203[500] to 178.62.119.121[500] (228 bytes)
Dec 11 13:50:58 vpn2 charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D
NAT-D ]
Dec 11 13:50:58 vpn2 charon: 03[IKE] remote host is behind NAT
Dec 11 13:50:58 vpn2 charon: 03[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan Root CA"
Dec 11 13:50:58 vpn2 charon: 03[ENC] generating ID_PROT response 0 [ KE No
CERTREQ NAT-D NAT-D ]
Dec 11 13:50:58 vpn2 charon: 03[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500] (314 bytes)
Dec 11 13:50:58 vpn2 charon: 08[NET] sending packet: from
178.62.119.121[500] to 191.101.55.203[500]
Dec 11 13:50:59 vpn2 charon: 05[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500]
Dec 11 13:50:59 vpn2 charon: 05[NET] waiting for data on sockets
Dec 11 13:50:59 vpn2 charon: 12[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500] (2012 bytes)
Dec 11 13:50:59 vpn2 charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG
CERTREQ N(INITIAL_CONTACT) ]
Dec 11 13:50:59 vpn2 charon: 12[IKE] ignoring certificate request without
data
Dec 11 13:50:59 vpn2 charon: 12[IKE] received end entity cert "C=CH,
O=strongSwan, CN=client@yahoo.com"
Dec 11 13:50:59 vpn2 charon: 12[CFG] looking for XAuthInitRSA peer configs
matching 178.62.119.121...191.101.55.203[C=CH, O=strongSwan,
CN=client@yahoo.com]
Dec 11 13:50:59 vpn2 charon: 12[CFG]   candidate "IOS8_IKEV1", match:
1/1/28 (me/other/ike)
Dec 11 13:50:59 vpn2 charon: 12[IKE] found 1 matching config, but none
allows XAuthInitRSA authentication using Main Mode
Dec 11 13:50:59 vpn2 charon: 12[IKE] queueing INFORMATIONAL task
Dec 11 13:50:59 vpn2 charon: 12[IKE] activating new tasks
Dec 11 13:50:59 vpn2 charon: 12[IKE]   activating INFORMATIONAL task
Dec 11 13:50:59 vpn2 charon: 12[ENC] generating INFORMATIONAL_V1 request
3194029422 [ HASH N(AUTH_FAILED) ]
Dec 11 13:50:59 vpn2 charon: 12[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[4500] (92 bytes)
Dec 11 13:50:59 vpn2 charon: 08[NET] sending packet: from
178.62.119.121[4500] to 191.101.55.203[4500]
Dec 11 13:50:59 vpn2 charon: 12[IKE] IKE_SA (unnamed)[1] state change:
CONNECTING => DESTROYING
Dec 11 13:51:02 vpn2 charon: 05[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500]
Dec 11 13:51:02 vpn2 charon: 05[NET] waiting for data on sockets
Dec 11 13:51:05 vpn2 charon: 05[NET] received packet: from
191.101.55.203[4500] to 178.62.119.121[4500]
Dec 11 13:51:05 vpn2 charon: 05[NET] waiting for data on sockets
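The RADIUS exchange behind Try 2, as an added example that is not part of the original post and is not code from the strongSwan or FreeRADIUS projects. It builds the Access-Request charon sent (User-Name, NAS-Port-Id, NAS-Identifier, Message-Authenticator, and no EAP-Message), replays the server-side decision the FreeRADIUS debug output shows ("No User-Password or CHAP-Password attribute in the request" when the request carries nothing rlm_eap, rlm_pap or rlm_chap can act on, plus the warning about User-Password in radcheck), and then shows the two things that change the outcome: an EAP-Message carrying an EAP Response/Identity, which hands the request to rlm_eap, and, going beyond the post, a PAP User-Password checked against a Cleartext-Password row. The shared secret `testing123`, the users `carl` and `alice`, their passwords and the radcheck rows are constructed for the example; the attribute numbers, the Message-Authenticator and Response Authenticator computations and the User-Password hiding follow RFC 2865, RFC 2869 and RFC 3748.

```python
# Added example, not code from the original post, strongSwan or FreeRADIUS: a pure-Python
# RADIUS Access-Request round trip that replays the decision in the FreeRADIUS log above and
# what an EAP-over-RADIUS request carries instead. Secret, users, passwords and radcheck rows
# are constructed for the example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 1, 2, 32, 79, 80, 87
SECRET = b"testing123"  # assumed charon <-> radiusd shared secret
RADCHECK = {"carl": ("User-Password", "s3cret"),         # the row shape the log warned about
            "alice": ("Cleartext-Password", "hunter2")}  # the shape FreeRADIUS asks for

def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS Type/Length/Value stream."""
    out = b""
    for t, v in attrs:
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs

def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (RFC 3748): Code 2, Id, Length, Type 1, identity."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data

def pap_crypt(secret, req_auth, data, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    if not decrypt:
        data += bytes(-len(data) % 16)  # null-pad to a multiple of 16
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else block  # chain on the ciphertext block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(secret, ident, attrs, password=None):
    """Client side. Message-Authenticator = HMAC-MD5(secret, packet with that AVP zeroed) (RFC 2869 5.14)."""
    req_auth = os.urandom(16)
    if password is not None:
        attrs = attrs + [(USER_PASSWORD, pap_crypt(secret, req_auth, password.encode()))]
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # that AVP is last: fill it in

def verify_message_authenticator(secret, pkt):
    mac, zeroed = None, b""
    for t, v in decode_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            mac, v = v, bytes(16)
        zeroed += struct.pack("!BB", t, len(v) + 2) + v
    return mac is not None and hmac.compare_digest(
        mac, hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest())

def build_reply(secret, request, code, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body

def authorize(secret, pkt, radcheck):
    """Server side: the outcome the FreeRADIUS log shows; None means silent discard."""
    if not verify_message_authenticator(secret, pkt):
        return None, "bad or missing Message-Authenticator", []
    attrs = dict(decode_attrs(pkt[20:]))
    attr, known = radcheck.get(attrs.get(USER_NAME, b"").decode(errors="replace"), ("", ""))
    warnings = []
    if attr == "User-Password":  # rlm_pap rewrites this control item, but warns
        warnings.append("Found User-Password in radcheck; store it as Cleartext-Password")
    if EAP_MESSAGE in attrs:  # Auth-Type = EAP: rlm_eap answers with a method proposal
        return ACCESS_CHALLENGE, "EAP-Message present, rlm_eap continues", warnings
    if USER_PASSWORD in attrs:  # Auth-Type = PAP against the known-good password
        ok = pap_crypt(secret, pkt[4:20], attrs[USER_PASSWORD], decrypt=True) == known.encode()
        return (ACCESS_ACCEPT if ok else ACCESS_REJECT), "PAP", warnings
    return ACCESS_REJECT, "No User-Password or CHAP-Password attribute in the request", warnings

def strongswan_attrs(user):
    """Mirrors the rad_recv attribute list above: identity and NAS details, no EAP-Message."""
    return [(USER_NAME, user.encode()), (NAS_PORT_ID, b"win7"), (NAS_IDENTIFIER, b"strongSwan")]

def exchange(secret, attrs, password=None, radcheck=RADCHECK):
    """One round trip; returns (reply code, reason, warnings, reply authenticator verified)."""
    req = build_access_request(secret, 105, attrs, password)
    code, reason, warnings = authorize(secret, req, radcheck)
    if code is None:
        return None, reason, warnings, False
    reply = build_reply(secret, req, code)
    expected = hashlib.md5(reply[:4] + req[4:20] + reply[20:] + secret).digest()
    return code, reason, warnings, hmac.compare_digest(reply[4:20], expected)
```

`exchange(SECRET, strongswan_attrs("carl"))` reproduces the log: an Access-Reject (code 3) with the "No User-Password or CHAP-Password" reason and the Cleartext-Password warning, because nothing in the request gives any authentication module something to check. Adding `(EAP_MESSAGE, eap_identity_response(0, "carl"))` to the same attribute list turns the answer into an Access-Challenge, which is where rlm_eap would start EAP-MSCHAPv2 and use the Cleartext-Password row, and `exchange(SECRET, strongswan_attrs("alice"), password="hunter2")` shows the PAP path the FreeRADIUS warning points at. A flipped byte or a wrong shared secret fails the Message-Authenticator check and the request is discarded rather than rejected.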