[strongSwan] Ikev2 with eap-mschapv2 - is freeradius supported ?

Noel Kuntze noel at familie-kuntze.de
Thu Dec 11 20:35:14 CET 2014



Hello Carl,

EAP is for IKEv2. XAUTH is for IKEv1. Use those for user authentication in conns for the respective versions of IKE.

Xauth simply does not work in a conn definition that enforces the usage of IKEv2, as there is no Xauth in the IKEv2 standard.
EAP does not work in a conn definition that enforces the usage of IKEv1, as there is no EAP in the IKEv1 standard.

Windows 7 uses EAP to authenticate itself against the IPsec responder. It does not use RSA in the first round. Hence, only your
second version of the conn definition works.

There is no "xauth:password" plugin in strongSwan that has that name. Look at the plugin list [1] of strongSwan to see what
plugins are available. If you want to authenticate clients using IKEv1 and XAuth using RADIUS, you can use the 'xauth-eap'
module to basically proxy the XAuth authentication through EAP to be able to use the 'eap-radius' module [2].

You might need to adjust your FreeRADIUS configuration to work correctly with strongSwan. Maybe put the (eap-)mschapv2 module in front of
the sql module in 'authorize'?

[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginList
[2] https://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
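The conn definitions this advice amounts to, together with the plugin settings that eap-radius and xauth-eap read from strongswan.conf, as an added example that is not part of the thread. The IKEv1 conn name, the RADIUS address and the shared secret are assumed placeholders; the IKEv1 conn uses rightauth=pubkey because the logged exchange is XAuthInitRSA (client certificate followed by an XAuth password).

```conf
# ipsec.conf (assumed layout; lines unrelated to authentication omitted)
conn win7
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    leftsendcert=always
    # Windows 7 starts with EAP, so EAP must be the single client auth round
    rightauth=eap-radius
    eap_identity=%identity

conn ios_ikev1
    keyexchange=ikev1
    leftauth=pubkey
    # client certificate first (XAuthInitRSA), then the XAuth password
    rightauth=pubkey
    # xauth-eap hands the XAuth credentials to an EAP backend (here eap-radius)
    rightauth2=xauth-eap

# strongswan.conf
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 127.0.0.1
                    secret = CHANGE_ME
                }
            }
        }
        xauth-eap {
            # EAP method used to verify XAuth credentials (radius is the default)
            backend = radius
        }
    }
}
```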

On 11.12.2014 at 20:06, carl leopold wrote:
> Hi,
>
> Thanks for the advice, I have removed the rightauth=eap-mschapv2 and also for IKEv1. But I can't get it to work for either. About XAuth: is that not recommended because it's old? It is in the documentation and I have it working. Please advise why I should not use it.
>
> Try 1) With IKEv2, rightauth=pubkey and rightauth2=eap-radius it does not work and FreeRADIUS is not called. See log snippet below.
>
> conn %default
>     keyexchange=ikev2
>     ike=aes128-sha1-modp2048!
>     esp=aes128-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     rightdns=8.8.8.8,8.8.4.4
>
> conn win7
>     left=%any
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=vpnHostCert.pem
>     leftid=strongholdvpn2.ddns.net
>     leftsendcert=always
>     right=%any
>     rightid=*@strongholdvpn2.ddns.net
>     rightsourceip=10.10.3.0/24
>     eap_identity=%identity
>     auto=add
>     rightauth=pubkey
>     rightauth2=eap-radius
>
> Logs:
>
> Dec 11 13:10:14 vpn2 charon: 13[CFG] selected peer config 'win7'
> Dec 11 13:10:14 vpn2 charon: 13[IKE] peer requested EAP, config inacceptable
> Dec 11 13:10:14 vpn2 charon: 13[CFG] no alternative config found
>
> *****************
>
> Try 2) With IKEv2 and rightauth=eap-radius it does not work, but FreeRADIUS is called (an improvement). The FreeRADIUS log complains a lot about many things like the plain text password, goes on about removing 'Auth-Type = Local' from /etc/freeradius/sites-enabled/default, and fails the authentication. But I know the username and password are in the DB and radcheck passes. Also IKEv1 with rightauth:xauth password works as before, though I have been told that should not be used.
>
> I looked in that config file and there is no 'Auth-Type = Local'. The setup is all vanilla default and has pam and chap and mschap already set.
>
> I tested with and without eap_identity=%identity and it seems to pass the user name when it's set, so I keep that.
>
> Not sure what to do next. Any advice would be greatly appreciated.
>
> Many Thanks
> Carl
>
> See log snippet below.
>
> conn %default
>     keyexchange=ikev2
>     ike=aes128-sha1-modp2048!
>     esp=aes128-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     rightdns=8.8.8.8,8.8.4.4
>
> conn win7
>     left=%any
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=vpnHostCert.pem
>     leftid=strongholdvpn2.ddns.net
>     leftsendcert=always
>     right=%any
>     rightid=*@strongholdvpn2.ddns.net
>     rightsourceip=10.10.3.0/24
>     eap_identity=%identity
>     auto=add
>     rightauth=eap-radius
>
> Dec 11 13:15:50 vpn2 charon: 14[CFG] found matching ike config: %any...%any with prio 28
> Dec 11 13:15:50 vpn2 charon: 14[IKE] 191.101.55.203 is initiating an IKE_SA
> Dec 11 13:15:50 vpn2 charon: 14[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> Dec 11 13:15:50 vpn2 charon: 14[CFG] selecting proposal:
> Dec 11 13:15:50 vpn2 charon: 14[CFG]   proposal matches
> Dec 11 13:15:50 vpn2 charon: 14[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 11 13:15:50 vpn2 charon: 14[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 11 13:15:50 vpn2 charon: 14[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 11 13:15:50 vpn2 charon: 14[IKE] remote host is behind NAT
> Dec 11 13:15:50 vpn2 charon: 14[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Dec 11 13:15:50 vpn2 charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 11 13:15:50 vpn2 charon: 14[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500] (465 bytes)
> Dec 11 13:15:50 vpn2 charon: 09[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500]
> Dec 11 13:15:50 vpn2 charon: 06[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500]
> Dec 11 13:15:50 vpn2 charon: 06[NET] waiting for data on sockets
> Dec 11 13:15:50 vpn2 charon: 15[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500] (364 bytes)
> Dec 11 13:15:50 vpn2 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Dec 11 13:15:50 vpn2 charon: 15[CFG] looking for peer configs matching 178.62.119.121[strongholdvpn2.ddns.net]...191.101.55.203[client@strongholdvpn2.ddns.net]
> Dec 11 13:15:50 vpn2 charon: 15[CFG]   candidate "win7", match: 20/19/28 (me/other/ike)
> Dec 11 13:15:50 vpn2 charon: 15[CFG] selected peer config 'win7'
> Dec 11 13:15:50 vpn2 charon: 15[IKE] initiating EAP_IDENTITY method (id 0x00)
> Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_ADDRESS attribute
> Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_DHCP attribute
> Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_DNS attribute
> Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP4_NETMASK attribute
> Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP6_ADDRESS attribute
> Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP6_DHCP attribute
> Dec 11 13:15:50 vpn2 charon: 15[IKE] processing INTERNAL_IP6_DNS attribute
> Dec 11 13:15:50 vpn2 charon: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 11 13:15:50 vpn2 charon: 15[IKE] authentication of 'strongholdvpn2.ddns.net' (myself) with RSA signature successful
> Dec 11 13:15:50 vpn2 charon: 15[IKE] sending end entity cert "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net"
> Dec 11 13:15:50 vpn2 charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Dec 11 13:15:50 vpn2 charon: 15[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[4500] (2028 bytes)
> Dec 11 13:15:50 vpn2 charon: 09[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[4500]
> Dec 11 13:15:50 vpn2 charon: 06[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500]
> Dec 11 13:15:50 vpn2 charon: 06[NET] waiting for data on sockets
> Dec 11 13:15:50 vpn2 charon: 16[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500] (76 bytes)
> Dec 11 13:15:50 vpn2 charon: 16[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Dec 11 13:15:50 vpn2 charon: 16[IKE] received EAP identity 'carl'
> Dec 11 13:15:50 vpn2 charon: 16[CFG] RADIUS server 'primary' is candidate: 210
> Dec 11 13:15:50 vpn2 charon: 16[CFG] sending RADIUS Access-Request to server 'primary'
> Dec 11 13:15:51 vpn2 charon: 16[CFG] received RADIUS Access-Reject from server 'primary'
> Dec 11 13:15:51 vpn2 charon: 16[IKE] RADIUS authentication of 'carl' failed
> Dec 11 13:15:51 vpn2 charon: 16[IKE] initiating EAP_RADIUS method failed
> Dec 11 13:15:51 vpn2 charon: 16[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
> Dec 11 13:15:51 vpn2 charon: 16[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[4500] (76 bytes)
> Dec 11 13:15:51 vpn2 charon: 16[IKE] IKE_SA win7[1] state change: CONNECTING => DESTROYING
> Dec 11 13:15:51 vpn2 charon: 09[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[4500]
>
> Freeradius logs:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 43489, id=105, length=133
> User-Name = "carl"
> NAS-Port-Type = Virtual
> Service-Type = Framed-User
> NAS-Port = 1
> NAS-Port-Id = "win7"
> NAS-IP-Address = 178.62.119.121
> Called-Station-Id = "178.62.119.121[4500]"
> Calling-Station-Id = "191.101.55.203[4500]"
> NAS-Identifier = "strongSwan"
> Message-Authenticator = 0x479e892b8e242a7ee0a7cec41bcdca8e
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "carl", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> [sql] expand: %{User-Name} -> carl
> [sql] sql_set_user escaped user --> 'carl'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'carl'           ORDER BY id
> WARNING: Found User-Password == "...".
> WARNING: Are you sure you don't mean Cleartext-Password?
> WARNING: See "man rlm_pap" for more information.
> [sql] User found in radcheck table
> [sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'carl'           ORDER BY id
> [sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'carl'           ORDER BY priority
> rlm_sql (sql): Released sql socket id: 4
> ++[sql] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] No clear-text password in the request.  Not performing PAP.
> ++[pap] returns noop
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No User-Password or CHAP-Password attribute in the request.
> Cannot perform authentication.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> carl
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 105 to 127.0.0.1 port 43489
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 105 with timestamp +226
> Ready to process requests.
>
>
> ******************
>
> Try 3) IKEv1 with rightauth=eap-radius
>
> Not working now, but it was when I used xauth:password.
>
> Logs
>
> Dec 11 13:50:58 vpn2 charon: 11[IKE] sending XAuth vendor ID
> Dec 11 13:50:58 vpn2 charon: 11[IKE] sending DPD vendor ID
> Dec 11 13:50:58 vpn2 charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
> Dec 11 13:50:58 vpn2 charon: 11[ENC] generating ID_PROT response 0 [ SA V V V ]
> Dec 11 13:50:58 vpn2 charon: 11[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500] (136 bytes)
> Dec 11 13:50:58 vpn2 charon: 08[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500]
> Dec 11 13:50:58 vpn2 charon: 05[NET] received packet: from 191.101.55.203[500] to 178.62.119.121[500]
> Dec 11 13:50:58 vpn2 charon: 05[NET] waiting for data on sockets
> Dec 11 13:50:58 vpn2 charon: 03[NET] received packet: from 191.101.55.203[500] to 178.62.119.121[500] (228 bytes)
> Dec 11 13:50:58 vpn2 charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Dec 11 13:50:58 vpn2 charon: 03[IKE] remote host is behind NAT
> Dec 11 13:50:58 vpn2 charon: 03[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Dec 11 13:50:58 vpn2 charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> Dec 11 13:50:58 vpn2 charon: 03[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500] (314 bytes)
> Dec 11 13:50:58 vpn2 charon: 08[NET] sending packet: from 178.62.119.121[500] to 191.101.55.203[500]
> Dec 11 13:50:59 vpn2 charon: 05[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500]
> Dec 11 13:50:59 vpn2 charon: 05[NET] waiting for data on sockets
> Dec 11 13:50:59 vpn2 charon: 12[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500] (2012 bytes)
> Dec 11 13:50:59 vpn2 charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
> Dec 11 13:50:59 vpn2 charon: 12[IKE] ignoring certificate request without data
> Dec 11 13:50:59 vpn2 charon: 12[IKE] received end entity cert "C=CH, O=strongSwan, CN=client@yahoo.com"
> Dec 11 13:50:59 vpn2 charon: 12[CFG] looking for XAuthInitRSA peer configs matching 178.62.119.121...191.101.55.203[C=CH, O=strongSwan, CN=client@yahoo.com]
> Dec 11 13:50:59 vpn2 charon: 12[CFG]   candidate "IOS8_IKEV1", match: 1/1/28 (me/other/ike)
> Dec 11 13:50:59 vpn2 charon: 12[IKE] found 1 matching config, but none allows XAuthInitRSA authentication using Main Mode
> Dec 11 13:50:59 vpn2 charon: 12[IKE] queueing INFORMATIONAL task
> Dec 11 13:50:59 vpn2 charon: 12[IKE] activating new tasks
> Dec 11 13:50:59 vpn2 charon: 12[IKE]   activating INFORMATIONAL task
> Dec 11 13:50:59 vpn2 charon: 12[ENC] generating INFORMATIONAL_V1 request 3194029422 [ HASH N(AUTH_FAILED) ]
> Dec 11 13:50:59 vpn2 charon: 12[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[4500] (92 bytes)
> Dec 11 13:50:59 vpn2 charon: 08[NET] sending packet: from 178.62.119.121[4500] to 191.101.55.203[4500]
> Dec 11 13:50:59 vpn2 charon: 12[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
> Dec 11 13:51:02 vpn2 charon: 05[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500]
> Dec 11 13:51:02 vpn2 charon: 05[NET] waiting for data on sockets
> Dec 11 13:51:05 vpn2 charon: 05[NET] received packet: from 191.101.55.203[4500] to 178.62.119.121[4500]
> Dec 11 13:51:05 vpn2 charon: 05[NET] waiting for data on sockets
>
>
>
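A small triage script over the three charon failure signatures quoted in this message, added here and not part of the thread. The sample lines are constructed by condensing the logs above; the remedy attached to each stage is the one the reply and the FreeRADIUS warnings point to.

```python
import re

# Constructed sample: charon lines condensed from the three attempts quoted in this thread.
SAMPLE_LOGS = """\
Dec 11 13:10:14 vpn2 charon: 13[CFG] selected peer config 'win7'
Dec 11 13:10:14 vpn2 charon: 13[IKE] peer requested EAP, config inacceptable
Dec 11 13:15:50 vpn2 charon: 15[CFG] selected peer config 'win7'
Dec 11 13:15:50 vpn2 charon: 16[CFG] sending RADIUS Access-Request to server 'primary'
Dec 11 13:15:51 vpn2 charon: 16[CFG] received RADIUS Access-Reject from server 'primary'
Dec 11 13:50:59 vpn2 charon: 12[CFG]   candidate "IOS8_IKEV1", match: 1/1/28 (me/other/ike)
Dec 11 13:50:59 vpn2 charon: 12[IKE] found 1 matching config, but none allows XAuthInitRSA authentication using Main Mode
"""

# syslog timestamp, host, charon thread id, log group ([CFG], [IKE], ...) and the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] +(?P<msg>.*)$")
# conn name from "selected peer config 'x'" or from a listed candidate "x"
CONN_RE = re.compile(r'selected peer config \'([^\']+)\'|candidate "([^"]+)"')

# (message pattern, failure stage, remedy the thread arrives at for that stage)
RULES = [
    (re.compile(r"peer requested EAP, config inacceptable"), "ikev2-auth-mismatch",
     "client starts with EAP, not RSA: use rightauth=eap-radius, not rightauth=pubkey"),
    (re.compile(r"received RADIUS Access-Reject from server '(?P<server>[^']+)'"), "radius-reject",
     "IKE and the RADIUS exchange work; fix FreeRADIUS (Cleartext-Password in radcheck, EAP/MSCHAPv2 ahead of sql in authorize)"),
    (re.compile(r"none allows (?P<auth>\w+) authentication using Main Mode"), "ikev1-auth-mismatch",
     "IKEv1 has no EAP: use rightauth2=xauth-eap, which forwards XAuth to eap-radius"),
]


def triage(text):
    """Walk charon lines in order and tag each failure with the most recently chosen conn."""
    findings, conn = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line (e.g. FreeRADIUS output pasted into the same file)
        msg = m.group("msg")
        chosen = CONN_RE.search(msg)
        if chosen:
            conn = chosen.group(1) or chosen.group(2)
        for pattern, stage, advice in RULES:
            hit = pattern.search(msg)
            if hit:
                findings.append({"time": m.group("ts"), "conn": conn, "stage": stage,
                                 "advice": advice, **hit.groupdict()})
    return findings
```

Running `triage(SAMPLE_LOGS)` yields one finding per attempt, in the order the attempts were made.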




