[strongSwan] Error with EAP-PEAP connection

Ygor Amadeo Sartori Regados ygor.regados at yahoo.com.br
Tue May 13 01:51:59 CEST 2014 

Hi,


I am trying to setup a IKEv2 server with EAP-PEAP authentication, but
the connection doesn't go beyond phase1. The log reports no TLS public
keys being found. Using an StartCom-issued certificate on the server.
What's wrong with my setup?

Client setup: 

> conn rw-ikev2-eap
>         keyexchange=ikev2
>         compress=yes
>         rightid=%fromcert
>         right=vpn.zanardo.com.br
>         rightsubnet=0.0.0.0/0
>         rightauth=eap-peap
>         rightsourceip=%config
>         left=%defaultroute
>         leftauth=eap-peap
>         leftid=ygor
>         leftsendcert=never
>         auto=add



ipsec statusall: 

> Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.11.10-7-desktop, x86_64):
>   uptime: 2 minutes, since May 12 20:39:47 2014
>   malloc: sbrk 2985984, mmap 0, used 611424, free 2374560
>   worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
> Listening IP addresses:
>   192.168.1.10
>   2001:1291:23b:0:22cf:30ff:fef0:fad1
> Connections:
> rw-ikev2-eap:  %any...vpn.zanardo.com.br  IKEv2
> rw-ikev2-eap:   local:  [ygor] uses EAP_PEAP authentication
> rw-ikev2-eap:   remote: [fromcert] uses EAP_PEAP authentication
> rw-ikev2-eap:   child:  dynamic === 0.0.0.0/0 TUNNEL
> Security Associations (0 up, 0 connecting):
>   none



Log:

> initiating IKE_SA rw-ikev2-eap[1] to 200.178.219.170
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.10[500] to 200.178.219.170[500] (1212 bytes)
> received packet: from 200.178.219.170[500] to 192.168.1.10[500] (440 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
> sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
> establishing CHILD_SA rw-ikev2-eap
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (428 bytes)
> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (204 bytes)
> parsed IKE_AUTH response 1 [ IDr EAP/REQ/PEAP ]
> server requested EAP_PEAP authentication (id 0x80)
> EAP_PEAP version is v0
> allow mutual EAP-only authentication
> generating IKE_AUTH request 2 [ EAP/RES/PEAP ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (236 bytes)
> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
> parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
> generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
> parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
> generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
> parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
> generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (1100 bytes)
> parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
> generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (396 bytes)
> parsed IKE_AUTH response 6 [ EAP/REQ/PEAP ]
> negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> received TLS server certificate 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br'
> received TLS intermediate certificate 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA'
>   using certificate "D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br"
>   using trusted intermediate ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
> checking certificate status of "D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br"
>   requesting ocsp status from 'http://ocsp.startssl.com/sub/class1/server/ca' ...
>   using certificate "C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer"
>   using trusted intermediate ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
>   using trusted ca certificate "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
>   reached self-signed root ca with a path length of 1
>   ocsp response correctly signed by "C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer"
>   ocsp response is valid: until May 14 20:40:05 2014
> certificate status is good
> policy 2.23.140.1.2.1 missing in issuing certificate 'C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA'
> no TLS public key found for server 'D=0FKpeSCSnLtP7r7P, C=BR, CN=vpn.zanardo.com.br, E=webmaster at zanardo.com.br'
> sending fatal TLS alert 'certificate unknown'
> generating IKE_AUTH request 7 [ EAP/RES/PEAP ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (92 bytes)
> received packet: from 200.178.219.170[4500] to 192.168.1.10[4500] (76 bytes)
> parsed IKE_AUTH response 7 [ EAP/FAIL ]
> received EAP_FAILURE, EAP authentication failed
> generating INFORMATIONAL request 8 [ N(AUTH_FAILED) ]
> sending packet: from 192.168.1.10[4500] to 200.178.219.170[4500] (76 bytes)
> establishing connection 'rw-ikev2-eap' failed


Thanks,
Ygor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140512/096c0d1c/attachment-0001.html>

More information about the Users mailing list