[strongSwan] WG: unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius

Martin Shemon Martin.Shemon at parship.com
Thu May 15 09:14:04 CEST 2014


Hi Ian,

Sure, it looks like I am not the only one with this problem… found a lot of stuff in other postings but no proper solution
(other people used certificates), but I want to use my RADIUS server for authentication without certificates.
Let's see if we find a solution; I'll post the results and configs here then.

Regards
Martin


From: Ian McDonald [mailto:iam at st-andrews.ac.uk]
Sent: Wednesday, 14 May 2014 19:37
To: Martin Shemon
Subject: RE: [strongSwan] unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius

If you get this working, would love a copy of your configs with sensitive bits redacted, and if it's not too much trouble how the client side is set up.

Thanks

--
ian

Sent from my phone, please excuse brevity and misspelling.
________________________________
From: Martin Shemon <Martin.Shemon at parship.com>
Sent: 14/05/2014 18:13
To: users at lists.strongswan.org
Subject: [strongSwan] unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius
Hi all,

After testing around the whole day, there is still no working solution for me.

What we have here:

1 Strongswan Server with IKEv2
1 FreeRadius Server
1 DHCP Server
1 Active Directory Server which is behind the RADIUS Server

Authentication via eap-radius and one type of connection which is working for most clients.

Goal is to connect and authenticate all clients with the same connection configuration.

Working Clients:

Windows 7 x64
Android
MacOS X 10.9

Not working Clients:

Ubuntu 10.04 / 12.04

One question: does anybody have such a configuration running? The problem is that the Ubuntu clients (with the strongswan-nm plugin) do not connect because phase 2 (EAP-radius) is not working like the Windows connection. To me it looks like the eap-tls tunnel is not coming up because of a certificate that is not accepted. The certificates work fine on all the other clients.

ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=[hiddenCauseOfPrivacy].pem
    leftid=[hiddenCauseOfPrivacy].net  # DNS name
    leftfirewall=yes

conn win7rad
    right=%any
    rightsourceip=%dhcp
    rightauth=eap-radius
    eap_identity=%identity
    rightsendcert=never
    auto=add


What can we do to analyze this problem in depth?

Regards
Martin Shemon