[strongSwan] WG: unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius

Martin Shemon Martin.Shemon at parship.com
Fri May 16 11:21:09 CEST 2014


Hi all,

I now collected some logs on the SWAN server. Maybe you can see something that I have overlooked.
For me it looks like the TLS connection to the RADIUS server is not working as expected.
On the other hand, a Windows client works as expected.

May 16 10:24:46 psdeprodswan01 charon: 13[NET] received packet: from 2.240.209.118[54149] to 10.10.39.2[500] (712 bytes)
May 16 10:24:46 psdeprodswan01 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] 2.240.209.118 is initiating an IKE_SA
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] IKE_SA (unnamed)[185] state change: CREATED => CONNECTING
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_chunk => 22 bytes @ 0x7f3718025bd0
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: 53 06 1B 1E 26 F0 62 48 00 00 00 00 00 00 00 00  S...&.bH........
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 0A 0A 27 02 01 F4                                ..'...
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_hash => 20 bytes @ 0x7f371800fd50
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: AD 7B FD EF 10 12 23 F4 5A 6D EE 06 8B 61 17 B9  .{....#.Zm...a..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 07 0E CD 2C                                      ...,
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_chunk => 22 bytes @ 0x7f3718025bd0
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: 53 06 1B 1E 26 F0 62 48 00 00 00 00 00 00 00 00  S...&.bH........
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 02 F0 D1 76 D3 85                                ...v..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_hash => 20 bytes @ 0x7f3718016eb0
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: ED D3 CC 6E 30 B3 4C 06 3F 2B DB 0F 51 2B 79 B3  ...n0.L.?+..Q+y.
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 9D B3 0C 8E                                      ....
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] precalculated src_hash => 20 bytes @ 0x7f3718016eb0
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: ED D3 CC 6E 30 B3 4C 06 3F 2B DB 0F 51 2B 79 B3  ...n0.L.?+..Q+y.
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 9D B3 0C 8E                                      ....
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] precalculated dst_hash => 20 bytes @ 0x7f371800fd50
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: AD 7B FD EF 10 12 23 F4 5A 6D EE 06 8B 61 17 B9  .{....#.Zm...a..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 07 0E CD 2C                                      ...,
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] received src_hash => 20 bytes @ 0x7f3718011d40
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: 04 AE 4E 97 B8 D6 09 2C 28 10 C1 0C B8 36 91 F8  ..N....,(....6..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 62 2B 8C 4A                                      b+.J
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] received dst_hash => 20 bytes @ 0x7f3718011870
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: AA BD ED AC 45 C6 5B 1E AA 0F 55 B0 F3 C5 8C 47  ....E.[...U....G
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 5D AE 0D 20                                      ]..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] local host is behind NAT, sending keep alives
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] remote host is behind NAT
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_chunk => 22 bytes @ 0x7f3718025660
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: 53 06 1B 1E 26 F0 62 48 6C 57 EA A9 98 50 BC B1  S...&.bHlW...P..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 0A 0A 27 02 01 F4                                ..'...
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_hash => 20 bytes @ 0x7f371801e280
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: 75 E2 B2 1D 6A FA 2B 95 D0 43 4A F2 42 7E 7C D9  u...j.+..CJ.B~|.
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 71 19 24 F1                                      q.$.
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_chunk => 22 bytes @ 0x7f3718024060
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: 53 06 1B 1E 26 F0 62 48 6C 57 EA A9 98 50 BC B1  S...&.bHlW...P..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: 02 F0 D1 76 D3 85                                ...v..
May 16 10:24:46 psdeprodswan01 charon: 13[IKE] natd_hash => 20 bytes @ 0x7f371801e280
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]    0: 4C 95 2A F1 88 E7 2C 63 33 9E F8 90 E1 6B E2 52  L.*...,c3....k.R
May 16 10:24:46 psdeprodswan01 charon: 13[IKE]   16: AE F7 EC 5F                                      ..._
May 16 10:24:46 psdeprodswan01 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 16 10:24:46 psdeprodswan01 charon: 13[NET] sending packet: from 10.10.39.2[500] to 2.240.209.118[54149] (312 bytes)
May 16 10:24:46 psdeprodswan01 charon: 10[NET] received packet: from 2.240.209.118[4500] to 10.10.39.2[4500] (3356 bytes)
May 16 10:24:46 psdeprodswan01 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] received cert request for unknown ca with keyid

.
. (several unknown certificates here)
.


May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] received cert request for unknown ca with keyid a5:c5:f2:eb:2d:7a:72:5e:a3:ab:37:c5:8a:5a:4f:c7:31:7d:3a:1d
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] received 152 cert requests for an unknown ca
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[CFG] looking for peer configs matching 10.10.39.2[%any]...2.240.209.118[DOMAIN\user]
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[CFG] selected peer config 'win7rad'
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] processing INTERNAL_IP4_DNS attribute
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] processing INTERNAL_IP4_NBNS attribute
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] peer supports MOBIKE

May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] authentication of '[here DNS Name]' (myself) with RSA signature successful
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[IKE] sending end entity cert "C=[country], ST=[town], O=[organization], OU=[anon], CN=[here DNS Name]"
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 10[NET] sending packet: from 10.10.39.2[4500] to 2.240.209.118[4500] (1164 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[NET] received packet: from 2.240.209.118[4500] to 10.10.39.2[4500] (92 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[IKE] received EAP identity '[DOMAIN\username]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[CFG] sending RADIUS Access-Request to server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[CFG] received RADIUS Access-Challenge from server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[IKE] EAP_PEAP payload => 6 bytes @ 0x7f371801c970
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[IKE]    0: 01 01 00 06 19 20                                .....
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[IKE] initiating EAP_PEAP method (id 0x01)
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 15[NET] sending packet: from 10.10.39.2[4500] to 2.240.209.118[4500] (76 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 07[NET] received packet: from 2.240.209.118[4500] to 10.10.39.2[4500] (284 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 07[ENC] parsed IKE_AUTH request 3 [ EAP/RES/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 07[IKE] EAP_PEAP payload => 211 bytes @ 0x7f3718005cb0

May 16 10:24:46 [here DNS Name Swan Server] charon: 07[CFG] sending RADIUS Access-Request to server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 07[CFG] received RADIUS Access-Challenge from server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 07[IKE] EAP_PEAP payload => 1024 bytes @ 0x7f371802b6f0

May 16 10:24:46 [here DNS Name Swan Server] charon: 07[ENC] generating IKE_AUTH response 3 [ EAP/REQ/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 07[NET] sending packet: from 10.10.39.2[4500] to 2.240.209.118[4500] (1100 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[NET] received packet: from 2.240.209.118[4500] to 10.10.39.2[4500] (76 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[ENC] parsed IKE_AUTH request 4 [ EAP/RES/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[IKE] EAP_PEAP payload => 6 bytes @ 0x2006cc0
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[IKE]    0: 02 02 00 06 19 00                                ......
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[CFG] sending RADIUS Access-Request to server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[CFG] received RADIUS Access-Challenge from server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[IKE] EAP_PEAP payload => 1020 bytes @ 0x20096a0
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[ENC] generating IKE_AUTH response 4 [ EAP/REQ/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 16[NET] sending packet: from 10.10.39.2[4500] to 2.240.209.118[4500] (1100 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[NET] received packet: from 2.240.209.118[4500] to 10.10.39.2[4500] (76 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[ENC] parsed IKE_AUTH request 5 [ EAP/RES/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[IKE] EAP_PEAP payload => 6 bytes @ 0x7f3718024290
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[IKE]    0: 02 03 00 06 19 00                                ......
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[CFG] sending RADIUS Access-Request to server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[CFG] received RADIUS Access-Challenge from server '[here DNS Name RADIUS]'
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[IKE] EAP_PEAP payload => 747 bytes @ 0x7f37180088c0
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[ENC] generating IKE_AUTH response 5 [ EAP/REQ/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 05[NET] sending packet: from 10.10.39.2[4500] to 2.240.209.118[4500] (812 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 11[NET] received packet: from 2.240.209.118[4500] to 10.10.39.2[4500] (92 bytes)
May 16 10:24:46 [here DNS Name Swan Server] charon: 11[ENC] parsed IKE_AUTH request 6 [ EAP/RES/PEAP ]
May 16 10:24:46 [here DNS Name Swan Server] charon: 11[IKE] EAP_PEAP payload => 13 bytes @ 0x2009c70
May 16 10:24:46 [here DNS Name Swan Server] charon: 11[IKE]    0: 02 04 00 0D 19 00 15 03 01 00 02 02 31           ............1
May 16 10:24:46 [here DNS Name Swan Server] charon: 11[CFG] sending RADIUS Access-Request to server '[here DNS Name RADIUS]'
May 16 10:24:47 [here DNS Name Swan Server] charon: 11[CFG] received RADIUS Access-Reject from server '[here DNS Name RADIUS]'
May 16 10:24:47 [here DNS Name Swan Server] charon: 11[IKE] RADIUS authentication of '[DOMAIN\username]' failed
May 16 10:24:47 [here DNS Name Swan Server] charon: 11[IKE] EAP method EAP_PEAP failed for peer [DOMAIN\username]
May 16 10:24:47 [here DNS Name Swan Server] charon: 11[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]
May 16 10:24:47 [here DNS Name Swan Server] charon: 11[NET] sending packet: from 10.10.39.2[4500] to 2.240.209.118[4500] (76 bytes)
May 16 10:24:47 [here DNS Name Swan Server] charon: 11[IKE] IKE_SA win7rad[185] state change: CONNECTING => DESTROYING



________________________________
From: Martin Shemon<mailto:Martin.Shemon at parship.com>
Sent: 14/05/2014 18:13
To: users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: [strongSwan] unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius
Hi all,

after testing around the whole day, there is still no working solution for me.

What we have here:

1 Strongswan Server with IKEv2
1 FreeRadius Server
1 DHCP Server
1 Active Directory Server which is behind the RADIUS Server

Authentication via eap-radius and one type of connection which is working for the most clients.

The goal is to connect and authenticate all clients with the same connection configuration.

Working Clients:

Windows 7 x64
Android
MacOS X 10.9

Not working Clients:

Ubuntu 10.04 / 12.04

One question: does anybody have such a configuration running? The problem is that the Ubuntu clients (with the strongswan-nm plugin) do not connect because phase 2 (EAP-RADIUS) is not working like the Windows connection. For me it looks like the EAP-TLS tunnel is not coming up because of a certificate that is not accepted. The certificates work fine on all the other clients.

ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=[hiddenCauseOfPrivacy].pem
    leftid= [hiddenCauseOfPrivacy].net --> DNS Name
    leftfirewall=yes

conn win7rad
    right=%any
    rightsourceip=%dhcp
    rightauth=eap-radius
    eap_identity=%identity
    rightsendcert=never
    auto=add


What can we do to analyze this problem in depth?

Regards
Martin Shemon
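The charon log above prints the raw EAP-PEAP payloads as hex dumps, and the last one the Ubuntu client sent (id 4, 13 bytes) is worth decoding before the RADIUS Access-Reject is blamed on the server. The decoder below is an added example, not strongSwan or mailing-list code; it interprets the bytes per RFC 3748 (EAP header), EAP type 25 (PEAP flags byte) and RFC 5246 (TLS record and alert layout), and the three sample dumps are copied from the log lines above.

```python
# Decoder for the "EAP_PEAP payload =>" hex dumps in the charon log (added example).
# Layout: EAP code(1) id(1) length(2) type(1)=25 flags(1) [TLS length(4) if L] TLS data.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_DESCS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                   46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied",
                   70: "protocol_version", 80: "internal_error"}

# Hex dumps taken from the log above: PEAP start (id 1), empty ACK (id 2), final response (id 4).
PEAP_START = "01 01 00 06 19 20"
PEAP_ACK = "02 02 00 06 19 00"
PEAP_LAST = "02 04 00 0D 19 00 15 03 01 00 02 02 31"


def decode_eap_peap(hexdump: str) -> dict:
    """Decode one EAP packet of type PEAP; the TLS payload is only inspected for alerts."""
    data = bytes.fromhex(hexdump)
    if len(data) < 6:
        raise ValueError("EAP-PEAP packet needs at least 6 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    eap_type, flags = data[4], data[5]
    if eap_type != 25:
        raise ValueError(f"not PEAP: EAP type {eap_type}")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "flags": {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                     "S": bool(flags & 0x20), "version": flags & 0x07},
           "tls_record": None}
    body = data[6:]
    if out["flags"]["L"]:  # L set: a 4-byte total TLS message length precedes the data
        body = body[4:]
    if not body:  # no TLS data: either PEAP Start (S flag) or a fragment acknowledgement
        out["meaning"] = "PEAP start" if out["flags"]["S"] else "ACK (no TLS data)"
    elif body[0] == 21 and len(body) >= 7 and int.from_bytes(body[3:5], "big") == 2:
        # TLS content type 21 = Alert; record body is level(1) + description(1)
        out["tls_record"] = {"type": "alert", "version": f"{body[1]}.{body[2]}",
                             "level": TLS_ALERT_LEVELS.get(body[5], f"unknown({body[5]})"),
                             "description": TLS_ALERT_DESCS.get(body[6], f"unknown({body[6]})")}
        out["meaning"] = "peer aborted the TLS handshake inside PEAP"
    else:
        out["tls_record"] = {"type": f"content_type_{body[0]}", "bytes": len(body)}
        out["meaning"] = "TLS data (handshake/application record)"
    return out


if __name__ == "__main__":
    for dump in (PEAP_START, PEAP_ACK, PEAP_LAST):
        print(dump, "->", decode_eap_peap(dump))
```

Decoding id 4 shows a fatal TLS alert (description 49, access_denied) sent by the client in TLS 1.0 framing, i.e. the client itself tore down the PEAP TLS tunnel and the Access-Reject that follows is the RADIUS server reporting that failure; comparing the same payload from a working Windows client should show a handshake record instead of an alert.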