[strongSwan] problem with Test ikev2/rw-eap-aka-rsa
Thomas Will
thomas.will at xinux.de
Tue Nov 18 11:35:57 CET 2014
Is it possible that the eap-aka module is corrupt?
I built a connection with eap-mschapv2 without problems ...
Regards ...
Thomas Will
- xinux e.K.- networking - security - consulting - training -
- novell certified linux professional - lpi level 2 certified -
- fon 06332 44040 - fax 06332 899227 - mobil 0170 52 18 548 -
- 66482 zweibruecken - wichernstr. 18 - http://www.xinux.de -
- Amtsgericht - Registergericht - Zweibruecken - HRA 1518 -
On 17.11.2014 at 22:23, Thomas Will wrote:
> Hello list ...
>
> My name is Thomas and I am new to the list :-)
>
> And here is my problem ...
>
> I tried to make a connection like the
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-aka-rsa/
>
> example ...
>
> louie is the server ...
>
> root at louie:~# cat /etc/ipsec.conf
> config setup
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
>
>
> conn rw-eap-aka
> left=192.168.244.153
> leftsubnet=10.66.66.0/24
> leftid=@louie.xinux.org
> leftcert=xin-ca-louie.xinux.org.crt
> leftauth=pubkey
> leftfirewall=yes
> right=%any
> rightid=*@xinux.org
> rightsendcert=never
> rightauth=eap-aka
> auto=add
>
> root at louie:~# cat /etc/ipsec.secrets
> : RSA xin-ca-louie.xinux.org.key
> thomas at xinux.org : EAP "suxer"
>
>
> root at louie:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux
> 3.13.0-24-generic, x86_64):
> uptime: 41 minutes, since Nov 17 21:35:27 2014
> malloc: sbrk 2416640, mmap 0, used 359792, free 2056848
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl
> xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default
> stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
> Listening IP addresses:
> 192.168.244.153
> 10.66.66.1
> Connections:
> rw-eap-aka: 192.168.244.153...%any IKEv2
> rw-eap-aka: local: [louie.xinux.org] uses public key authentication
> rw-eap-aka: cert: "C=de, ST=rlp, L=zw, O=xinux, OU=it,
> CN=louie.xinux.org"
> rw-eap-aka: remote: [*@xinux.org] uses EAP_AKA authentication
> rw-eap-aka: child: 10.66.66.0/24 === dynamic TUNNEL
> Security Associations (0 up, 0 connecting):
> none
>
>
> root at louie:~# tail -f /var/log/syslog
> Nov 17 22:18:36 louie charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Nov 17 22:18:36 louie charon: 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/xin-ca-louie.xinux.org.key'
> Nov 17 22:18:36 louie charon: 00[CFG] loaded EAP secret for
> thomas at xinux.org
> Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon
> test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation
> constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr
> ccm gcm attr kernel-netlink resolve socket-default stroke updown
> eap-identity eap-aka eap-aka-3gpp2 addrblock
> Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features
> (7 due to unmet dependencies)
> Nov 17 22:18:36 louie charon: 00[LIB] dropped capabilities, running as
> uid 0, gid 0
> Nov 17 22:18:36 louie charon: 00[JOB] spawning 16 worker threads
> Nov 17 22:18:36 louie charon: 05[CFG] received stroke: add connection
> 'rw-eap-aka'
> Nov 17 22:18:36 louie charon: 05[CFG] loaded certificate "C=de,
> ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org" from
> 'xin-ca-louie.xinux.org.crt'
> Nov 17 22:18:36 louie charon: 05[CFG] added configuration 'rw-eap-aka'
>
>
>
> -------
>
> maria is the client ...
>
> root at maria:~# cat /etc/ipsec.conf
> config setup
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
>
> conn home
> left=192.168.244.154
> leftnexthop=%direct
> leftid=thomas at xinux.org
> leftauth=eap
> leftfirewall=yes
> right=192.168.244.153
> rightid=@louie.xinux.org
> rightsubnet=10.66.66.0/24
> rightauth=pubkey
> auto=add
>
> root at maria:~# cat /etc/ipsec.secrets
> thomas at xinux.org : EAP "suxer"
>
> root at maria:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux
> 3.13.0-24-generic, x86_64):
> uptime: 18 minutes, since Nov 17 21:58:36 2014
> malloc: sbrk 2433024, mmap 0, used 349808, free 2083216
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl
> xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default
> stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
> Listening IP addresses:
> 192.168.244.154
> 10.55.55.1
> Connections:
> home: 192.168.244.154...192.168.244.153 IKEv2
> home: local: [thomas at xinux.org] uses EAP authentication
> home: remote: [louie.xinux.org] uses public key authentication
> home: child: dynamic === 10.66.66.0/24 TUNNEL
> Security Associations (0 up, 0 connecting):
> none
>
>
>
> root at maria:~# tail -f /var/log/syslog
> Nov 17 22:19:25 maria charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Nov 17 22:19:25 maria charon: 00[CFG] loaded crl from
> '/etc/ipsec.d/crls/xin-ca.crl'
> Nov 17 22:19:25 maria charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Nov 17 22:19:25 maria charon: 00[CFG] loaded EAP secret for
> thomas at xinux.org
> Nov 17 22:19:25 maria charon: 00[LIB] loaded plugins: charon
> test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation
> constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr
> ccm gcm attr kernel-netlink resolve socket-default stroke updown
> eap-identity eap-aka eap-aka-3gpp2 addrblock
> Nov 17 22:19:25 maria charon: 00[LIB] unable to load 7 plugin features
> (7 due to unmet dependencies)
> Nov 17 22:19:25 maria charon: 00[LIB] dropped capabilities, running as
> uid 0, gid 0
> Nov 17 22:19:25 maria charon: 00[JOB] spawning 16 worker threads
> Nov 17 22:19:25 maria charon: 05[CFG] received stroke: add connection
> 'home'
> Nov 17 22:19:25 maria charon: 05[CFG] added configuration 'home'
>
> -----
>
> I think this is ok ...
>
>
> But when I start maria (I get this)
>
> root at maria:~# ipsec up home
> initiating IKE_SA home[1] to 192.168.244.153
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.244.154[500] to 192.168.244.153[500]
> (1212 bytes)
> received packet: from 192.168.244.153[500] to 192.168.244.154[500]
> (440 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> sending cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
> establishing CHILD_SA home
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi
> TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500]
> (412 bytes)
> received packet: from 192.168.244.153[4500] to 192.168.244.154[4500]
> (92 bytes)
> parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
> received EAP_FAILURE, EAP authentication failed
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500]
> (76 bytes)
> establishing connection 'home' failed
>
>
>
>
> The log on louie shows "loading EAP_AKA method failed"
>
> Nov 17 22:20:42 louie charon: 10[NET] received packet: from
> 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
> Nov 17 22:20:42 louie charon: 10[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 17 22:20:42 louie charon: 10[IKE] 192.168.244.154 is initiating an
> IKE_SA
> Nov 17 22:20:42 louie charon: 10[ENC] generating IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Nov 17 22:20:42 louie charon: 10[NET] sending packet: from
> 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
> Nov 17 22:20:43 louie charon: 11[NET] received packet: from
> 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
> Nov 17 22:20:43 louie charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi
> N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
> Nov 17 22:20:43 louie charon: 11[IKE] received cert request for "C=de,
> ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
> Nov 17 22:20:43 louie charon: 11[CFG] looking for peer configs
> matching
> 192.168.244.153[louie.xinux.org]...192.168.244.154[thomas at xinux.org]
> Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
> Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
> Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
> Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [
> IDr EAP/FAIL ]
> Nov 17 22:20:43 louie charon: 11[NET] sending packet: from
> 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>
> ------
>
>
> I have no clue ... where the problem is :-)
>
>
> Regards, Thomas
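To make the responder-side failure easier to spot in a longer syslog, here is an added log-triage example (not from the post above and not strongSwan code): it groups charon lines by worker thread, records the selected peer config and any "loading EAP_* method failed" line, and reports the threads that ended by sending an IKE_AUTH response carrying EAP/FAIL. The sample lines are the ones from louie's log in the post, re-joined onto single lines; the regexes and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Sample charon syslog lines, taken from the responder ("louie") log quoted
# above and re-joined onto single lines (the mail archive wrapped them).
SAMPLE_LOG = """\
Nov 17 22:20:43 louie charon: 11[CFG] looking for peer configs matching 192.168.244.153[louie.xinux.org]...192.168.244.154[thomas at xinux.org]
Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Nov 17 22:20:43 louie charon: 11[NET] sending packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
"""

# charon prefixes each message with "<thread>[<GROUP>]", e.g. "11[IKE]".
LINE_RE = re.compile(r'charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
METHOD_FAIL_RE = re.compile(r'loading (?P<method>EAP_[A-Z0-9_]+) method failed')
CONFIG_RE = re.compile(r"selected peer config '(?P<conn>[^']+)'")


def parse(log):
    """Yield (thread, group, msg) for every charon line; skip other syslog lines."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group('thread'), m.group('group'), m.group('msg')


def find_eap_failures(log):
    """Return {thread: info} for each worker thread that sent an IKE_AUTH
    response with EAP/FAIL, where info holds the peer config selected on that
    thread and the EAP method charon reported it could not load (None if the
    failure had another cause). Thread ids are reused over time, so feed this
    one exchange or a short time window, not a whole day of syslog."""
    state = defaultdict(lambda: {'conn': None, 'method': None, 'failed': False})
    for thread, group, msg in parse(log):
        s = state[thread]
        m = CONFIG_RE.search(msg)
        if m:
            s['conn'] = m.group('conn')
        m = METHOD_FAIL_RE.search(msg)
        if m:
            s['method'] = m.group('method')
        if group == 'ENC' and 'IKE_AUTH response' in msg and 'EAP/FAIL' in msg:
            s['failed'] = True
    return {t: s for t, s in state.items() if s['failed']}


if __name__ == '__main__':
    for thread, info in find_eap_failures(SAMPLE_LOG).items():
        print(f"thread {thread}: conn={info['conn']} method_failed={info['method']}")
```

A method that fails to load before any EAP round trip points at the responder's own plugin or backend setup rather than at the peer's credentials, which is the distinction this report makes visible.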