[strongSwan] problem with Test ikev2/rw-eap-aka-rsa

Thomas Will thomas.will at xinux.de
Tue Nov 18 12:46:05 CET 2014


hello noel,

thanks in advance :-)

here is my server side ipsec.conf ...

the log as attachment ...

----
config setup
         charondebug="lib 3, cfg 2"

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2


conn rw-eap-aka
        left=192.168.244.153
        leftsubnet=10.66.66.0/24
        leftid=@louie.xinux.org
        leftcert=xin-ca-louie.xinux.org.crt
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightid=*@xinux.org
        rightsendcert=never
        rightauth=eap-aka
        auto=add

----

thomas will
- xinux e.K.- networking - security - consulting - training   -
- novell certified linux professional - lpi level 2 certified -
- fon 06332 44040  - fax 06332 899227  - mobil 0170 52 18 548  -
- 66482 zweibruecken - wichernstr. 18  - http://www.xinux.de  -
- Amtsgericht  -  Registergericht  -  Zweibruecken - HRA 1518 -

On 18.11.2014 at 11:54, Noel Kuntze wrote:
> Hello Thomas,
>
> Please enable file logging [1] with cfg and lib set to 2.
> Then please show us the log that was created.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> Kind regards/Regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 18.11.2014 at 11:35, Thomas Will wrote:
>> is it possible that the eap-aka module is corrupt?
>>
>> I built a connection with eap-mschapv2 without problems ...
>>
>> regards ...
>>
>> thomas will
>> - xinux e.K.- networking - security - consulting - training   -
>> - novell certified linux professional - lpi level 2 certified -
>> - fon 06332 44040  - fax 06332 899227  - mobil 0170 52 18 548  -
>> - 66482 zweibruecken - wichernstr. 18  - http://www.xinux.de  -
>> - Amtsgericht  -  Registergericht  -  Zweibruecken - HRA 1518 -
>>
>> On 17.11.2014 at 22:23, Thomas Will wrote:
>>> hello list ...
>>>
>>> my name is thomas and I am new on the list :-)
>>>
>>> and here is my problem ...
>>> I tried to make a connection like the
>>>
>>> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-aka-rsa/
>>>
>>> example ...
>>>
>>> louie is the server ...
>>>
>>> root at louie:~# cat /etc/ipsec.conf
>>> config setup
>>>
>>> conn %default
>>>      ikelifetime=60m
>>>      keylife=20m
>>>      rekeymargin=3m
>>>      keyingtries=1
>>>      keyexchange=ikev2
>>>
>>>
>>> conn rw-eap-aka
>>>         left=192.168.244.153
>>>         leftsubnet=10.66.66.0/24
>>>         leftid=@louie.xinux.org
>>>         leftcert=xin-ca-louie.xinux.org.crt
>>>         leftauth=pubkey
>>>         leftfirewall=yes
>>>         right=%any
>>>         rightid=*@xinux.org
>>>         rightsendcert=never
>>>         rightauth=eap-aka
>>>         auto=add
>>>
>>> root at louie:~# cat /etc/ipsec.secrets
>>> : RSA xin-ca-louie.xinux.org.key
>>> thomas at xinux.org : EAP "suxer"
>>>
>>>
>>> root at louie:~# ipsec statusall
>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>    uptime: 41 minutes, since Nov 17 21:35:27 2014
>>>    malloc: sbrk 2416640, mmap 0, used 359792, free 2056848
>>>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>    loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>> Listening IP addresses:
>>>    192.168.244.153
>>>    10.66.66.1
>>> Connections:
>>>    rw-eap-aka:  192.168.244.153...%any  IKEv2
>>>    rw-eap-aka:   local:  [louie.xinux.org] uses public key authentication
>>>    rw-eap-aka:    cert:  "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org"
>>>    rw-eap-aka:   remote: [*@xinux.org] uses EAP_AKA authentication
>>>    rw-eap-aka:   child:  10.66.66.0/24 === dynamic TUNNEL
>>> Security Associations (0 up, 0 connecting):
>>>    none
>>>
>>>
>>> root at louie:~# tail -f /var/log/syslog
>>> Nov 17 22:18:36 louie charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>> Nov 17 22:18:36 louie charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/xin-ca-louie.xinux.org.key'
>>> Nov 17 22:18:36 louie charon: 00[CFG]   loaded EAP secret for thomas at xinux.org
>>> Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>> Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>> Nov 17 22:18:36 louie charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>> Nov 17 22:18:36 louie charon: 00[JOB] spawning 16 worker threads
>>> Nov 17 22:18:36 louie charon: 05[CFG] received stroke: add connection 'rw-eap-aka'
>>> Nov 17 22:18:36 louie charon: 05[CFG]   loaded certificate "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org" from 'xin-ca-louie.xinux.org.crt'
>>> Nov 17 22:18:36 louie charon: 05[CFG] added configuration 'rw-eap-aka'
>>>
>>>
>>>
>>> -------
>>>
>>> maria is the client ...
>>>
>>> root at maria:~# cat /etc/ipsec.conf
>>> config setup
>>>
>>> conn %default
>>>      ikelifetime=60m
>>>      keylife=20m
>>>      rekeymargin=3m
>>>      keyingtries=1
>>>      keyexchange=ikev2
>>>
>>> conn home
>>>      left=192.168.244.154
>>>      leftnexthop=%direct
>>>      leftid=thomas at xinux.org
>>>      leftauth=eap
>>>      leftfirewall=yes
>>>      right=192.168.244.153
>>>      rightid=@louie.xinux.org
>>>      rightsubnet=10.66.66.0/24
>>>      rightauth=pubkey
>>>      auto=add
>>>
>>> root at maria:~# cat /etc/ipsec.secrets
>>> thomas at xinux.org : EAP "suxer"
>>>
>>> root at maria:~# ipsec statusall
>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>    uptime: 18 minutes, since Nov 17 21:58:36 2014
>>>    malloc: sbrk 2433024, mmap 0, used 349808, free 2083216
>>>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>    loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>> Listening IP addresses:
>>>    192.168.244.154
>>>    10.55.55.1
>>> Connections:
>>>          home:  192.168.244.154...192.168.244.153  IKEv2
>>>          home:   local:  [thomas at xinux.org] uses EAP authentication
>>>          home:   remote: [louie.xinux.org] uses public key authentication
>>>          home:   child:  dynamic === 10.66.66.0/24 TUNNEL
>>> Security Associations (0 up, 0 connecting):
>>>    none
>>>
>>>
>>>
>>> root at maria:~# tail -f /var/log/syslog
>>> Nov 17 22:19:25 maria charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>> Nov 17 22:19:25 maria charon: 00[CFG]   loaded crl from '/etc/ipsec.d/crls/xin-ca.crl'
>>> Nov 17 22:19:25 maria charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>> Nov 17 22:19:25 maria charon: 00[CFG]   loaded EAP secret for thomas at xinux.org
>>> Nov 17 22:19:25 maria charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>> Nov 17 22:19:25 maria charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>> Nov 17 22:19:25 maria charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>> Nov 17 22:19:25 maria charon: 00[JOB] spawning 16 worker threads
>>> Nov 17 22:19:25 maria charon: 05[CFG] received stroke: add connection 'home'
>>> Nov 17 22:19:25 maria charon: 05[CFG] added configuration 'home'
>>>
>>> -----
>>>
>>> i think this is ok ...
>>>
>>>
>>> but when I start maria (I get this)
>>>
>>> root at maria:~# ipsec up home
>>> initiating IKE_SA home[1] to 192.168.244.153
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>> received packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>> sending cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>> establishing CHILD_SA home
>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>> received packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>> parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>> received EAP_FAILURE, EAP authentication failed
>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (76 bytes)
>>> establishing connection 'home' failed
>>>
>>>
>>>
>>>
>>> the log on louie shows "loading EAP_AKA method failed"
>>>
>>> Nov 17 22:20:42 louie charon: 10[NET] received packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>> Nov 17 22:20:42 louie charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> Nov 17 22:20:42 louie charon: 10[IKE] 192.168.244.154 is initiating an IKE_SA
>>> Nov 17 22:20:42 louie charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>> Nov 17 22:20:42 louie charon: 10[NET] sending packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>> Nov 17 22:20:43 louie charon: 11[NET] received packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>> Nov 17 22:20:43 louie charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>> Nov 17 22:20:43 louie charon: 11[IKE] received cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>> Nov 17 22:20:43 louie charon: 11[CFG] looking for peer configs matching 192.168.244.153[louie.xinux.org]...192.168.244.154[thomas at xinux.org]
>>> Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
>>> Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
>>> Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
>>> Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>> Nov 17 22:20:43 louie charon: 11[NET] sending packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>>
>>> ------
>>>
>>>
>>> I have no clue ... where the problem is :-)
>>>
>>>
>>> regards thomas
>>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec-aka.log
Type: text/x-log
Size: 48373 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141118/c4a9c2c3/attachment-0001.bin>
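A small triage helper for the louie-side log quoted in this thread, added here as an example and not code from the thread or from strongSwan; the sample lines are a constructed subset of the quoted syslog, and the function names are the example's own:

```python
"""Triage charon (strongSwan) syslog lines from a failed EAP authentication.
Added example, not code from the thread or from strongSwan: reports which EAP method
charon could not load, whether that method's plugin was listed as loaded at all, how
many plugin features stayed unloaded, and whether the IKE_AUTH response carried EAP/FAIL."""
import re

# Constructed sample: a subset of the louie syslog lines quoted in the thread.
SAMPLE_LOG = """\
Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon aes sha1 random nonce x509 pem openssl stroke eap-identity eap-aka eap-aka-3gpp2
Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
"""

LINE_RE = re.compile(r"charon: (\d+)\[([A-Z]+)\] (.*)$")  # "<thread>[<GROUP>] <msg>"
FAILED_RE = re.compile(r"loading (EAP_[A-Z0-9_]+) method failed")
UNMET_RE = re.compile(r"unable to load (\d+) plugin features")
PEERCFG_RE = re.compile(r"selected peer config '([^']+)'")

def parse_charon(text):
    """Yield (group, message) for every line that carries a charon prefix."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(2), m.group(3)

def plugin_for(method):
    """Map a log method name (EAP_AKA) to its charon plugin name (eap-aka)."""
    return method.lower().replace("_", "-")

def triage(text):
    """Summarise the EAP-related facts in a charon log excerpt."""
    r = {"loaded_plugins": set(), "unmet_features": 0, "peer_config": None,
         "failed_methods": [], "eap_fail_sent": False}
    for group, msg in parse_charon(text):
        if msg.startswith("loaded plugins: "):
            r["loaded_plugins"] = set(msg.split()[2:])
        elif (m := UNMET_RE.search(msg)):
            r["unmet_features"] = int(m.group(1))
        elif (m := PEERCFG_RE.search(msg)):
            r["peer_config"] = m.group(1)
        elif (m := FAILED_RE.search(msg)):
            r["failed_methods"].append(m.group(1))
        elif group == "ENC" and "IKE_AUTH response" in msg and "EAP/FAIL" in msg:
            r["eap_fail_sent"] = True
    # Plugin listed as loaded but method still not loadable: the plugin itself is
    # present, so its unloaded features (lib-level logging names them) come next.
    r["plugin_present"] = {m: plugin_for(m) in r["loaded_plugins"]
                           for m in r["failed_methods"]}
    return r
```

Run `triage(SAMPLE_LOG)` to get the summary as a dict; feed it the full ipsec-aka.log text to triage the attached log the same way.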
