[strongSwan] problem with Test ikev2/rw-eap-aka-rsa
Noel Kuntze
noel at familie-kuntze.de
Tue Nov 18 13:12:13 CET 2014
Hello Thomas,
Nov 18 12:39:49 louie charon: 00[LIB] feature EAP_SERVER:AKA in plugin 'eap-aka' has unmet dependency: PRF:PRF_FIPS_SHA1_160
This might be the reason it fails to load. Please supply the fips-prf plugin to strongSwan.
Kind regards/Regards,
Noel Kuntze
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 18.11.2014 at 12:46, Thomas Will wrote:
> hello noel,
>
> thanks in advance :-)
>
> here is my server site ipsec.conf ...
>
> the log as attachment ...
>
> ----
> config setup
> charondebug="lib 3, cfg 2"
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
>
>
> conn rw-eap-aka
> left=192.168.244.153
> leftsubnet=10.66.66.0/24
> leftid=@louie.xinux.org
> leftcert=xin-ca-louie.xinux.org.crt
> leftauth=pubkey
> leftfirewall=yes
> right=%any
> rightid=*@xinux.org
> rightsendcert=never
> rightauth=eap-aka
> auto=add
>
> ----
>
> thomas will
> - xinux e.K.- networking - security - consulting - training -
> - novell certified linux professional - lpi level 2 certified -
> - fon 06332 44040 - fax 06332 899227 - mobil 0170 52 18 548 -
> - 66482 zweibruecken - wichernstr. 18 - http://www.xinux.de -
> - Amtsgericht - Registergericht - Zweibruecken - HRA 1518 -
>
> On 18.11.2014 at 11:54, Noel Kuntze wrote:
> Hello Thomas,
>
> Please enable file logging [1] with cfg and lib set to 2.
> Then please show us the log that was created.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> Kind regards/Regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 18.11.2014 at 11:35, Thomas Will wrote:
>>>> is it possible that eap-aka modul is corrupt?
>>>>
>>>> i built a connection with eap-mschapv2 without problems ...
>>>>
>>>> regards ...
>>>>
>>>> thomas will
>>>> - xinux e.K.- networking - security - consulting - training -
>>>> - novell certified linux professional - lpi level 2 certified -
>>>> - fon 06332 44040 - fax 06332 899227 - mobil 0170 52 18 548 -
>>>> - 66482 zweibruecken - wichernstr. 18 - http://www.xinux.de -
>>>> - Amtsgericht - Registergericht - Zweibruecken - HRA 1518 -
>>>>
>>>> On 17.11.2014 at 22:23, Thomas Will wrote:
>>>>> hello list ...
>>>>>
>>>>> my name is thomas and i am new on the list :-)
>>>>>
>>>>> and here is my problem ...
>>>>> i tried to make a connection like the
>>>>>
>>>>> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-aka-rsa/
>>>>>
>>>>> example ...
>>>>>
>>>>> louie is the server ...
>>>>>
>>>>> root at louie:~# cat /etc/ipsec.conf
>>>>> config setup
>>>>>
>>>>> conn %default
>>>>> ikelifetime=60m
>>>>> keylife=20m
>>>>> rekeymargin=3m
>>>>> keyingtries=1
>>>>> keyexchange=ikev2
>>>>>
>>>>>
>>>>> conn rw-eap-aka
>>>>> left=192.168.244.153
>>>>> leftsubnet=10.66.66.0/24
>>>>> leftid=@louie.xinux.org
>>>>> leftcert=xin-ca-louie.xinux.org.crt
>>>>> leftauth=pubkey
>>>>> leftfirewall=yes
>>>>> right=%any
>>>>> rightid=*@xinux.org
>>>>> rightsendcert=never
>>>>> rightauth=eap-aka
>>>>> auto=add
>>>>>
>>>>> root at louie:~# cat /etc/ipsec.secrets
>>>>> : RSA xin-ca-louie.xinux.org.key
>>>>> thomas at xinux.org : EAP "suxer"
>>>>>
>>>>>
>>>>> root at louie:~# ipsec statusall
>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>>> uptime: 41 minutes, since Nov 17 21:35:27 2014
>>>>> malloc: sbrk 2416640, mmap 0, used 359792, free 2056848
>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>> Listening IP addresses:
>>>>> 192.168.244.153
>>>>> 10.66.66.1
>>>>> Connections:
>>>>> rw-eap-aka: 192.168.244.153...%any IKEv2
>>>>> rw-eap-aka: local: [louie.xinux.org] uses public key authentication
>>>>> rw-eap-aka: cert: "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org"
>>>>> rw-eap-aka: remote: [*@xinux.org] uses EAP_AKA authentication
>>>>> rw-eap-aka: child: 10.66.66.0/24 === dynamic TUNNEL
>>>>> Security Associations (0 up, 0 connecting):
>>>>> none
>>>>>
>>>>>
>>>>> root at louie:~# tail -f /var/log/syslog
>>>>> Nov 17 22:18:36 louie charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>> Nov 17 22:18:36 louie charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/xin-ca-louie.xinux.org.key'
>>>>> Nov 17 22:18:36 louie charon: 00[CFG] loaded EAP secret for thomas at xinux.org
>>>>> Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>> Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>>>> Nov 17 22:18:36 louie charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>> Nov 17 22:18:36 louie charon: 00[JOB] spawning 16 worker threads
>>>>> Nov 17 22:18:36 louie charon: 05[CFG] received stroke: add connection 'rw-eap-aka'
>>>>> Nov 17 22:18:36 louie charon: 05[CFG] loaded certificate "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org" from 'xin-ca-louie.xinux.org.crt'
>>>>> Nov 17 22:18:36 louie charon: 05[CFG] added configuration 'rw-eap-aka'
>>>>>
>>>>>
>>>>>
>>>>> -------
>>>>>
>>>>> maria is the client ...
>>>>>
>>>>> root at maria:~# cat /etc/ipsec.conf
>>>>> config setup
>>>>>
>>>>> conn %default
>>>>> ikelifetime=60m
>>>>> keylife=20m
>>>>> rekeymargin=3m
>>>>> keyingtries=1
>>>>> keyexchange=ikev2
>>>>>
>>>>> conn home
>>>>> left=192.168.244.154
>>>>> leftnexthop=%direct
>>>>> leftid=thomas at xinux.org
>>>>> leftauth=eap
>>>>> leftfirewall=yes
>>>>> right=192.168.244.153
>>>>> rightid=@louie.xinux.org
>>>>> rightsubnet=10.66.66.0/24
>>>>> rightauth=pubkey
>>>>> auto=add
>>>>>
>>>>> root at maria:~# cat /etc/ipsec.secrets
>>>>> thomas at xinux.org : EAP "suxer"
>>>>>
>>>>> root at maria:~# ipsec statusall
>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>>> uptime: 18 minutes, since Nov 17 21:58:36 2014
>>>>> malloc: sbrk 2433024, mmap 0, used 349808, free 2083216
>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>> Listening IP addresses:
>>>>> 192.168.244.154
>>>>> 10.55.55.1
>>>>> Connections:
>>>>> home: 192.168.244.154...192.168.244.153 IKEv2
>>>>> home: local: [thomas at xinux.org] uses EAP authentication
>>>>> home: remote: [louie.xinux.org] uses public key authentication
>>>>> home: child: dynamic === 10.66.66.0/24 TUNNEL
>>>>> Security Associations (0 up, 0 connecting):
>>>>> none
>>>>>
>>>>>
>>>>>
>>>>> root at maria:~# tail -f /var/log/syslog
>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loaded crl from '/etc/ipsec.d/crls/xin-ca.crl'
>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loaded EAP secret for thomas at xinux.org
>>>>> Nov 17 22:19:25 maria charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>> Nov 17 22:19:25 maria charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>>>> Nov 17 22:19:25 maria charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>> Nov 17 22:19:25 maria charon: 00[JOB] spawning 16 worker threads
>>>>> Nov 17 22:19:25 maria charon: 05[CFG] received stroke: add connection 'home'
>>>>> Nov 17 22:19:25 maria charon: 05[CFG] added configuration 'home'
>>>>>
>>>>> -----
>>>>>
>>>>> i think this is ok ...
>>>>>
>>>>>
>>>>> but when i start maria (i get this)
>>>>>
>>>>> root at maria:~# ipsec up home
>>>>> initiating IKE_SA home[1] to 192.168.244.153
>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>> sending packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>>>> received packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>>>> sending cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>>>> establishing CHILD_SA home
>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>>>> received packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>>>> parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>>>> received EAP_FAILURE, EAP authentication failed
>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (76 bytes)
>>>>> establishing connection 'home' failed
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> the log on louie shows "loading EAP_AKA method failed"
>>>>>
>>>>> Nov 17 22:20:42 louie charon: 10[NET] received packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>>>> Nov 17 22:20:42 louie charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>> Nov 17 22:20:42 louie charon: 10[IKE] 192.168.244.154 is initiating an IKE_SA
>>>>> Nov 17 22:20:42 louie charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>>>> Nov 17 22:20:42 louie charon: 10[NET] sending packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>>>> Nov 17 22:20:43 louie charon: 11[NET] received packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>>>> Nov 17 22:20:43 louie charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>>> Nov 17 22:20:43 louie charon: 11[IKE] received cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>>>> Nov 17 22:20:43 louie charon: 11[CFG] looking for peer configs matching 192.168.244.153[louie.xinux.org]...192.168.244.154[thomas at xinux.org]
>>>>> Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
>>>>> Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
>>>>> Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
>>>>> Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>>>> Nov 17 22:20:43 louie charon: 11[NET] sending packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>>>>
>>>>> ------
>>>>>
>>>>>
>>>>> i have no clue ... where the problem is :-)
>>>>>
>>>>>
>>>>> regards thomas
>>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
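A small log-triage script, added here as an example and not code from the thread or from the strongSwan project. It scans charon log lines for the "has unmet dependency" message Noel points to, reports which plugin would provide the missing feature (the PRF:PRF_FIPS_SHA1_160 to fips-prf mapping is the one the thread establishes; the rest of the lookup table is an assumption to be extended), and flags the case where only the "unable to load N plugin features" summary is present, which is the sign that lib logging has to be raised to 2 as Noel asked earlier in the thread. The sample log lines are constructed from the ones quoted above.

```python
"""Triage charon plugin-loading failures from strongSwan log lines.

Added example, not code from the thread or from the strongSwan project.
The sample logs are constructed from the messages quoted in the thread; the
FEATURE_PROVIDERS table is an assumption (only the fips-prf entry comes
from the thread itself).
"""
import re

# Constructed sample at charondebug lib 2+: the per-feature detail line is present.
SAMPLE_LOG_DETAILED = """\
Nov 18 12:39:49 louie charon: 00[LIB] loaded plugins: charon aes sha1 sha2 hmac openssl stroke eap-identity eap-aka eap-aka-3gpp2
Nov 18 12:39:49 louie charon: 00[LIB] feature EAP_SERVER:AKA in plugin 'eap-aka' has unmet dependency: PRF:PRF_FIPS_SHA1_160
Nov 18 12:39:49 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Nov 18 12:40:01 louie charon: 11[IKE] loading EAP_AKA method failed
"""

# Constructed sample at the default log level: only the summary line appears.
SAMPLE_LOG_QUIET = """\
Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon aes sha1 sha2 hmac openssl stroke eap-identity eap-aka eap-aka-3gpp2
Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
"""

# Which plugin provides a feature. Assumed table; fips-prf is the entry the thread establishes.
FEATURE_PROVIDERS = {
    "PRF:PRF_FIPS_SHA1_160": "fips-prf",
}

UNMET_RE = re.compile(
    r"\[LIB\] feature (?P<feature>\S+) in plugin '(?P<plugin>[^']+)' "
    r"has unmet dependency: (?P<dep>\S+)"
)
LOADED_RE = re.compile(r"\[LIB\] loaded plugins: (?P<plugins>.*)$")
SUMMARY_RE = re.compile(r"unable to load (?P<n>\d+) plugin features")


def parse_unmet_dependencies(log_text):
    """Return (feature, plugin, dependency) for each 'has unmet dependency' line."""
    found = []
    for line in log_text.splitlines():
        m = UNMET_RE.search(line)
        if m:
            found.append((m["feature"], m["plugin"], m["dep"]))
    return found


def loaded_plugins(log_text):
    """Return the plugin names from the last 'loaded plugins:' line, as a set."""
    plugins = set()
    for line in log_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            plugins = set(m["plugins"].split())
    return plugins


def unmet_feature_count(log_text):
    """Return N from 'unable to load N plugin features', or 0 if absent."""
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            return int(m["n"])
    return 0


def suggest_missing_plugins(log_text):
    """Map each unmet dependency to the plugin that would provide it.

    Returns {dependency: provider}; provider is None when the table has no
    entry. A provider that already appears in the loaded-plugins list is
    marked as such instead of being suggested again.
    """
    loaded = loaded_plugins(log_text)
    suggestions = {}
    for _feature, _plugin, dep in parse_unmet_dependencies(log_text):
        provider = FEATURE_PROVIDERS.get(dep)
        if provider is not None and provider in loaded:
            provider = provider + " (already loaded; check its own features)"
        suggestions[dep] = provider
    return suggestions


def needs_more_logging(log_text):
    """True when charon reports unloadable features but the log carries no
    per-feature detail: raise charondebug lib to 2, as advised in the thread."""
    return unmet_feature_count(log_text) > 0 and not parse_unmet_dependencies(log_text)


if __name__ == "__main__":
    for log in (SAMPLE_LOG_QUIET, SAMPLE_LOG_DETAILED):
        print(f"charon reported {unmet_feature_count(log)} unloadable features")
        if needs_more_logging(log):
            print('  no detail lines: set charondebug="lib 2, cfg 2" and retry')
        for dep, provider in suggest_missing_plugins(log).items():
            print(f"  {dep} -> load plugin {provider or '<unknown, investigate>'}")
```

Run it against a real syslog excerpt by replacing the constructed samples with the file contents; an unmet dependency whose provider is None means the lookup table needs an entry for that feature, and a non-zero summary with no detail lines means the log level is too low to tell which plugin is missing.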