[strongSwan] problem with Test ikev2/rw-eap-aka-rsa
Thomas Will
thomas.will at xinux.de
Tue Nov 18 14:22:21 CET 2014
perfect ... :-)
CHILD_SA home{2} established with SPIs c70482fe_i c35484b6_o and TS
192.168.244.154/32 === 10.66.66.0/24
connection 'home' established successfully
thomas will
- xinux e.K.- networking - security - consulting - training -
- novell certified linux professional - lpi level 2 certified -
- fon 06332 44040 - fax 06332 899227 - mobil 0170 52 18 548 -
- 66482 zweibruecken - wichernstr. 18 - http://www.xinux.de -
- Amtsgericht - Registergericht - Zweibruecken - HRA 1518 -
Am 18.11.2014 um 13:12 schrieb Noel Kuntze:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Thomas,
>
> Nov 18 12:39:49 louie charon: 00[LIB] feature EAP_SERVER:AKA in plugin 'eap-aka' has unmet dependency: PRF:PRF_FIPS_SHA1_160
>
> This might be the reason it fails to load. Please supply the fips-prf plugin to strongSwan.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 18.11.2014 um 12:46 schrieb Thomas Will:
>> hello noel,
>>
>> thanks in advance :-)
>>
>> here is my server site ipsec.conf ...
>>
>> the log as attachment ...
>>
>> ----
>> config setup
>> charondebug="lib 3, cfg 2"
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>>
>>
>> conn rw-eap-aka
>> left=192.168.244.153
>> leftsubnet=10.66.66.0/24
>> leftid=@louie.xinux.org
>> leftcert=xin-ca-louie.xinux.org.crt
>> leftauth=pubkey
>> leftfirewall=yes
>> right=%any
>> rightid=*@xinux.org
>> rightsendcert=never
>> rightauth=eap-aka
>> auto=add
>>
>> ----
>>
>> thomas will
>> - xinux e.K.- networking - security - consulting - training -
>> - novell certified linux professional - lpi level 2 certified -
>> - fon 06332 44040 - fax 06332 899227 - mobil 0170 52 18 548 -
>> - 66482 zweibruecken - wichernstr. 18 - http://www.xinux.de -
>> - Amtsgericht - Registergericht - Zweibruecken - HRA 1518 -
>>
>> Am 18.11.2014 um 11:54 schrieb Noel Kuntze:
>> Hello Thomas,
>>
>> Please enable file logging [1] with cfg and lib set to 2.
>> Then please show us the log that was created.
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 18.11.2014 um 11:35 schrieb Thomas Will:
>>>>> is it possible that eap-aka modul is corrupt?
>>>>>
>>>>> i built a connection with eap-mschapv2 without problems ...
>>>>>
>>>>> regards ...
>>>>>
>>>>> thomas will
>>>>> - xinux e.K.- networking - security - consulting - training -
>>>>> - novell certified linux professional - lpi level 2 certified -
>>>>> - fon 06332 44040 - fax 06332 899227 - mobil 0170 52 18 548 -
>>>>> - 66482 zweibruecken - wichernstr. 18 - http://www.xinux.de -
>>>>> - Amtsgericht - Registergericht - Zweibruecken - HRA 1518 -
>>>>>
>>>>> Am 17.11.2014 um 22:23 schrieb Thomas Will:
>>>>>> hello list ...
>>>>>>
>>>>>> my name is thomas and i am new on the list :-)
>>>>>>
>>>>>> and here is my problem ...
>>>>>> i tried to make a connection like the
>>>>>>
>>>>>> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-aka-rsa/
>>>>>>
>>>>>> example ...
>>>>>>
>>>>>> loui is the server ...
>>>>>>
>>>>>> root at louie:~# cat /etc/ipsec.conf
>>>>>> config setup
>>>>>>
>>>>>> conn %default
>>>>>> ikelifetime=60m
>>>>>> keylife=20m
>>>>>> rekeymargin=3m
>>>>>> keyingtries=1
>>>>>> keyexchange=ikev2
>>>>>>
>>>>>>
>>>>>> conn rw-eap-aka
>>>>>> left=192.168.244.153
>>>>>> leftsubnet=10.66.66.0/24
>>>>>> leftid=@louie.xinux.org
>>>>>> leftcert=xin-ca-louie.xinux.org.crt
>>>>>> leftauth=pubkey
>>>>>> leftfirewall=yes
>>>>>> right=%any
>>>>>> rightid=*@xinux.org
>>>>>> rightsendcert=never
>>>>>> rightauth=eap-aka
>>>>>> auto=add
>>>>>>
>>>>>> root at louie:~# cat /etc/ipsec.secrets
>>>>>> : RSA xin-ca-louie.xinux.org.key
>>>>>> thomas at xinux.org : EAP "suxer"
>>>>>>
>>>>>>
>>>>>> root at louie:~# ipsec statusall
>>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>>>> uptime: 41 minutes, since Nov 17 21:35:27 2014
>>>>>> malloc: sbrk 2416640, mmap 0, used 359792, free 2056848
>>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Listening IP addresses:
>>>>>> 192.168.244.153
>>>>>> 10.66.66.1
>>>>>> Connections:
>>>>>> rw-eap-aka: 192.168.244.153...%any IKEv2
>>>>>> rw-eap-aka: local: [louie.xinux.org] uses public key authentication
>>>>>> rw-eap-aka: cert: "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org"
>>>>>> rw-eap-aka: remote: [*@xinux.org] uses EAP_AKA authentication
>>>>>> rw-eap-aka: child: 10.66.66.0/24 === dynamic TUNNEL
>>>>>> Security Associations (0 up, 0 connecting):
>>>>>> none
>>>>>>
>>>>>>
>>>>>> root at louie:~# tail -f /var/log/syslog
>>>>>> Nov 17 22:18:36 louie charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>>> Nov 17 22:18:36 louie charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/xin-ca-louie.xinux.org.key'
>>>>>> Nov 17 22:18:36 louie charon: 00[CFG] loaded EAP secret for thomas at xinux.org
>>>>>> Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>>>>> Nov 17 22:18:36 louie charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>>> Nov 17 22:18:36 louie charon: 00[JOB] spawning 16 worker threads
>>>>>> Nov 17 22:18:36 louie charon: 05[CFG] received stroke: add connection 'rw-eap-aka'
>>>>>> Nov 17 22:18:36 louie charon: 05[CFG] loaded certificate "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org" from 'xin-ca-louie.xinux.org.crt'
>>>>>> Nov 17 22:18:36 louie charon: 05[CFG] added configuration 'rw-eap-aka'
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------
>>>>>>
>>>>>> maria is the client ...
>>>>>>
>>>>>> root at maria:~# cat /etc/ipsec.conf
>>>>>> config setup
>>>>>>
>>>>>> conn %default
>>>>>> ikelifetime=60m
>>>>>> keylife=20m
>>>>>> rekeymargin=3m
>>>>>> keyingtries=1
>>>>>> keyexchange=ikev2
>>>>>>
>>>>>> conn home
>>>>>> left=192.168.244.154
>>>>>> leftnexthop=%direct
>>>>>> leftid=thomas at xinux.org
>>>>>> leftauth=eap
>>>>>> leftfirewall=yes
>>>>>> right=192.168.244.153
>>>>>> rightid=@louie.xinux.org
>>>>>> rightsubnet=10.66.66.0/24
>>>>>> rightauth=pubkey
>>>>>> auto=add
>>>>>>
>>>>>> root at maria:~# cat /etc/ipsec.secrets
>>>>>> thomas at xinux.org : EAP "suxer"
>>>>>>
>>>>>> root at maria:~# ipsec statusall
>>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>>>> uptime: 18 minutes, since Nov 17 21:58:36 2014
>>>>>> malloc: sbrk 2433024, mmap 0, used 349808, free 2083216
>>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Listening IP addresses:
>>>>>> 192.168.244.154
>>>>>> 10.55.55.1
>>>>>> Connections:
>>>>>> home: 192.168.244.154...192.168.244.153 IKEv2
>>>>>> home: local: [thomas at xinux.org] uses EAP authentication
>>>>>> home: remote: [louie.xinux.org] uses public key authentication
>>>>>> home: child: dynamic === 10.66.66.0/24 TUNNEL
>>>>>> Security Associations (0 up, 0 connecting):
>>>>>> none
>>>>>>
>>>>>>
>>>>>>
>>>>>> root at maria:~# tail -f /var/log/syslog
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loaded crl from '/etc/ipsec.d/crls/xin-ca.crl'
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loaded EAP secret for thomas at xinux.org
>>>>>> Nov 17 22:19:25 maria charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Nov 17 22:19:25 maria charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>>>>> Nov 17 22:19:25 maria charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>>> Nov 17 22:19:25 maria charon: 00[JOB] spawning 16 worker threads
>>>>>> Nov 17 22:19:25 maria charon: 05[CFG] received stroke: add connection 'home'
>>>>>> Nov 17 22:19:25 maria charon: 05[CFG] added configuration 'home'
>>>>>>
>>>>>> -----
>>>>>>
>>>>>> i think this is ok ...
>>>>>>
>>>>>>
>>>>>> but when ist start maria (i get this)
>>>>>>
>>>>>> root at maria:~# ipsec up home
>>>>>> initiating IKE_SA home[1] to 192.168.244.153
>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>>> sending packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>>>>> received packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>>>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>>>>> sending cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>>>>> establishing CHILD_SA home
>>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>>>>> received packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>>>>> parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>>>>> received EAP_FAILURE, EAP authentication failed
>>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (76 bytes)
>>>>>> establishing connection 'home' failed
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> the log on louie shows ''loading EAP_AKA method failed"
>>>>>>
>>>>>> Nov 17 22:20:42 louie charon: 10[NET] received packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>>>>> Nov 17 22:20:42 louie charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>>> Nov 17 22:20:42 louie charon: 10[IKE] 192.168.244.154 is initiating an IKE_SA
>>>>>> Nov 17 22:20:42 louie charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>>>>> Nov 17 22:20:42 louie charon: 10[NET] sending packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>>>>> Nov 17 22:20:43 louie charon: 11[NET] received packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>>>>> Nov 17 22:20:43 louie charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>>>> Nov 17 22:20:43 louie charon: 11[IKE] received cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>>>>> Nov 17 22:20:43 louie charon: 11[CFG] looking for peer configs matching 192.168.244.153[louie.xinux.org]...192.168.244.154[thomas at xinux.org]
>>>>>> Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
>>>>>> Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
>>>>>> Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
>>>>>> Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>>>>> Nov 17 22:20:43 louie charon: 11[NET] sending packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>>>>>
>>>>>> ------
>>>>>>
>>>>>>
>>>>>> i have no glue ... where the problem is :-)
>>>>>>
>>>>>>
>>>>>> regards thomas
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBAgAGBQJUazebAAoJEDg5KY9j7GZYRYgP/ihum/Gs4OjbPJaS2aQduXNm
> Zqtez5ng2w6xMinwRIwLLPeQksUvTEo0KVh4yTi3mTJxC38WzhzqFhH+howob83K
> DnLMqn4oE2G4vmvoAYacv50vlJZ+j8A64MN3KKsMJRuRguk5cx24ofO59YkN24lF
> Ha4rE6lSrca16npxridO2JVPsyF9+BsM+/05VbCjRvALsm4WdR8i3CpCaHJxJB0e
> Lf2R1E9HltCfgOchTjoBbf0IGMAmxVHkqLWyvADehaEBZ8ami9bgcAO8yE4v3aAn
> TKbbThWzMzI0Sdwk69VeIG7vKiUzxe8q2ljLYcWqfyI5cgWL5e4NTlFRVOOm6Mlc
> axupWCgnxI+hlbfD+/mkZYB7Y7mds1Nj2IbvfUU1aS04iirCLU6KqVebwyTLWkS5
> R1uUTCQfoOeaieQiUySfwgOddTe2rOxaimiBn3w4osMMF1AgcljFJ+rIyqIxnOWA
> pCMIvsXM1DX5qdz5viIgJRJg1w8Dz1gU62cIEsg4+2i3junCip2u7t2BrgEI3jZS
> Awf4+Ig1otfEtuCpDv1DlOVcj8y2BazOqTpv6CsHTFM4KSwMKHB32aVQU1a5v9Pt
> lxT6C5/dOMRP35RWXB5nuUYwkYe4ebWFXL0TKxA8XbZm6mZnarrES9zadXIbvjVY
> t8Hp3nnGkeZckFvcL0Qr
> =qM/E
> -----END PGP SIGNATURE-----
More information about the Users
mailing list