[strongSwan] problem with Test ikev2/rw-eap-aka-rsa

Thomas Will thomas.will at xinux.de
Tue Nov 18 14:22:21 CET 2014


perfect ... :-)

CHILD_SA home{2} established with SPIs c70482fe_i c35484b6_o and TS 192.168.244.154/32 === 10.66.66.0/24
connection 'home' established successfully

thomas will
- xinux e.K.- networking - security - consulting - training   -
- novell certified linux professional - lpi level 2 certified -
- fon 06332 44040  - fax 06332 899227  - mobil 0170 52 18 548  -
- 66482 zweibruecken - wichernstr. 18  - http://www.xinux.de  -
- Amtsgericht  -  Registergericht  -  Zweibruecken - HRA 1518 -

On 18.11.2014 at 13:12, Noel Kuntze wrote:
>
> Hello Thomas,
>
> Nov 18 12:39:49 louie charon: 00[LIB] feature EAP_SERVER:AKA in plugin 'eap-aka' has unmet dependency: PRF:PRF_FIPS_SHA1_160
>
> This might be the reason it fails to load. Please supply the fips-prf plugin to strongSwan.
>
> Kind regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 18.11.2014 at 12:46, Thomas Will wrote:
>> hello noel,
>>
>> thanks in advance :-)
>>
>> here is my server-side ipsec.conf ...
>>
>> the log as attachment ...
>>
>> ----
>> config setup
>>          charondebug="lib 3, cfg 2"
>>
>> conn %default
>>          ikelifetime=60m
>>          keylife=20m
>>          rekeymargin=3m
>>          keyingtries=1
>>          keyexchange=ikev2
>>
>>
>> conn rw-eap-aka
>>         left=192.168.244.153
>>         leftsubnet=10.66.66.0/24
>>         leftid=@louie.xinux.org
>>         leftcert=xin-ca-louie.xinux.org.crt
>>         leftauth=pubkey
>>         leftfirewall=yes
>>         right=%any
>>         rightid=*@xinux.org
>>         rightsendcert=never
>>         rightauth=eap-aka
>>         auto=add
>>
>> ----
>>
>> thomas will
>>
>> On 18.11.2014 at 11:54, Noel Kuntze wrote:
>> Hello Thomas,
>>
>> Please enable file logging [1] with cfg and lib set to 2.
>> Then please show us the log that was created.
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>
>> Kind regards,
>> Noel Kuntze
>>
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 18.11.2014 at 11:35, Thomas Will wrote:
>>>>> is it possible that the eap-aka module is corrupt?
>>>>>
>>>>> i built a connection with eap-mschapv2 without problems ...
>>>>>
>>>>> regards ...
>>>>>
>>>>> thomas will
>>>>>
>>>>> On 17.11.2014 at 22:23, Thomas Will wrote:
>>>>>> hello list ...
>>>>>>
>>>>>> my name is thomas and i am new on the list :-)
>>>>>>
>>>>>> and here is my problem ...
>>>>>> i tried to make a connection like the
>>>>>>
>>>>>> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-aka-rsa/
>>>>>>
>>>>>> example ...
>>>>>>
>>>>>> louie is the server ...
>>>>>>
>>>>>> root at louie:~# cat /etc/ipsec.conf
>>>>>> config setup
>>>>>>
>>>>>> conn %default
>>>>>>       ikelifetime=60m
>>>>>>       keylife=20m
>>>>>>       rekeymargin=3m
>>>>>>       keyingtries=1
>>>>>>       keyexchange=ikev2
>>>>>>
>>>>>>
>>>>>> conn rw-eap-aka
>>>>>>          left=192.168.244.153
>>>>>>          leftsubnet=10.66.66.0/24
>>>>>>          leftid=@louie.xinux.org
>>>>>>          leftcert=xin-ca-louie.xinux.org.crt
>>>>>>          leftauth=pubkey
>>>>>>          leftfirewall=yes
>>>>>>          right=%any
>>>>>>          rightid=*@xinux.org
>>>>>>          rightsendcert=never
>>>>>>          rightauth=eap-aka
>>>>>>          auto=add
>>>>>>
>>>>>> root at louie:~# cat /etc/ipsec.secrets
>>>>>> : RSA xin-ca-louie.xinux.org.key
>>>>>> thomas at xinux.org : EAP "suxer"
>>>>>>
>>>>>>
>>>>>> root at louie:~# ipsec statusall
>>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>>>>     uptime: 41 minutes, since Nov 17 21:35:27 2014
>>>>>>     malloc: sbrk 2416640, mmap 0, used 359792, free 2056848
>>>>>>     worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>>>     loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Listening IP addresses:
>>>>>>     192.168.244.153
>>>>>>     10.66.66.1
>>>>>> Connections:
>>>>>>     rw-eap-aka:  192.168.244.153...%any  IKEv2
>>>>>>     rw-eap-aka:   local:  [louie.xinux.org] uses public key authentication
>>>>>>     rw-eap-aka:    cert:  "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org"
>>>>>>     rw-eap-aka:   remote: [*@xinux.org] uses EAP_AKA authentication
>>>>>>     rw-eap-aka:   child:  10.66.66.0/24 === dynamic TUNNEL
>>>>>> Security Associations (0 up, 0 connecting):
>>>>>>     none
>>>>>>
>>>>>>
>>>>>> root at louie:~# tail -f /var/log/syslog
>>>>>> Nov 17 22:18:36 louie charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>>> Nov 17 22:18:36 louie charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/xin-ca-louie.xinux.org.key'
>>>>>> Nov 17 22:18:36 louie charon: 00[CFG]   loaded EAP secret for thomas at xinux.org
>>>>>> Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>>>>> Nov 17 22:18:36 louie charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>>> Nov 17 22:18:36 louie charon: 00[JOB] spawning 16 worker threads
>>>>>> Nov 17 22:18:36 louie charon: 05[CFG] received stroke: add connection 'rw-eap-aka'
>>>>>> Nov 17 22:18:36 louie charon: 05[CFG]   loaded certificate "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org" from 'xin-ca-louie.xinux.org.crt'
>>>>>> Nov 17 22:18:36 louie charon: 05[CFG] added configuration 'rw-eap-aka'
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------
>>>>>>
>>>>>> maria is the client ...
>>>>>>
>>>>>> root at maria:~# cat /etc/ipsec.conf
>>>>>> config setup
>>>>>>
>>>>>> conn %default
>>>>>>       ikelifetime=60m
>>>>>>       keylife=20m
>>>>>>       rekeymargin=3m
>>>>>>       keyingtries=1
>>>>>>       keyexchange=ikev2
>>>>>>
>>>>>> conn home
>>>>>>       left=192.168.244.154
>>>>>>       leftnexthop=%direct
>>>>>>       leftid=thomas at xinux.org
>>>>>>       leftauth=eap
>>>>>>       leftfirewall=yes
>>>>>>       right=192.168.244.153
>>>>>>       rightid=@louie.xinux.org
>>>>>>       rightsubnet=10.66.66.0/24
>>>>>>       rightauth=pubkey
>>>>>>       auto=add
>>>>>>
>>>>>> root at maria:~# cat /etc/ipsec.secrets
>>>>>> thomas at xinux.org : EAP "suxer"
>>>>>>
>>>>>> root at maria:~# ipsec statusall
>>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
>>>>>>     uptime: 18 minutes, since Nov 17 21:58:36 2014
>>>>>>     malloc: sbrk 2433024, mmap 0, used 349808, free 2083216
>>>>>>     worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>>>     loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Listening IP addresses:
>>>>>>     192.168.244.154
>>>>>>     10.55.55.1
>>>>>> Connections:
>>>>>>           home:  192.168.244.154...192.168.244.153  IKEv2
>>>>>>           home:   local:  [thomas at xinux.org] uses EAP authentication
>>>>>>           home:   remote: [louie.xinux.org] uses public key authentication
>>>>>>           home:   child:  dynamic === 10.66.66.0/24 TUNNEL
>>>>>> Security Associations (0 up, 0 connecting):
>>>>>>     none
>>>>>>
>>>>>>
>>>>>>
>>>>>> root at maria:~# tail -f /var/log/syslog
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG]   loaded crl from '/etc/ipsec.d/crls/xin-ca.crl'
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>>> Nov 17 22:19:25 maria charon: 00[CFG]   loaded EAP secret for thomas at xinux.org
>>>>>> Nov 17 22:19:25 maria charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
>>>>>> Nov 17 22:19:25 maria charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
>>>>>> Nov 17 22:19:25 maria charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>>> Nov 17 22:19:25 maria charon: 00[JOB] spawning 16 worker threads
>>>>>> Nov 17 22:19:25 maria charon: 05[CFG] received stroke: add connection 'home'
>>>>>> Nov 17 22:19:25 maria charon: 05[CFG] added configuration 'home'
>>>>>>
>>>>>> -----
>>>>>>
>>>>>> i think this is ok ...
>>>>>>
>>>>>>
>>>>>> but when i start maria (i get this)
>>>>>>
>>>>>> root at maria:~# ipsec up home
>>>>>> initiating IKE_SA home[1] to 192.168.244.153
>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>>> sending packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>>>>> received packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>>>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>>>>> sending cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>>>>> establishing CHILD_SA home
>>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>>>>> received packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>>>>> parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>>>>> received EAP_FAILURE, EAP authentication failed
>>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>>> sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (76 bytes)
>>>>>> establishing connection 'home' failed
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> the log on louie shows ''loading EAP_AKA method failed"
>>>>>>
>>>>>> Nov 17 22:20:42 louie charon: 10[NET] received packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
>>>>>> Nov 17 22:20:42 louie charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>>> Nov 17 22:20:42 louie charon: 10[IKE] 192.168.244.154 is initiating an IKE_SA
>>>>>> Nov 17 22:20:42 louie charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>>>>>> Nov 17 22:20:42 louie charon: 10[NET] sending packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
>>>>>> Nov 17 22:20:43 louie charon: 11[NET] received packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
>>>>>> Nov 17 22:20:43 louie charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>>>> Nov 17 22:20:43 louie charon: 11[IKE] received cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
>>>>>> Nov 17 22:20:43 louie charon: 11[CFG] looking for peer configs matching 192.168.244.153[louie.xinux.org]...192.168.244.154[thomas at xinux.org]
>>>>>> Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
>>>>>> Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
>>>>>> Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
>>>>>> Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
>>>>>> Nov 17 22:20:43 louie charon: 11[NET] sending packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
>>>>>>
>>>>>> ------
>>>>>>
>>>>>>
>>>>>> i have no clue ... where the problem is :-)
>>>>>>
>>>>>>
>>>>>> regards thomas
>>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>>
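The diagnosis in this thread hinges on a single charon log line: the feature EAP_SERVER:AKA in the eap-aka plugin could not be loaded because a feature it depends on, PRF:PRF_FIPS_SHA1_160, was not available, and that PRF is provided by the fips-prf plugin. At the default log level both hosts only showed "unable to load 7 plugin features (7 due to unmet dependencies)"; the line naming the missing dependency appeared once charondebug was raised for "lib". The Python script below is an added example, not code from this thread or from the strongSwan project: it parses charon log output for those dependency messages, reads the "loaded plugins:" line, and names the providing plugin where that is known. The sample log lines are constructed after the ones quoted above, the dependency-to-plugin table holds only the case from this thread, and the function names are the example's own.

```python
"""Pre-flight check for strongSwan charon plugin feature dependencies.

Added example, not code from the mailing-list thread or from strongSwan.
It scans charon log output for "unmet dependency" messages, reads the
"loaded plugins:" line, and names the plugin that provides a missing
feature where that is known.
"""
import re
from typing import Dict, List, Set

# Constructed sample modelled on the log lines quoted in the thread (not a
# real capture): the server's plugin list and the lib-level-2 line that
# explains why the EAP-AKA server method could not be loaded.
SAMPLE_LOG = (
    "Nov 18 12:39:49 louie charon: 00[LIB] loaded plugins: charon "
    "test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation "
    "constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr "
    "ccm gcm attr kernel-netlink resolve socket-default stroke updown "
    "eap-identity eap-aka eap-aka-3gpp2 addrblock\n"
    "Nov 18 12:39:49 louie charon: 00[LIB] feature EAP_SERVER:AKA in plugin "
    "'eap-aka' has unmet dependency: PRF:PRF_FIPS_SHA1_160\n"
    "Nov 18 12:39:49 louie charon: 00[LIB] unable to load 7 plugin features "
    "(7 due to unmet dependencies)\n"
)

# Which plugin provides a given feature. Only the case from this thread is
# listed: the FIPS 186-2 PRF that EAP-AKA needs comes from the fips-prf
# plugin. Extend this table as you meet other dependencies.
KNOWN_PROVIDERS: Dict[str, str] = {
    "PRF:PRF_FIPS_SHA1_160": "fips-prf",
}

UNMET_RE = re.compile(
    r"feature (?P<feature>\S+) in plugin '(?P<plugin>[^']+)' "
    r"has unmet dependency: (?P<dep>\S+)"
)
LOADED_RE = re.compile(r"loaded plugins: (?P<plugins>.+?)\s*$")
UNABLE_RE = re.compile(r"unable to load (?P<count>\d+) plugin features")


def unmet_dependencies(log: str) -> List[Dict[str, str]]:
    """One record (feature, plugin, dep) per 'unmet dependency' line."""
    records = []
    for line in log.splitlines():
        m = UNMET_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def loaded_plugins(log: str) -> Set[str]:
    """Plugin names from the last 'loaded plugins:' line (one per daemon start)."""
    plugins: Set[str] = set()
    for line in log.splitlines():
        m = LOADED_RE.search(line)
        if m:
            plugins = set(m.group("plugins").split())
    return plugins


def unloadable_feature_count(log: str) -> int:
    """The count charon prints even at the default log level; the detailed
    'unmet dependency' lines need a higher 'lib' debug level."""
    total = 0
    for line in log.splitlines():
        m = UNABLE_RE.search(line)
        if m:
            total = int(m.group("count"))
    return total


def missing_providers(log: str) -> Dict[str, str]:
    """Map each unmet dependency to the plugin that would satisfy it.

    A dependency whose known provider is already in the loaded list is not
    reported (most likely a knock-on from some other missing feature); a
    dependency absent from KNOWN_PROVIDERS maps to '?' so it is not dropped.
    """
    loaded = loaded_plugins(log)
    missing: Dict[str, str] = {}
    for rec in unmet_dependencies(log):
        provider = KNOWN_PROVIDERS.get(rec["dep"], "?")
        if provider not in loaded:
            missing[rec["dep"]] = provider
    return missing


def report(log: str) -> List[str]:
    """Human-readable summary, one line per finding."""
    lines = []
    count = unloadable_feature_count(log)
    deps = unmet_dependencies(log)
    if count and not deps:
        lines.append(f"{count} plugin features failed to load but no detail was "
                     "logged; raise charondebug to lib 2 and restart")
    for rec in deps:
        provider = KNOWN_PROVIDERS.get(rec["dep"])
        hint = (f"load plugin '{provider}'" if provider
                else "provider unknown; compare against 'ipsec listplugins'")
        lines.append(f"{rec['plugin']}: {rec['feature']} needs {rec['dep']} -> {hint}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)) or "no unmet plugin dependencies found")
```

Run it against /var/log/syslog (or the charon file log) after restarting the daemon with charondebug="lib 2" or higher; as the thread shows, the default level only reports how many features failed, not which dependency was missing. On a source build the fips-prf plugin is enabled with ./configure --enable-fips-prf; for a distribution package, check which package ships it. The same "unable to load 7 plugin features" line appeared on the client maria as well, so the check belongs on both peers.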


