[strongSwan] problem with Test ikev2/rw-eap-aka-rsa

Thomas Will thoma.will at xinux.de
Mon Nov 17 22:23:21 CET 2014


hello list ...

my name is thomas and I am new on the list :-)

and here is my problem ...

I tried to make a connection like the

http://www.strongswan.org/uml/testresults/ikev2/rw-eap-aka-rsa/

example ...

louie is the server ...

root@louie:~# cat /etc/ipsec.conf
config setup

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2


conn rw-eap-aka
        left=192.168.244.153
        leftsubnet=10.66.66.0/24
        leftid=@louie.xinux.org
        leftcert=xin-ca-louie.xinux.org.crt
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightid=*@xinux.org
        rightsendcert=never
        rightauth=eap-aka
        auto=add

root@louie:~# cat /etc/ipsec.secrets
: RSA xin-ca-louie.xinux.org.key
thomas@xinux.org : EAP "suxer"


root@louie:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
   uptime: 41 minutes, since Nov 17 21:35:27 2014
   malloc: sbrk 2416640, mmap 0, used 359792, free 2056848
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
Listening IP addresses:
   192.168.244.153
   10.66.66.1
Connections:
   rw-eap-aka:  192.168.244.153...%any  IKEv2
   rw-eap-aka:   local:  [louie.xinux.org] uses public key authentication
   rw-eap-aka:    cert:  "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org"
   rw-eap-aka:   remote: [*@xinux.org] uses EAP_AKA authentication
   rw-eap-aka:   child:  10.66.66.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
   none


root@louie:~# tail -f /var/log/syslog
Nov 17 22:18:36 louie charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 17 22:18:36 louie charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/xin-ca-louie.xinux.org.key'
Nov 17 22:18:36 louie charon: 00[CFG]   loaded EAP secret for thomas@xinux.org
Nov 17 22:18:36 louie charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Nov 17 22:18:36 louie charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 17 22:18:36 louie charon: 00[JOB] spawning 16 worker threads
Nov 17 22:18:36 louie charon: 05[CFG] received stroke: add connection 'rw-eap-aka'
Nov 17 22:18:36 louie charon: 05[CFG]   loaded certificate "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=louie.xinux.org" from 'xin-ca-louie.xinux.org.crt'
Nov 17 22:18:36 louie charon: 05[CFG] added configuration 'rw-eap-aka'



-------

maria is the client ...

root@maria:~# cat /etc/ipsec.conf
config setup

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2

conn home
     left=192.168.244.154
     leftnexthop=%direct
     leftid=thomas@xinux.org
     leftauth=eap
     leftfirewall=yes
     right=192.168.244.153
     rightid=@louie.xinux.org
     rightsubnet=10.66.66.0/24
     rightauth=pubkey
     auto=add

root@maria:~# cat /etc/ipsec.secrets
thomas@xinux.org : EAP "suxer"

root@maria:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
   uptime: 18 minutes, since Nov 17 21:58:36 2014
   malloc: sbrk 2433024, mmap 0, used 349808, free 2083216
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
Listening IP addresses:
   192.168.244.154
   10.55.55.1
Connections:
         home:  192.168.244.154...192.168.244.153  IKEv2
         home:   local:  [thomas@xinux.org] uses EAP authentication
         home:   remote: [louie.xinux.org] uses public key authentication
         home:   child:  dynamic === 10.66.66.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
   none



root@maria:~# tail -f /var/log/syslog
Nov 17 22:19:25 maria charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 17 22:19:25 maria charon: 00[CFG]   loaded crl from '/etc/ipsec.d/crls/xin-ca.crl'
Nov 17 22:19:25 maria charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 17 22:19:25 maria charon: 00[CFG]   loaded EAP secret for thomas@xinux.org
Nov 17 22:19:25 maria charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-aka-3gpp2 addrblock
Nov 17 22:19:25 maria charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Nov 17 22:19:25 maria charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 17 22:19:25 maria charon: 00[JOB] spawning 16 worker threads
Nov 17 22:19:25 maria charon: 05[CFG] received stroke: add connection 'home'
Nov 17 22:19:25 maria charon: 05[CFG] added configuration 'home'

-----

I think this is ok ...


but when I start maria (I get this)

root@maria:~# ipsec up home
initiating IKE_SA home[1] to 192.168.244.153
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
received packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
received packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)
parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (76 bytes)
establishing connection 'home' failed




the log on louie shows "loading EAP_AKA method failed"

Nov 17 22:20:42 louie charon: 10[NET] received packet: from 192.168.244.154[500] to 192.168.244.153[500] (1212 bytes)
Nov 17 22:20:42 louie charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 17 22:20:42 louie charon: 10[IKE] 192.168.244.154 is initiating an IKE_SA
Nov 17 22:20:42 louie charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 17 22:20:42 louie charon: 10[NET] sending packet: from 192.168.244.153[500] to 192.168.244.154[500] (440 bytes)
Nov 17 22:20:43 louie charon: 11[NET] received packet: from 192.168.244.154[4500] to 192.168.244.153[4500] (412 bytes)
Nov 17 22:20:43 louie charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 17 22:20:43 louie charon: 11[IKE] received cert request for "C=de, ST=rlp, L=zw, O=xinux, OU=it, CN=xin-ca"
Nov 17 22:20:43 louie charon: 11[CFG] looking for peer configs matching 192.168.244.153[louie.xinux.org]...192.168.244.154[thomas@xinux.org]
Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Nov 17 22:20:43 louie charon: 11[NET] sending packet: from 192.168.244.153[4500] to 192.168.244.154[4500] (92 bytes)

------


I have no clue ... where the problem is :-)


regards thomas
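As an added example (not from the post and not strongSwan's own code), a small Python triage script for charon syslog lines of the kind quoted above. It parses the `NN[GROUP] message` format, and correlates the gateway's `loading EAP_AKA method failed` (logged right after the peer config is selected and before any EAP request is generated, so the IKE_AUTH response carries `EAP/FAIL` straight away) with the plugin-feature warning at startup and with the `EAP/FAIL` the client sees. The louie lines are the ones from the post; the maria syslog lines are constructed, since the post only shows maria's `ipsec up` output, and their thread numbers are made up. The point for a gateway operator is that an EAP method the server cannot instantiate fails every client in exactly the way a wrong credential would look from the client side, so the server-side lines are the ones to read first.

```python
import re
from typing import NamedTuple, Optional

# Server lines copied from the post (rejoined); client lines constructed,
# thread number 12 on maria is an assumption, not taken from the post.
SERVER_LOG = """\
Nov 17 22:18:36 louie charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Nov 17 22:18:36 louie charon: 05[CFG] added configuration 'rw-eap-aka'
Nov 17 22:20:43 louie charon: 11[CFG] selected peer config 'rw-eap-aka'
Nov 17 22:20:43 louie charon: 11[IKE] loading EAP_AKA method failed
Nov 17 22:20:43 louie charon: 11[IKE] peer supports MOBIKE
Nov 17 22:20:43 louie charon: 11[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
"""
CLIENT_LOG = """\
Nov 17 22:19:25 maria charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Nov 17 22:20:43 maria charon: 12[ENC] parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
Nov 17 22:20:43 maria charon: 12[IKE] received EAP_FAILURE, EAP authentication failed
"""

# syslog prefix, then charon's "<thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
UNMET_RE = re.compile(r"unable to load (\d+) plugin features")
SELECTED_RE = re.compile(r"selected peer config '([^']+)'")
METHOD_FAIL_RE = re.compile(r"loading (\S+) method failed")


class Entry(NamedTuple):
    ts: str
    host: str
    thread: int
    group: str
    msg: str


def parse_charon_log(text: str) -> list:
    """Parse charon syslog lines; lines from other daemons are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append(Entry(d["ts"], d["host"], int(d["thread"]), d["group"], d["msg"]))
    return entries


def triage(entries: list) -> list:
    """Return (kind, host, detail) findings in log order.

    The worker thread number ties 'selected peer config' to the later
    'loading ... method failed' of the same IKE_SA negotiation.
    """
    findings = []
    selected = {}  # (host, thread) -> peer config chosen on that thread
    for e in entries:
        m = UNMET_RE.match(e.msg)
        if m and int(m.group(1)) > 0:
            findings.append(("plugin_features_unmet", e.host, int(m.group(1))))
            continue
        m = SELECTED_RE.match(e.msg)
        if m:
            selected[(e.host, e.thread)] = m.group(1)
            continue
        m = METHOD_FAIL_RE.match(e.msg)
        if m:
            findings.append(("eap_method_load_failed", e.host,
                             (m.group(1), selected.get((e.host, e.thread)))))
            continue
        if e.group == "ENC" and "EAP/FAIL" in e.msg:
            direction = "sent" if e.msg.startswith("generating") else "received"
            findings.append(("eap_fail_" + direction, e.host, e.msg))
        elif e.group == "IKE" and e.msg.startswith("received EAP_FAILURE"):
            findings.append(("eap_auth_failed", e.host, e.msg))
    return findings


def root_cause_hint(findings: list) -> Optional[str]:
    """Point at the server-side load failure, which precedes any EAP exchange."""
    unmet = {h: n for k, h, n in findings if k == "plugin_features_unmet"}
    for kind, host, detail in findings:
        if kind == "eap_method_load_failed":
            method, cfg = detail
            hint = (f"{host}: could not instantiate {method} for peer config {cfg!r} "
                    f"before any EAP request was sent; check that the plugins backing "
                    f"{method} loaded with all their dependencies")
            if host in unmet:
                hint += f" ({unmet[host]} plugin features reported unmet on {host})"
            return hint
    return None


if __name__ == "__main__":
    found = triage(parse_charon_log(SERVER_LOG + CLIENT_LOG))
    for kind, host, detail in found:
        print(f"{host:6} {kind:24} {detail}")
    print(root_cause_hint(found))
```

Run it against a real `/var/log/syslog` by replacing the embedded sample with the file contents; the parser ignores non-charon lines, and the thread-number correlation still holds because charon handles one negotiation's IKE_AUTH on a single worker thread within that exchange.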
