[strongSwan] StrongSwan as IKEv2 VPN client with EAP-TLS

Justin Michael Schwartzbeck justinmschw at gmail.com
Fri Sep 26 19:38:42 CEST 2014


Hello,

I am trying to set up strongswan as a client to connect to a vpn server
using EAP-TLS authentication. I have my connection set up as follows:

    conn client
        keyexchange=ikev2
        right=myvpnserver.domain.com
        rightid=%myvpnserver.domain.com
        rightsubnet=0.0.0.0/0
        leftsourceip=%config
        leftauth=eap
        left=myclient.domain.com
        leftid=username
        leftcert=server.crt.pem
        auto=add

When I enter "ipsec up client" I get a failure on the client side:

    initiating IKE_SA client[1] to <vpn_server_ip>
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
    received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
    parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    peer didn't accept DH group MODP_2048, it requested MODP_1024
    initiating IKE_SA client[1] to <vpn_server_ip>
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
    received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
    parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
    received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin@domain.com"
    received 1 cert requests for an unknown ca
    sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, E=admin@domain.com"
    establishing CHILD_SA client
    generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
    sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
    received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
    parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
    received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
      using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
      using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin@domain.com"
    checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
    certificate status is not available
      reached self-signed root ca with a path length of 0
    authentication of '<vpn_server_ip>' with RSA signature successful
    server requested EAP_IDENTITY (id 0x3B), sending 'username'
    EAP_IDENTITY not supported, sending EAP_NAK
    generating IKE_AUTH request 2 [ EAP/RES/NAK ]
    sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
    received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
    parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
    received AUTHENTICATION_FAILED notify error
    establishing connection 'client' failed

On the server side, I am using remote authentication with RADIUS. The EAP
request seems to be incomplete, or fails somehow:

    rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
        Service-Type = Login-User
        Cisco-AVPair = "service-type=Login"
        Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
        User-Name = "username"
        EAP-Message = 0x023b0006030d
        Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
        NAS-IP-Address = <vpn_server_ip>
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "username", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] EAP packet type response id 59 length 6
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [files] users: Matched entry DEFAULT at line 50
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
    [eap] Failed in handler
    ++[eap] returns invalid
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> username
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 129 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 129
    Sending Access-Reject of id 131 to 10.89.150.210 port 1645
    Waking up in 4.9 seconds.
    Cleaning up request 129 ID 131 with timestamp +64810
    Ready to process requests.

So here is my impression of what's happening, and correct me if I'm wrong:
I think that on the strongswan side, EAP authentication is being used but
there is no TLS happening. It seems like RADIUS is trying to determine
whether the client is using TLS, MD5, etc. but fails to determine this.
From the strongswan documentation I have gotten the idea that the client
does not initiate EAP-TLS but it is enforced on the server side. Is there a
way to do what I am trying to do?

Thanks in advance.
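Editor's added example (not code from the original post, nor from strongSwan or FreeRADIUS): a small RFC 3748 EAP decoder run over the EAP-Message value quoted in the RADIUS log above, 0x023b0006030d. It shows what the client actually sent after "EAP_IDENTITY not supported, sending EAP_NAK": a Response/Nak with identifier 0x3B whose single data byte, 13, is the EAP-TLS method type number, so the client declined the Identity request and proposed EAP-TLS instead. The IDENTITY_REQUEST bytes are my reconstruction of the bare EAP-Request/Identity with id 0x3B that the client log reports receiving; the post does not show those bytes, so that input is an assumption, and everything else is constructed from the values visible in the logs.

```python
"""Decode RFC 3748 EAP packets such as the EAP-Message attribute in a RADIUS Access-Request.

Added example for this mailing-list post; not code from the post, strongSwan or FreeRADIUS.
"""
from dataclasses import dataclass
from typing import List, Optional

# EAP codes (RFC 3748 section 4) and the method types one meets in an IKEv2/RADIUS setup.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",
    13: "TLS",        # EAP-TLS, RFC 5216
    21: "TTLS",
    25: "PEAP",
    26: "MSCHAPv2",
}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # only Request/Response packets carry a Type byte
    data: bytes

    def describe(self) -> str:
        code = EAP_CODES.get(self.code, f"code {self.code}")
        if self.eap_type is None:
            return f"EAP {code} id={self.identifier:#04x}"
        name = EAP_TYPES.get(self.eap_type, f"type {self.eap_type}")
        text = f"EAP {code}/{name} id={self.identifier:#04x} len={self.length}"
        if self.code == 2 and self.eap_type == 3:   # Nak: data lists the types the peer accepts
            wanted = ", ".join(EAP_TYPES.get(t, f"type {t}") for t in nak_desired_types(self))
            text += f" (peer will accept: {wanted})"
        return text


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet; reject truncated input and a Length field that disagrees with the buffer."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} does not match {len(raw)} bytes received")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if code in (1, 2):                              # Request / Response carry Type + Type-Data
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        return EapPacket(code, identifier, length, raw[4], raw[5:])
    return EapPacket(code, identifier, length, None, raw[4:])


def nak_desired_types(pkt: EapPacket) -> List[int]:
    """Method types a peer proposes in a Nak (RFC 3748 section 5.3): one type number per data byte."""
    if pkt.code != 2 or pkt.eap_type != 3:
        raise ValueError("not a Nak response")
    return list(pkt.data)


def nak_answers(request: EapPacket, nak: EapPacket) -> bool:
    """True when the Nak carries the Identifier of the Request it replies to, as a NAS matches them."""
    return (request.code == 1 and nak.code == 2 and nak.eap_type == 3
            and request.identifier == nak.identifier)


# Constructed inputs.  RADIUS_EAP_MESSAGE is the EAP-Message value quoted in the RADIUS log.
# IDENTITY_REQUEST is an assumption: a reconstruction of the bare EAP-Request/Identity with
# id 0x3B that the client log reports receiving, since the post does not show its bytes.
RADIUS_EAP_MESSAGE = bytes.fromhex("023b0006030d")
IDENTITY_REQUEST = bytes.fromhex("013b000501")


def decode_exchange() -> List[str]:
    """Decode both packets and report whether the Nak answers the Identity request."""
    req = parse_eap(IDENTITY_REQUEST)
    nak = parse_eap(RADIUS_EAP_MESSAGE)
    return [req.describe(), nak.describe(), f"nak answers request: {nak_answers(req, nak)}"]


if __name__ == "__main__":
    for line in decode_exchange():
        print(line)
```

Run it directly to print the two decoded packets. Seen this way, the FreeRADIUS line "EAP-response to an unknown EAP-request" is what one would expect: the first EAP packet it receives for this session (note "[eap] No EAP Start" just above it) is a Nak replying to an Identity request it has no record of, and the Nak's identifier 0x3B matches the "id 0x3B" in the client log. Separately, the first IKE_SA_INIT exchange shows the server rejecting MODP_2048 and demanding MODP_1024; a 1024-bit DH group is below what is considered acceptable today and is worth raising with whoever operates the server.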