[strongSwan] StrongSwan as IKEv2 VPN client with EAP-TLS

Noel Kuntze noel at familie-kuntze.de
Fri Sep 26 19:57:25 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Justin,

Please keep it on the list.
Do you have the eap-tls plugin?
Also, this doesn't look good:
EAP_IDENTITY not supported, sending EAP_NAK

I don't know what causes the latter error.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 26.09.2014 at 19:53, Justin Michael Schwartzbeck wrote:
> Hi Noel.
>
> I have tried leftauth=eap-tls and it has the exact same behavior. I get the missing realm warning with other clients as well but still have a successful connection. I am thinking that the error is somewhere in the EAP transaction, especially because of this message:
>
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
>
> Because I get the same behavior with leftauth set to eap, eap-tls and eap-md5, I am thinking that the client is defaulting to EAP everything (without tls or md5).
>
> On Fri, Sep 26, 2014 at 12:45 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Justin,
>
> You need to set leftauth=eap-tls and the RADIUS complains about a missing realm:
> [suffix] No '@' in User-Name = "username", looking up realm NULL
> [suffix] No such realm "NULL"
>
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:
> > Hello,
>
> > I am trying to set up strongswan as a client to connect to a vpn server using EAP-TLS authentication. I have my connection set up as follows:
>
> > conn client
> >      keyexchange=ikev2
> >      right=myvpnserver.domain.com
> >      rightid=%myvpnserver.domain.com
> >      rightsubnet=0.0.0.0/0
> >      leftsourceip=%config
> >      leftauth=eap
> >      left=myclient.domain.com
> >      leftid=username
> >      leftcert=server.crt.pem
> >      auto=add
>
> > When I enter "ipsec up client" I get a failure on the client side:
>
> > initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > peer didn't accept DH group MODP_2048, it requested MODP_1024
> > initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > received 1 cert requests for an unknown ca
> > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > establishing CHILD_SA client
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> >   using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> >   using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > certificate status is not available
> >   reached self-signed root ca with a path length of 0
> > authentication of '<vpn_server_ip>' with RSA signature successful
> > server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > EAP_IDENTITY not supported, sending EAP_NAK
> > generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > establishing connection 'client' failed
>
> > On the server side, I am using remote authentication with RADIUS. The EAP request seems to be incomplete, or fails somehow:
>
> > rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
> >     Service-Type = Login-User
> >     Cisco-AVPair = "service-type=Login"
> >     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> >     User-Name = "username"
> >     EAP-Message = 0x023b0006030d
> >     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> >     NAS-IP-Address = <vpn_server_ip>
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > ++[digest] returns noop
> > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > [eap] EAP packet type response id 59 length 6
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > [files] users: Matched entry DEFAULT at line 50
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group authenticate {...}
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> > Using Post-Auth-Type Reject
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group REJECT {...}
> > [attr_filter.access_reject]     expand: %{User-Name} -> username
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Delaying reject of request 129 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 129
> > Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > Waking up in 4.9 seconds.
> > Cleaning up request 129 ID 131 with timestamp +64810
> > Ready to process requests.
>
> > So here is my impression of what's happening, and correct me if I'm wrong: I think that on the strongswan side, EAP authentication is being used but there is no TLS happening. It seems like RADIUS is trying to determine whether the client is using TLS, MD5, etc. but fails to determine this. From the strongswan documentation I have gotten the idea that the client does not initiate EAP-TLS but it is enforced on the server side. Is there a way to do what I am trying to do?
>
> > Thanks in advance.
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > https://lists.strongswan.org/mailman/listinfo/users
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
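The one hard fact in the two logs is the six-byte EAP-Message that FreeRADIUS printed, so it helps to read it byte by byte instead of guessing at the EAP state. The decoder below is an added example written for this thread; it is not code from strongSwan, FreeRADIUS or either poster. It follows the EAP framing of RFC 3748 (Code, Identifier, Length, then Type and Type-Data for Request/Response packets); the function and constant names are my own, and the only input is the hex value copied from the log above.

```python
"""Decode an EAP packet from a RADIUS debug line.

Added example for this thread; not code from strongSwan, FreeRADIUS or
either poster. EAP framing per RFC 3748: Code(1) Identifier(1) Length(2)
and, for Request/Response, Type(1) followed by Type-Data. Function and
constant names are my own.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers (IANA registry); only the ones relevant here.
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}


def decode_eap(hex_value):
    """Parse one EAP packet given as the hex string FreeRADIUS prints (0x...)."""
    if hex_value[:2].lower() == "0x":
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} != {len(raw)} bytes on the wire")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response carries a Type byte")
        mtype = raw[4]
        data = raw[5:]
        pkt["type"] = EAP_TYPES.get(mtype, f"unknown({mtype})")
        if mtype == 3:
            # Nak: Type-Data lists the methods the peer is willing to use instead
            pkt["desired"] = [EAP_TYPES.get(b, f"unknown({b})") for b in data]
        elif mtype == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        else:
            pkt["data"] = data.hex()
    return pkt


def encode_identity_response(ident, identity):
    """Build the Identity Response a client that handles EAP-Identity would send."""
    body = b"\x01" + identity.encode("utf-8")  # Type 1 = Identity
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


# Input copied from the FreeRADIUS debug output above (EAP-Message attribute).
NAK_FROM_LOG = "0x023b0006030d"

if __name__ == "__main__":
    print(decode_eap(NAK_FROM_LOG))
    # -> {'code': 'Response', 'id': 59, 'length': 6, 'type': 'Nak', 'desired': ['EAP-TLS']}
    print(encode_identity_response(0x3B, "username").hex())
    # -> 023b000d01757365726e616d65
```

Decoded, the packet is a Response with identifier 59 (0x3B, the same id strongSwan logged for the server's EAP_IDENTITY request), type Nak, offering method 13, EAP-TLS. That is exactly what strongSwan's "EAP_IDENTITY not supported, sending EAP_NAK" says: the client is willing to do EAP-TLS but cannot answer the Identity request, which on a strongSwan client is handled by the eap-identity plugin. FreeRADIUS then sees a Nak for a request it has no state for ("No EAP Start, assuming it's an on-going EAP conversation") and rejects. The second function shows, for contrast, the Identity Response the server was waiting for.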


