[strongSwan] StrongSwan as IKEv2 VPN client with EAP-TLS

Justin Michael Schwartzbeck justinmschw at gmail.com
Fri Sep 26 20:09:53 CEST 2014


I do have the eap-tls plugin, I built strongswan with this option enabled.
When I start ipsec, I can see that the eap-tls plugin is being loaded. Here
is the exact output of "ipsec start":

Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] known interfaces and IP addresses:
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   lo
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     127.0.0.1
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     ::1
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   eth0
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <local_ip>
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <mac_address>
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG]   loaded ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com" from '/etc/ipsec.d/cacerts/cacert.pem'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key.pem'
Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-tls xauth-generic xauth-noauth lookip
Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
Sep 26 12:49:48 ast-scodev-27 charon: 00[JOB] spawning 16 worker threads
Sep 26 12:49:48 ast-scodev-27 charon: 02[NET] waiting for data on sockets
Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] received stroke: add connection 'client'
Sep 26 12:49:48 ast-scodev-27 charon: 05[KNL] <vpn_server_ip> is not a local address or the interface is down
Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG]   loaded certificate "CN=username, C=Country, ST=State, O=Company Name, OU=Organization" from 'server.crt.pem'
Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] added configuration 'client'

On Fri, Sep 26, 2014 at 12:57 PM, Noel Kuntze <noel at familie-kuntze.de>
wrote:

> Hello Justin,
>
> Please keep it on the list.
> Do you have the eap-tls plugin?
> Also, this doesn't look good:
> EAP_IDENTITY not supported, sending EAP_NAK
>
> I don't know what causes the latter error.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 26.09.2014 at 19:53, Justin Michael Schwartzbeck wrote:
> > Hi Noel.
> >
> > I have tried leftauth=eap-tls and it has the exact same behavior. I get
> > the missing realm warning with other clients as well but still have a
> > successful connection. I am thinking that the error is somewhere in the EAP
> > transaction, especially because of this message:
> >
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> >
> > Because I get the same behavior with leftauth set to eap, eap-tls and
> > eap-md5, I am thinking that the client is defaulting to EAP everything
> > (without tls or md5).
> >
> > On Fri, Sep 26, 2014 at 12:45 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello Justin,
> >
> > You need to set leftauth=eap-tls and the RADIUS complains about a
> > missing realm:
> > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > [suffix] No such realm "NULL"
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:
> > > Hello,
> >
> > > I am trying to set up strongswan as a client to connect to a vpn
> > > server using EAP-TLS authentication. I have my connection set up as follows:
> >
> > > conn client
> > >      keyexchange=ikev2
> > >      right=myvpnserver.domain.com
> > >      rightid=%myvpnserver.domain.com
> > >      rightsubnet=0.0.0.0/0
> > >      leftsourceip=%config
> > >      leftauth=eap
> > >      left=myclient.domain.com
> > >      leftid=username
> > >      leftcert=server.crt.pem
> > >      auto=add
> >
> > > When I enter "ipsec up client" I get a failure on the client side:
> >
> > > initiating IKE_SA client[1] to <vpn_server_ip>
> > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > > peer didn't accept DH group MODP_2048, it requested MODP_1024
> > > initiating IKE_SA client[1] to <vpn_server_ip>
> > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> > > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > > received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > > received 1 cert requests for an unknown ca
> > > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > > establishing CHILD_SA client
> > > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> > > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> > > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > > received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > >   using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > >   using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > > checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > certificate status is not available
> > >   reached self-signed root ca with a path length of 0
> > > authentication of '<vpn_server_ip>' with RSA signature successful
> > > server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > > EAP_IDENTITY not supported, sending EAP_NAK
> > > generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> > > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> > > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > > received AUTHENTICATION_FAILED notify error
> > > establishing connection 'client' failed
> >
> > > On the server side, I am using remote authentication with RADIUS. The
> > > EAP request seems to be incomplete, or fails somehow:
> >
> > > rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
> > >     Service-Type = Login-User
> > >     Cisco-AVPair = "service-type=Login"
> > >     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> > >     User-Name = "username"
> > >     EAP-Message = 0x023b0006030d
> > >     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> > >     NAS-IP-Address = <vpn_server_ip>
> > > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > > +- entering group authorize {...}
> > > ++[preprocess] returns ok
> > > ++[chap] returns noop
> > > ++[mschap] returns noop
> > > ++[digest] returns noop
> > > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > > [suffix] No such realm "NULL"
> > > ++[suffix] returns noop
> > > [eap] EAP packet type response id 59 length 6
> > > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > > ++[eap] returns updated
> > > [files] users: Matched entry DEFAULT at line 50
> > > ++[files] returns ok
> > > ++[expiration] returns noop
> > > ++[logintime] returns noop
> > > [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > > ++[pap] returns noop
> > > Found Auth-Type = EAP
> > > # Executing group from file /etc/raddb/sites-enabled/default
> > > +- entering group authenticate {...}
> > > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > > [eap] Failed in handler
> > > ++[eap] returns invalid
> > > Failed to authenticate the user.
> > > Using Post-Auth-Type Reject
> > > # Executing group from file /etc/raddb/sites-enabled/default
> > > +- entering group REJECT {...}
> > > [attr_filter.access_reject]     expand: %{User-Name} -> username
> > > attr_filter: Matched entry DEFAULT at line 11
> > > ++[attr_filter.access_reject] returns updated
> > > Delaying reject of request 129 for 1 seconds
> > > Going to the next request
> > > Waking up in 0.9 seconds.
> > > Sending delayed reject for request 129
> > > Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > > Waking up in 4.9 seconds.
> > > Cleaning up request 129 ID 131 with timestamp +64810
> > > Ready to process requests.
> >
> > > So here is my impression of what's happening, and correct me if I'm
> > > wrong: I think that on the strongswan side, EAP authentication is being
> > > used but there is no TLS happening. It seems like RADIUS is trying to
> > > determine whether the client is using TLS, MD5, etc. but fails to determine
> > > this. From the strongswan documentation I have gotten the idea that the
> > > client does not initiate EAP-TLS but it is enforced on the server side. Is
> > > there a way to do what I am trying to do?
> >
> > > Thanks in advance.
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
>
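Added worked example, not part of the thread and not strongSwan or FreeRADIUS code. The one piece of real data it uses is the `EAP-Message = 0x023b0006030d` attribute from the RADIUS trace quoted above; decoded against RFC 3748 it is a Response with identifier 0x3b (59, matching the `server requested EAP_IDENTITY (id 0x3B)` line and FreeRADIUS's `response id 59 length 6`), type 3 (Nak), whose desired-method list holds a single type, 13 (EAP-TLS). That is the packet charon emits when it receives an EAP request for a method no loaded plugin implements: the `loaded plugins` line at the top of the message lists eap-tls but not eap-identity, and eap-identity is the plugin that answers EAP-Identity requests on the client side. Whether loading it resolves this particular setup is not shown in the thread. The Identity request and the well-formed Identity response below are constructed packets, not captures, and the helper names are this example's own.

```python
"""Decode EAP packets (RFC 3748) as carried in the RADIUS EAP-Message attribute.

Added example for this thread, not strongSwan or FreeRADIUS code. The only
real data is NAK_FROM_TRACE, taken from the quoted RADIUS debug output; the
other two packets are constructed to show what an Identity exchange looks like.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# RFC 3748 section 5 types plus the IANA-assigned methods an IKEv2 client meets
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(raw: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A RADIUS server discards packets whose Length disagrees with the attribute
        raise ValueError(f"Length field says {length} but {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:
            # Identity: Type-Data is the bare identity (empty in a Request)
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 3:
            # Nak: Type-Data lists the methods the peer is willing to use instead
            pkt["desired"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
    return pkt


def parse_radius_eap_message(value: str) -> dict:
    """Decode an EAP-Message attribute in the form freeradius -X prints it."""
    hexstr = value[2:] if value.startswith(("0x", "0X")) else value
    return parse_eap(bytes.fromhex(hexstr))


def build_identity_response(ident: int, identity: str) -> bytes:
    """Build the Response/Identity a client with an Identity method would send."""
    body = identity.encode("utf-8")
    return struct.pack("!BBHB", 2, ident, 5 + len(body), 1) + body


# Real value from the RADIUS trace quoted in the thread
NAK_FROM_TRACE = "0x023b0006030d"
# Constructed: a minimal Request/Identity with the same identifier 0x3b
IDENTITY_REQUEST = bytes.fromhex("013b000501")

if __name__ == "__main__":
    print(parse_eap(IDENTITY_REQUEST))
    print(parse_radius_eap_message(NAK_FROM_TRACE))
    print(parse_eap(build_identity_response(0x3B, "username")))
```

The Nak is the client saying "I will not do Identity, but I can do EAP-TLS"; FreeRADIUS then reports it as a response to an unknown request, which is consistent with the Identity request having been generated by the VPN gateway rather than by the RADIUS server's own EAP state machine. The `length != len(raw)` check matters in practice because EAP-Message may be split across several RADIUS attributes and must be reassembled before parsing.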