[strongSwan] StrongSwan as IKEv2 VPN client with EAP-TLS

Noel Kuntze noel at familie-kuntze.de
Fri Sep 26 21:24:42 CEST 2014


Hello Justin,

Did you look at [1]? In that example, aaa_identity is set.

[1] http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-radius/

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 26.09.2014 at 20:09, Justin Michael Schwartzbeck wrote:
> I do have the eap-tls plugin, I built strongswan with this option enabled. When I start ipsec, I can see that the eap-tls plugin is being loaded. Here is the exact output of "ipsec start":
>
> Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] known interfaces and IP addresses:
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   lo
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     127.0.0.1
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     ::1
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   eth0
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <local_ip>
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <mac_address>
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG]   loaded ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com" from '/etc/ipsec.d/cacerts/cacert.pem'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key.pem'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-tls xauth-generic xauth-noauth lookip
> Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> Sep 26 12:49:48 ast-scodev-27 charon: 00[JOB] spawning 16 worker threads
> Sep 26 12:49:48 ast-scodev-27 charon: 02[NET] waiting for data on sockets
> Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] received stroke: add connection 'client'
> Sep 26 12:49:48 ast-scodev-27 charon: 05[KNL] <vpn_server_ip> is not a local address or the interface is down
> Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG]   loaded certificate "CN=username, C=Country, ST=State, O=Company Name, OU=Organization" from 'server.crt.pem'
> Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] added configuration 'client'
>
> On Fri, Sep 26, 2014 at 12:57 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Justin,
>
> Please keep it on the list.
> Do you have the eap-tls plugin?
> Also, this doesn't look good:
> EAP_IDENTITY not supported, sending EAP_NAK
>
> I don't know what causes the latter error.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 26.09.2014 at 19:53, Justin Michael Schwartzbeck wrote:
> > Hi Noel.
>
> > I have tried leftauth=eap-tls and it has the exact same behavior. I get the missing realm warning with other clients as well but still have a successful connection. I am thinking that the error is somewhere in the EAP transaction, especially because of this message:
>
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
>
> > Because I get the same behavior with left-auth set to eap, eap-tls and eap-md5, I am thinking that the client is defaulting to EAP everything (without tls or md5).
>
> > On Fri, Sep 26, 2014 at 12:45 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > Hello Justin,
>
> > You need to set leftauth=eap-tls and the RADIUS complains about a missing realm:
> > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > [suffix] No such realm "NULL"
>
> > Kind regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:
> > > Hello,
>
> > > I am trying to set up strongswan as a client to connect to a vpn server using EAP-TLS authentication. I have my connection set up as follows:
>
> > > conn client
> > >      keyexchange=ikev2
> > >      right=myvpnserver.domain.com
> > >      rightid=%myvpnserver.domain.com
> > >      rightsubnet=0.0.0.0/0
> > >      leftsourceip=%config
> > >      leftauth=eap
> > >      left=myclient.domain.com
> > >      leftid=username
> > >      leftcert=server.crt.pem
> > >      auto=add
>
> > > When I enter "ipsec up client" I get a failure on the client side:
>
> > > initiating IKE_SA client[1] to <vpn_server_ip>
> > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > > peer didn't accept DH group MODP_2048, it requested MODP_1024
> > > initiating IKE_SA client[1] to <vpn_server_ip>
> > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> > > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > > received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > > received 1 cert requests for an unknown ca
> > > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > > establishing CHILD_SA client
> > > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> > > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> > > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > > received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > >   using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > >   using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com"
> > > checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > certificate status is not available
> > >   reached self-signed root ca with a path length of 0
> > > authentication of '<vpn_server_ip>' with RSA signature successful
> > > server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > > EAP_IDENTITY not supported, sending EAP_NAK
> > > generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> > > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> > > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > > received AUTHENTICATION_FAILED notify error
> > > establishing connection 'client' failed
>
> > > On the server side, I am using remote authentication with RADIUS. The EAP request seems to be incomplete, or fails somehow:
>
> > > rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
> > >     Service-Type = Login-User
> > >     Cisco-AVPair = "service-type=Login"
> > >     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> > >     User-Name = "username"
> > >     EAP-Message = 0x023b0006030d
> > >     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> > >     NAS-IP-Address = <vpn_server_ip>
> > > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > > +- entering group authorize {...}
> > > ++[preprocess] returns ok
> > > ++[chap] returns noop
> > > ++[mschap] returns noop
> > > ++[digest] returns noop
> > > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > > [suffix] No such realm "NULL"
> > > ++[suffix] returns noop
> > > [eap] EAP packet type response id 59 length 6
> > > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > > ++[eap] returns updated
> > > [files] users: Matched entry DEFAULT at line 50
> > > ++[files] returns ok
> > > ++[expiration] returns noop
> > > ++[logintime] returns noop
> > > [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > > ++[pap] returns noop
> > > Found Auth-Type = EAP
> > > # Executing group from file /etc/raddb/sites-enabled/default
> > > +- entering group authenticate {...}
> > > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > > [eap] Failed in handler
> > > ++[eap] returns invalid
> > > Failed to authenticate the user.
> > > Using Post-Auth-Type Reject
> > > # Executing group from file /etc/raddb/sites-enabled/default
> > > +- entering group REJECT {...}
> > > [attr_filter.access_reject]     expand: %{User-Name} -> username
> > > attr_filter: Matched entry DEFAULT at line 11
> > > ++[attr_filter.access_reject] returns updated
> > > Delaying reject of request 129 for 1 seconds
> > > Going to the next request
> > > Waking up in 0.9 seconds.
> > > Sending delayed reject for request 129
> > > Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > > Waking up in 4.9 seconds.
> > > Cleaning up request 129 ID 131 with timestamp +64810
> > > Ready to process requests.
>
> > > So here is my impression of what's happening, and correct me if I'm wrong: I think that on the strongswan side, EAP authentication is being used but there is no TLS happening. It seems like RADIUS is trying to determine whether the client is using TLS, MD5, etc. but fails to determine this. From the strongswan documentation I have gotten the idea that the client does not initiate EAP-TLS but it is enforced on the server side. Is there a way to do what I am trying to do?
>
> > > Thanks in advance.
>
>
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
>
>
> >     _______________________________________________
> >     Users mailing list
> >     Users at lists.strongswan.org <mailto:Users at lists.strongswan.org> <mailto:Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>>
> >     https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>
>

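The EAP-Message attribute in the FreeRADIUS debug output quoted above (`0x023b0006030d`) is short enough to decode by hand, and decoding it shows exactly what the gateway forwarded to RADIUS. The decoder below is an added example, not code from this thread, from strongSwan or from FreeRADIUS: it parses the RFC 3748 EAP header (Code, Identifier, Length, Type) and, for a Nak response, lists the method types the peer says it is willing to use. The first input is the value from the quoted log; the second, an EAP-Identity response carrying "username", is constructed here for contrast and is not from the thread.

```python
import struct

# EAP codes (RFC 3748 section 4) and the method types relevant to this thread
# (Identity, Nak and MD5-Challenge from RFC 3748; TLS from RFC 5216; the
# remaining numbers are the IANA-registered EAP method types).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2",
}


def decode_eap(packet: bytes) -> dict:
    """Parse one EAP packet into a dict; raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(packet))
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # Length covers the whole packet; a value larger than the buffer (or
    # smaller than the header) is a malformed packet, not payload.
    if length < 4 or length > len(packet):
        raise ValueError("EAP length %d inconsistent with %d bytes" % (length, len(packet)))
    info = {
        "code": code,
        "code_name": EAP_CODES.get(code, "unknown"),
        "id": ident,
        "length": length,
    }
    if code not in (1, 2):          # Success and Failure carry no Type field
        return info
    body = packet[4:length]
    if not body:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = body[0], body[1:]
    info["type"] = eap_type
    info["type_name"] = EAP_TYPES.get(eap_type, "unknown")
    if eap_type == 3:
        # Nak: Type-Data is the list of method types the peer will accept
        info["desired_types"] = [EAP_TYPES.get(t, "type %d" % t) for t in data]
    elif eap_type == 1:
        # Identity: Type-Data is the (possibly empty) identity string
        info["identity"] = data.decode("utf-8", errors="replace")
    else:
        info["type_data"] = data.hex()
    return info


def decode_eap_message(attr_value: str) -> dict:
    """Decode an EAP-Message value as FreeRADIUS prints it (hex, optional 0x prefix)."""
    value = attr_value[2:] if attr_value.lower().startswith("0x") else attr_value
    return decode_eap(bytes.fromhex(value))


def summarize(attr_value: str) -> str:
    """One-line human-readable summary of an EAP-Message value."""
    d = decode_eap_message(attr_value)
    text = "EAP %s id=%d len=%d" % (d["code_name"], d["id"], d["length"])
    if "type" in d:
        text += " type=%d (%s)" % (d["type"], d["type_name"])
    if "desired_types" in d:
        text += " wants: " + ", ".join(d["desired_types"])
    if "identity" in d:
        text += " identity=%r" % d["identity"]
    return text


# Value taken from the FreeRADIUS debug output quoted in the thread.
FROM_LOG = "0x023b0006030d"

# Constructed for contrast (not from the thread): an EAP-Identity response
# for "username": code 2, id 0x3b, length 13, type 1, then the identity bytes.
CONSTRUCTED_IDENTITY_RESPONSE = (
    bytes([0x02, 0x3B, 0x00, 0x0D, 0x01]) + b"username"
).hex()

if __name__ == "__main__":
    print(summarize(FROM_LOG))
    print(summarize(CONSTRUCTED_IDENTITY_RESPONSE))
```

The logged value decodes as an EAP Response, id 59, length 6, type 3 (Nak) with a single desired type, 13 (EAP-TLS): the client declined the Identity request and asked for EAP-TLS instead, which is the packet behind the charon line "EAP_IDENTITY not supported, sending EAP_NAK". FreeRADIUS never sent the request this Nak answers (the gateway did), so it has no EAP session for id 59 and reports "EAP-response to an unknown EAP-request". In strongSwan the eap-identity plugin is what answers EAP-Identity requests on the client side, and the "loaded plugins" line in the quoted "ipsec start" output does not list it, so that is the first thing worth checking alongside the leftauth and aaa_identity settings discussed in the thread.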


