[strongSwan] StrongSwan as IKEv2 VPN client with EAP-TLS

Andreas Steffen andreas.steffen at strongswan.org
Sat Sep 27 20:42:51 CEST 2014 

Hi,

you must enable and load the eap-identity plugin on the client side.
And if the EAP identity does not equal the IKEv2 identity you must
define the EAP Identity with

  eap_identity=....

in ipsec.conf in the client configuration.

Regards

Andreas

On 09/26/2014 07:38 PM, Justin Michael Schwartzbeck wrote:
> Hello,
> 
> I am trying to set up strongswan as a client to connect to a vpn server
> using EAP-TLS authentication. I have my connection set up as follows:
> 
> /conn client
>      keyexchange=ikev2
>      right=myvpnserver.domain.com <http://myvpnserver.domain.com>
>      rightid=%myvpnserver.domain.com <http://myvpnserver.domain.com>
>      rightsubnet=0.0.0.0/0 <http://0.0.0.0/0>
>      leftsourceip=%config
>      leftauth=eap
>      left=myclient.domain.com <http://myclient.domain.com>
>      leftid=username
>      leftcert=server.crt.pem
>      auto=add/
> 
> When I enter "ipsec up client" I get a failure on the client side:
> 
> /initiating IKE_SA client[1] to <vpn_server_ip>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group MODP_2048, it requested MODP_1024
> initiating IKE_SA client[1] to <vpn_server_ip>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ ]
> received cert request for "CN=rootCA, CN=Common Name, O=Company Name,
> OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com
> <mailto:admin at domain.com>"
> received 1 cert requests for an unknown ca
> sending cert request for "CN=rootCA, CN=Common Name, O=Common Name,
> OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com
> <mailto:admin at domain.com>"
> establishing CHILD_SA client
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR
> DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420
> bytes)
> parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> received end entity cert "CN=myvpnserver.domain.com
> <http://myvpnserver.domain.com>, C=Country, ST=State, O=Company,
> OU=Organization"
>   using certificate "CN=myvpnserver.domain.com
> <http://myvpnserver.domain.com>, C=Country, ST=State, O=Company,
> OU=Organization"
>   using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company
> Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com
> <mailto:admin at domain.com>"
> checking certificate status of "CN=myvpnserver.domain.com
> <http://myvpnserver.domain.com>, C=Country, ST=State, O=Company,
> OU=Organization"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
> authentication of '<vpn_server_ip>' with RSA signature successful
> server requested EAP_IDENTITY (id 0x3B), sending 'username'
> EAP_IDENTITY not supported, sending EAP_NAK
> generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'client' failed/
> 
> On the server side, I am using remote authentication with RADIUS. The
> EAP request seems to be incomplete, or fails somehow:
> 
> /rad_recv: Access-Request packet from host 10.89.150.210 port 1645,
> id=131, length=135
>     Service-Type = Login-User
>     Cisco-AVPair = "service-type=Login"
>     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
>     User-Name = "username"
>     EAP-Message = 0x023b0006030d
>     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
>     NAS-IP-Address = <vpn_server_ip>
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "username", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 59 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 50
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> username
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 129 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 129
> Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> Waking up in 4.9 seconds.
> Cleaning up request 129 ID 131 with timestamp +64810
> Ready to process requests.
> 
> /
> So here is my impression of what's happening, and correct me if I'm
> wrong: I think that on the strongswan side, EAP authentication is being
> used but there is no TLS happening. It seems like RADIUS is trying to
> determine whether the client is using TLS, MD5, etc. but fails to
> determine this. From the strongswan documentation I have gotten the idea
> that the client does not initiate EAP-TLS but it is enforced on the
> server side. Is there a way to do what I am trying to do?
> 
> Thanks in advance.
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140927/d320e6b9/attachment.bin>

More information about the Users mailing list