[strongSwan] StrongSwan as IKEv2 VPN client with EAP-TLS

Justin Michael Schwartzbeck justinmschw at gmail.com
Mon Sep 29 02:38:52 CEST 2014


Hi Andreas,

That was my problem. Thanks for the tip. I was beginning to lose hope. :P

-Justin

On Sat, Sep 27, 2014 at 1:42 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi,
>
> you must enable and load the eap-identity plugin on the client side.
> And if the EAP identity does not equal the IKEv2 identity you must
> define the EAP Identity with
>
>   eap_identity=....
>
> in ipsec.conf in the client configuration.
>
> Regards
>
> Andreas
>
> On 09/26/2014 07:38 PM, Justin Michael Schwartzbeck wrote:
> > Hello,
> >
> > I am trying to set up strongswan as a client to connect to a vpn server
> > using EAP-TLS authentication. I have my connection set up as follows:
> >
> > /conn client
> >      keyexchange=ikev2
> >      right=myvpnserver.domain.com <http://myvpnserver.domain.com>
> >      rightid=%myvpnserver.domain.com <http://myvpnserver.domain.com>
> >      rightsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> >      leftsourceip=%config
> >      leftauth=eap
> >      left=myclient.domain.com <http://myclient.domain.com>
> >      leftid=username
> >      leftcert=server.crt.pem
> >      auto=add/
> >
> > When I enter "ipsec up client" I get a failure on the client side:
> >
> > /initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > peer didn't accept DH group MODP_2048, it requested MODP_1024
> > initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381
> bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
> > CERTREQ ]
> > received cert request for "CN=rootCA, CN=Common Name, O=Company Name,
> > OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com
> > <mailto:admin at domain.com>"
> > received 1 cert requests for an unknown ca
> > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name,
> > OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com
> > <mailto:admin at domain.com>"
> > establishing CHILD_SA client
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR
> > DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380
> bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420
> > bytes)
> > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > received end entity cert "CN=myvpnserver.domain.com
> > <http://myvpnserver.domain.com>, C=Country, ST=State, O=Company,
> > OU=Organization"
> >   using certificate "CN=myvpnserver.domain.com
> > <http://myvpnserver.domain.com>, C=Country, ST=State, O=Company,
> > OU=Organization"
> >   using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company
> > Name, OU=Organization, C=Country, ST=State, L=City, E=admin at domain.com
> > <mailto:admin at domain.com>"
> > checking certificate status of "CN=myvpnserver.domain.com
> > <http://myvpnserver.domain.com>, C=Country, ST=State, O=Company,
> > OU=Organization"
> > certificate status is not available
> >   reached self-signed root ca with a path length of 0
> > authentication of '<vpn_server_ip>' with RSA signature successful
> > server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > EAP_IDENTITY not supported, sending EAP_NAK
> > generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76
> bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76
> bytes)
> > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > establishing connection 'client' failed/
> >
> > On the server side, I am using remote authentication with RADIUS. The
> > EAP request seems to be incomplete, or fails somehow:
> >
> > /rad_recv: Access-Request packet from host 10.89.150.210 port 1645,
> > id=131, length=135
> >     Service-Type = Login-User
> >     Cisco-AVPair = "service-type=Login"
> >     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> >     User-Name = "username"
> >     EAP-Message = 0x023b0006030d
> >     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> >     NAS-IP-Address = <vpn_server_ip>
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > ++[digest] returns noop
> > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > [eap] EAP packet type response id 59 length 6
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > [files] users: Matched entry DEFAULT at line 50
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group authenticate {...}
> > [eap] Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> > Using Post-Auth-Type Reject
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group REJECT {...}
> > [attr_filter.access_reject]     expand: %{User-Name} -> username
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Delaying reject of request 129 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 129
> > Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > Waking up in 4.9 seconds.
> > Cleaning up request 129 ID 131 with timestamp +64810
> > Ready to process requests.
> >
> > /
> > So here is my impression of what's happening, and correct me if I'm
> > wrong: I think that on the strongswan side, EAP authentication is being
> > used but there is no TLS happening. It seems like RADIUS is trying to
> > determine whether the client is using TLS, MD5, etc. but fails to
> > determine this. From the strongswan documentation I have gotten the idea
> > that the client does not initiate EAP-TLS but it is enforced on the
> > server side. Is there a way to do what I am trying to do?
> >
> > Thanks in advance.
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140928/53d806ae/attachment.html>


More information about the Users mailing list