[strongSwan] I have some questions about strongswan configuration.
Hyun-Jin Kim
be.successor at gmail.com
Tue Aug 18 10:31:02 CEST 2015
Excuse me.
I have some trouble with strongSwan settings.
I want to set up a network like this.
[image: body image 1]
The picture above shows a G/W ===== G/W connection with the certificate
verification server added.
I succeeded with a G/W ==== G/W connection like this.
[image: body image 2]
So I referenced this configuration: Test ikev2/rw-eap-md5-radius
https://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-radius/index.html
[image: alice carol moon]
*FreeRadius ------------ moon = server(G/W) ----------------- sun = client(G/W)*
But I can set this network..
Who can solve this problem?
Please help me.
*<Server configuration>*
1) ipsec.conf
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn rw-eap
left=192.168.0.1
leftsubnet=129.254.72.0/24
leftcert=moon.pem
leftid=strongswan moon
leftauth=pubkey
leftfirewall=yes
rightid=strongswan sun
rightauth=eap-md5
rightsendcert=never
right=192.168.0.2
auto=add
2) strongswan.conf
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl
revocation hmac xcbc stroke kernel-netlink socket-default fips-prf
eap-radius updown
plugins {
eap-radius {
secret = testing123
server = 129.254.72.87
}
}
}
3) ipsec.secrets
: RSA moon.key "1p2p3p"
: RSA ca.key "1p2p3p"
4) ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-61-generic,
x86_64):
uptime: 26 minutes, since Aug 18 15:53:48 2015
malloc: sbrk 2428928, mmap 0, used 210880, free 2218048
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce
x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf
updown
Listening IP addresses:
192.168.0.1
129.254.73.189
Connections:
rw-eap: 192.168.0.1...192.168.0.2 IKEv2
rw-eap: local: [C=KR, ST=Some-State, O=Etri, CN=strongswan moon]
uses public key authentication
rw-eap: cert: "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
rw-eap: remote: [strongswan sun] uses EAP_MD5 authentication
rw-eap: child: 129.254.72.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
5) tail -f /var/log/syslog /var/log/auth.log
root at radSer:~# tail -f /var/log/syslog /var/log/auth.log
==> /var/log/syslog <==
Aug 18 16:21:23 radSer charon: 10[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 18 16:21:23 radSer charon: 10[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 18 16:21:23 radSer charon: 10[NET] sending packet: from
192.168.0.1[500] to 192.168.0.2[500] (440 bytes)
Aug 18 16:21:23 radSer charon: 06[NET] received packet: from
192.168.0.2[500] to 192.168.0.1[500] (428 bytes)
Aug 18 16:21:23 radSer charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 18 16:21:23 radSer charon: 06[CFG] looking for peer configs matching
192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan
moon]...192.168.0.2[strongswan sun]
Aug 18 16:21:23 radSer charon: 06[CFG] selected peer config 'rw-eap'
Aug 18 16:21:23 radSer charon: 06[IKE] loading EAP_MD5 method failed
Aug 18 16:21:23 radSer charon: 06[ENC] generating IKE_AUTH response 1 [ IDr
EAP/FAIL ]
Aug 18 16:21:23 radSer charon: 06[NET] sending packet: from
192.168.0.1[500] to 192.168.0.2[500] (156 bytes)
==> /var/log/auth.log <==
Aug 18 15:54:12 radSer charon: 07[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 18 15:55:57 radSer charon: 13[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 18 16:04:23 radSer charon: 08[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 18 16:06:31 radSer charon: 07[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 18 16:09:01 radSer CRON[13186]: pam_unix(cron:session): session opened
for user root by (uid=0)
Aug 18 16:09:01 radSer CRON[13186]: pam_unix(cron:session): session closed
for user root
Aug 18 16:09:05 radSer charon: 12[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 18 16:17:01 radSer CRON[13201]: pam_unix(cron:session): session opened
for user root by (uid=0)
Aug 18 16:17:01 radSer CRON[13201]: pam_unix(cron:session): session closed
for user root
Aug 18 16:21:23 radSer charon: 10[IKE] 192.168.0.2 is initiating an IKE_SA
==> /var/log/syslog <==
Aug 18 16:21:32 radSer charon: 07[NET] received packet: from
192.168.0.2[500] to 192.168.0.1[500] (692 bytes)
Aug 18 16:21:32 radSer charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 18 16:21:32 radSer charon: 07[IKE] 192.168.0.2 is initiating an IKE_SA
==> /var/log/auth.log <==
Aug 18 16:21:32 radSer charon: 07[IKE] 192.168.0.2 is initiating an IKE_SA
==> /var/log/syslog <==
Aug 18 16:21:32 radSer charon: 07[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 18 16:21:32 radSer charon: 07[NET] sending packet: from
192.168.0.1[500] to 192.168.0.2[500] (440 bytes)
Aug 18 16:21:32 radSer charon: 08[NET] received packet: from
192.168.0.2[500] to 192.168.0.1[500] (428 bytes)
Aug 18 16:21:32 radSer charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 18 16:21:32 radSer charon: 08[CFG] looking for peer configs matching
192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan
moon]...192.168.0.2[strongswan sun]
Aug 18 16:21:32 radSer charon: 08[CFG] selected peer config 'rw-eap'
Aug 18 16:21:32 radSer charon: 08[IKE] loading EAP_MD5 method failed
Aug 18 16:21:32 radSer charon: 08[ENC] generating IKE_AUTH response 1 [ IDr
EAP/FAIL ]
Aug 18 16:21:32 radSer charon: 08[NET] sending packet: from
192.168.0.1[500] to 192.168.0.2[500] (156 bytes)
*<Client configuration>*
1) ipsec.conf
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn home
left=192.168.0.2
leftid=strongswan sun
leftauth=eap
leftfirewall=yes
right=192.168.0.1
rightcert=moon.pem
rightid=strongswan moon
rightsubnet=129.254.72.0/24
rightauth=pubkey
auto=add
2) strongswan.conf
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl
revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5
updown
}
3) ipsec.secrets
: RSA sun.key "1p2p3p"
: RSA moon.key "1p2p3p"
: EAP "testing123"
4) ipsec statusall
root at radClient:/usr/local/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-57-generic,
x86_64):
uptime: 27 minutes, since Aug 18 15:57:06 2015
malloc: sbrk 266240, mmap 0, used 160160, free 106080
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce
x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf
updown
Listening IP addresses:
192.168.0.55
192.168.0.2
129.254.73.188
Connections:
home: 192.168.0.2...192.168.0.1 IKEv2
home: local: [strongswan sun] uses EAP authentication
home: remote: [C=KR, ST=Some-State, O=Etri, CN=strongswan moon]
uses public key authentication
home: cert: "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
home: child: dynamic === 129.254.72.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
5) tail -f /var/log/syslog /var/log/auth.log
root at radClient:~# tail -f /var/log/syslog /var/log/auth.log
==> /var/log/syslog <==
Aug 18 16:24:52 radClient charon: 04[ENC] generating IKE_AUTH response 1 [
IDr SA TSi TSr N(AUTH_LFT) ]
Aug 18 16:24:52 radClient charon: 04[NET] sending packet: from
192.168.0.2[500] to 192.168.0.1[500] (188 bytes)
Aug 18 16:24:52 radClient charon: 06[NET] received packet: from
192.168.0.1[500] to 192.168.0.2[500] (76 bytes)
Aug 18 16:24:52 radClient charon: 06[ENC] parsed INFORMATIONAL request 2 [
N(AUTH_FAILED) ]
Aug 18 16:24:52 radClient charon: 06[IKE] received DELETE for IKE_SA home[7]
Aug 18 16:24:52 radClient charon: 06[IKE] deleting IKE_SA home[7] between
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
Aug 18 16:24:52 radClient charon: 06[IKE] IKE_SA deleted
Aug 18 16:24:52 radClient vpn: - C=KR, ST=Some-State, O=Etri, CN=strongswan
moon 129.254.72.0/24 == 192.168.0.1 -- 192.168.0.2
Aug 18 16:24:52 radClient charon: 06[ENC] generating INFORMATIONAL response
2 [ ]
Aug 18 16:24:52 radClient charon: 06[NET] sending packet: from
192.168.0.2[500] to 192.168.0.1[500] (76 bytes)
==> /var/log/auth.log <==
Aug 18 16:17:01 radClient CRON[21944]: pam_unix(cron:session): session
closed for user root
Aug 18 16:22:36 radClient charon: 10[IKE] initiating IKE_SA home[5] to
192.168.0.1
Aug 18 16:22:36 radClient charon: 11[IKE] establishing CHILD_SA home
Aug 18 16:22:45 radClient charon: 05[IKE] initiating IKE_SA home[6] to
192.168.0.1
Aug 18 16:22:45 radClient charon: 07[IKE] establishing CHILD_SA home
Aug 18 16:24:52 radClient charon: 11[IKE] 192.168.0.1 is initiating an
IKE_SA
Aug 18 16:24:52 radClient charon: 04[IKE] IKE_SA home[7] established
between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State,
O=Etri, CN=strongswan moon]
Aug 18 16:24:52 radClient charon: 04[IKE] CHILD_SA home{7} established with
SPIs cf138193_i c6249d33_o and TS 192.168.0.2/32 === 129.254.72.0/24
Aug 18 16:24:52 radClient charon: 06[IKE] deleting IKE_SA home[7] between
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
Aug 18 16:24:52 radClient charon: 06[IKE] IKE_SA deleted
==> /var/log/syslog <==
Aug 18 16:25:06 radClient charon: 15[NET] received packet: from
192.168.0.1[500] to 192.168.0.2[500] (692 bytes)
Aug 18 16:25:06 radClient charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 18 16:25:06 radClient charon: 15[IKE] 192.168.0.1 is initiating an
IKE_SA
==> /var/log/auth.log <==
Aug 18 16:25:06 radClient charon: 15[IKE] 192.168.0.1 is initiating an
IKE_SA
==> /var/log/syslog <==
Aug 18 16:25:06 radClient charon: 15[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 18 16:25:06 radClient charon: 15[NET] sending packet: from
192.168.0.2[500] to 192.168.0.1[500] (440 bytes)
Aug 18 16:25:06 radClient charon: 05[NET] received packet: from
192.168.0.1[500] to 192.168.0.2[500] (556 bytes)
Aug 18 16:25:06 radClient charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 18 16:25:06 radClient charon: 05[CFG] looking for peer configs matching
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
Aug 18 16:25:06 radClient charon: 05[CFG] selected peer config 'home'
Aug 18 16:25:06 radClient charon: 05[CFG] no issuer certificate found for
"C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
Aug 18 16:25:06 radClient charon: 05[CFG] using trusted certificate
"C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
Aug 18 16:25:06 radClient charon: 05[IKE] authentication of 'C=KR,
ST=Some-State, O=Etri, CN=strongswan moon' with RSA signature successful
Aug 18 16:25:06 radClient charon: 05[IKE] IKE_SA home[8] established
between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State,
O=Etri, CN=strongswan moon]
==> /var/log/auth.log <==
Aug 18 16:25:06 radClient charon: 05[IKE] IKE_SA home[8] established
between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State,
O=Etri, CN=strongswan moon]
==> /var/log/syslog <==
Aug 18 16:25:06 radClient charon: 05[IKE] scheduling reauthentication in
3301s
Aug 18 16:25:06 radClient charon: 05[IKE] maximum IKE_SA lifetime 3481s
==> /var/log/auth.log <==
Aug 18 16:25:06 radClient charon: 05[IKE] CHILD_SA home{8} established with
SPIs ced18686_i c80415b6_o and TS 192.168.0.2/32 === 129.254.72.0/24
==> /var/log/syslog <==
Aug 18 16:25:06 radClient charon: 05[IKE] CHILD_SA home{8} established with
SPIs ced18686_i c80415b6_o and TS 192.168.0.2/32 === 129.254.72.0/24
Aug 18 16:25:06 radClient vpn: + C=KR, ST=Some-State, O=Etri, CN=strongswan
moon 129.254.72.0/24 == 192.168.0.1 -- 192.168.0.2
Aug 18 16:25:06 radClient charon: 05[ENC] generating IKE_AUTH response 1 [
IDr SA TSi TSr N(AUTH_LFT) ]
Aug 18 16:25:06 radClient charon: 05[NET] sending packet: from
192.168.0.2[500] to 192.168.0.1[500] (188 bytes)
Aug 18 16:25:06 radClient charon: 12[NET] received packet: from
192.168.0.1[500] to 192.168.0.2[500] (76 bytes)
Aug 18 16:25:06 radClient charon: 12[ENC] parsed INFORMATIONAL request 2 [
N(AUTH_FAILED) ]
Aug 18 16:25:06 radClient charon: 12[IKE] received DELETE for IKE_SA home[8]
Aug 18 16:25:06 radClient charon: 12[IKE] deleting IKE_SA home[8] between
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
==> /var/log/auth.log <==
Aug 18 16:25:06 radClient charon: 12[IKE] deleting IKE_SA home[8] between
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
Aug 18 16:25:06 radClient charon: 12[IKE] IKE_SA deleted
==> /var/log/syslog <==
Aug 18 16:25:06 radClient charon: 12[IKE] IKE_SA deleted
==> /var/log/auth.log <==
==> /var/log/syslog <==
Aug 18 16:25:06 radClient vpn: - C=KR, ST=Some-State, O=Etri, CN=strongswan
moon 129.254.72.0/24 == 192.168.0.1 -- 192.168.0.2
Aug 18 16:25:06 radClient charon: 12[ENC] generating INFORMATIONAL response
2 [ ]
Aug 18 16:25:06 radClient charon: 12[NET] sending packet: from
192.168.0.2[500] to 192.168.0.1[500] (76 bytes)
------------------------------------
Hyun-jin Kim, Master's course
Information Security Laboratory
ChungNam National University
E: be.successor at gmail.com
Tel : +82-10-4410-4292 / +82-42-821-7443
------------------------------------
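A small diagnostic, added here as an example (not part of the original post and not strongSwan code): it compares the plugins named on the charon `load =` line of the posted server strongswan.conf with the `loaded plugins:` line of the posted `ipsec statusall` output, reports any that were requested but not loaded, and picks the `loading EAP_... method failed` lines out of the posted charon log. The sample strings are the post's own values, with the wrapped lines joined back onto single lines; the same functions can be run over the client-side files in the same way.

```python
import re
from typing import Set

# Constructed sample input: the charon section of the server strongswan.conf
# from the post, with the wrapped `load =` directive restored to one line.
SERVER_STRONGSWAN_CONF = """\
charon {
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
}
"""

# Constructed sample input: the `loaded plugins:` line from the posted
# server `ipsec statusall` output, again unwrapped onto one line.
SERVER_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-61-generic, x86_64):
  loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
Listening IP addresses:
"""

# Constructed sample input: two charon lines copied from the posted syslog.
SERVER_LOG = """\
Aug 18 16:21:23 radSer charon: 06[CFG] selected peer config 'rw-eap'
Aug 18 16:21:23 radSer charon: 06[IKE] loading EAP_MD5 method failed
"""

def requested_plugins(strongswan_conf: str) -> Set[str]:
    """Plugin names listed on the charon `load =` directive."""
    m = re.search(r"^\s*load\s*=\s*(.+?)\s*$", strongswan_conf, re.MULTILINE)
    return set(m.group(1).split()) if m else set()

def loaded_plugins(statusall: str) -> Set[str]:
    """Plugin names reported by `ipsec statusall`; 'charon' is the daemon, not a plugin."""
    m = re.search(r"^\s*loaded plugins:\s*(.+?)\s*$", statusall, re.MULTILINE)
    return set(m.group(1).split()) - {"charon"} if m else set()

def missing_plugins(strongswan_conf: str, statusall: str) -> Set[str]:
    """Plugins that were requested in strongswan.conf but did not load."""
    return requested_plugins(strongswan_conf) - loaded_plugins(statusall)

EAP_LOAD_FAIL = re.compile(r"charon: \d+\[IKE\] loading (EAP_\w+) method failed")

def failed_eap_methods(log: str) -> Set[str]:
    """EAP method names charon reported it could not load."""
    return set(EAP_LOAD_FAIL.findall(log))

if __name__ == "__main__":
    print("requested but not loaded:", sorted(missing_plugins(SERVER_STRONGSWAN_CONF, SERVER_STATUSALL)))
    print("EAP methods that failed to load:", sorted(failed_eap_methods(SERVER_LOG)))
```

On the posted server data this reports curl and eap-radius as requested but not loaded, and EAP_MD5 as the method that failed to load; the posted client statusall lacks curl and eap-md5 in the same way.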
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 45182 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150818/160e1303/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 72068 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150818/160e1303/attachment-0003.png>