[strongSwan] I have some questions about strongswan configuration.

Noel Kuntze noel at familie-kuntze.de
Tue Aug 18 21:41:19 CEST 2015


Hello,

> *<Server configuration>*
>
> 1) ipsec.conf
> [...]
> conn rw-eap
>     rightauth=eap-md5
> [...]

That tells strongSwan to try to authenticate the other side using eap-md5.
This doesn't make sense, if you want to delegate the eap authentication
to a RADIUS server. You need to set that value to eap-radius.

Judging from your diagram and the configs, you want to authenticate the server
to the client using a certificate and delegate the EAP authentication,
which happens after the certificate authentication, to a RADIUS server?

In that case, strongSwan only relays the EAP messages in the IKE exchange to
the RADIUS server and does not do any EAP exchanges with the client.
Therefore you need to tell it to use the eap-radius plugin for authenticating the client.
If you had followed the configuration file[1] for moon correctly, you would have seen that:

> [...]
> conn rw-eap
>     rightauth=eap-radius
> [...]

Also, the auth.log file on the server tells you the problem:

> Aug 18 16:21:23 radSer charon: 06[CFG] selected peer config 'rw-eap'
> Aug 18 16:21:23 radSer charon: 06[IKE] loading EAP_MD5 method failed
> Aug 18 16:21:23 radSer charon: 06[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]




[1] https://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-radius/moon.ipsec.conf

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
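
The diagnosis in the message above, as an added example that is not part of the original e-mail or strongSwan's own code: it pairs each `loading EAP_... method failed` line with the peer config selected on the same charon thread, then checks whether that conn's `rightauth` names the method that failed to load. The sample config and all function names are constructed for illustration; the log lines are the ones quoted in the message.

```python
import re

# Constructed sample input, modelled on the snippets quoted in the message.
SAMPLE_CONF = "conn rw-eap\n    rightauth=eap-md5\n"
SAMPLE_LOG = """\
Aug 18 16:21:23 radSer charon: 06[CFG] selected peer config 'rw-eap'
Aug 18 16:21:23 radSer charon: 06[IKE] loading EAP_MD5 method failed
Aug 18 16:21:23 radSer charon: 06[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
"""

# Matches the syslog layout shown in the message: "charon: <thread>[<subsystem>] <text>"
CHARON = re.compile(r"charon: (\d+)\[\w+\] (.*)")

def parse_conns(conf_text):
    """Map conn name -> {key: value}. 'also=' and 'conn %default' are not resolved."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[:1] == ["conn"] and len(parts) > 1 else None
        elif current is not None and "=" in line: # indented key=value inside a conn
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def eap_load_failures(log_text):
    """Return (conn, method) pairs for every EAP method charon failed to load."""
    selected, failures = {}, []
    for m in CHARON.finditer(log_text):
        thread, msg = m.groups()
        sel = re.match(r"selected peer config '([^']+)'", msg)
        fail = re.match(r"loading (EAP_\w+) method failed", msg)
        if sel:
            selected[thread] = sel.group(1)       # remember config per worker thread
        elif fail:                                # EAP_MD5 -> eap-md5, as written in rightauth
            failures.append((selected.get(thread), fail.group(1).lower().replace("_", "-")))
    return failures

def diagnose(conf_text, log_text):
    """Conns whose rightauth asks for an EAP method that failed to load locally."""
    conns = parse_conns(conf_text)
    return [(conn, method) for conn, method in eap_load_failures(log_text)
            if conns.get(conn, {}).get("rightauth") == method]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG))
```

A non-empty result means the gateway was asked to run that EAP method itself; for the RADIUS-delegated setup discussed in the message the conn should carry `rightauth=eap-radius` instead.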
