[strongSwan] Cannot get eap-radius working on Strongswan 5

Milen Pankov mail at milen.pankov.eu
Fri Feb 20 14:46:36 CET 2015


Hi,

I have a working strongswan 4.4.1 setup with ikev2 and eap-radius which
I am trying to replicate on strongswan 5.2.0 without success.

My configuration is as follows:

ipsec.conf:

conn ipsec-ikev2
        type=tunnel
        keyexchange=ikev2
        left=left_ip_address
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=left_cert.crt
        right=%any
        rightsourceip=10.1.0.0/23
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%any
        auto=add

strongswan.conf:

charon {
        load_modular = yes
        plugins {
                eap-radius {
                        accounting = yes
                        load = yes
                        servers {
                                server-a {
                                        address = the_radius_ip_address
                                        port = 1818
                                        secret = the_shared_secret
                                        nas_identifier = strongSwan
                                }
                        }
                }
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

I have compiled strongswan with --enable-eap-radius and the eap-radius
module gets loaded on strongswan startup. However, authentication on the
client fails, and running the radius server in debug mode shows that
strongswan doesn't even contact the radius server. Trying to
authenticate to the radius server from the same machine with radtest
works fine. The same configuration works fine with strongswan 4.4.1. I
am probably missing something new in version 5, but I cannot figure out
what. I think I have implemented everything the Wiki suggests. Any help
would be appreciated. This is the strongswan log for reference:

Feb 20 06:42:45 server1 charon: 02[NET] received packet: from 1.2.3.4[1024] to 5.6.7.8[500] (528 bytes)
Feb 20 06:42:45 server1 charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 20 06:42:45 server1 charon: 02[IKE] 1.2.3.4 is initiating an IKE_SA
Feb 20 06:42:45 server1 charon: 02[IKE] remote host is behind NAT
Feb 20 06:42:45 server1 charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 20 06:42:45 server1 charon: 02[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[1024] (308 bytes)
Feb 20 06:42:46 server1 charon: 07[NET] received packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (1028 bytes)
Feb 20 06:42:46 server1 charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 20 06:42:46 server1 charon: 07[IKE] received cert request for "C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=My CA, E=support at server1"
Feb 20 06:42:46 server1 charon: 07[IKE] received 34 cert requests for an unknown ca
Feb 20 06:42:46 server1 charon: 07[CFG] looking for peer configs matching 5.6.7.8[%any]...1.2.3.4[192.168.122.54]
Feb 20 06:42:46 server1 charon: 07[CFG] selected peer config 'ipsec-ikev2'
Feb 20 06:42:46 server1 charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 20 06:42:46 server1 charon: 07[IKE] peer supports MOBIKE
Feb 20 06:42:46 server1 charon: 07[IKE] authentication of 'C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com, E=support at server1' (myself) with RSA signature successful
Feb 20 06:42:46 server1 charon: 07[IKE] sending end entity cert "C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com, E=support at server1"
Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 06:42:46 server1 charon: 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
Feb 20 06:43:15 server1 charon: 08[JOB] deleting half open IKE_SA after timeout


Regards,
Milen
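Added example, not part of the original post and not code from the strongSwan project: a small Python script that parses a charon syslog excerpt like the one above and reports how far the IKEv2/EAP exchange got before the half-open SA was dropped. It assumes charon's usual `<thread>[<SUBSYSTEM>] message` line format behind the syslog prefix, treats any log line mentioning `RADIUS` as evidence that the eap-radius plugin actually ran (an assumption about charon's wording, not something the post shows), and relies on the IKEv2 EAP flow in which the responder's EAP Identity request (`EAP/REQ/ID`) must be answered by the peer before a further EAP method such as eap-radius is started. The sample log is constructed from the post's lines with the wrapped entries rejoined.

```python
"""Summarise a charon (strongSwan) syslog excerpt to see where an IKEv2/EAP
exchange stalled. Added diagnostic example; the sample log is constructed."""
import re

# syslog prefix followed by charon's "<thread>[<SUBSYSTEM>] <message>"
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ charon: '
    r'(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$'
)
# "parsed IKE_AUTH request 1 [ ... ]" / "generating IKE_AUTH response 1 [ ... ]"
EXCH_RE = re.compile(
    r'^(?P<dir>parsed|generating) (?P<exch>\w+) (?P<kind>request|response) '
    r'(?P<mid>\d+) \[ (?P<payloads>.*) \]$'
)
# one payload token, keeping parenthesised detail such as CPRQ(ADDR DNS ...) together
PAYLOAD_RE = re.compile(r'[A-Za-z0-9_/]+(?:\([^)]*\))?')

# Constructed sample: the post's exchange with wrapped lines rejoined.
SAMPLE_LOG = """\
Feb 20 06:42:45 server1 charon: 02[NET] received packet: from 1.2.3.4[1024] to 5.6.7.8[500] (528 bytes)
Feb 20 06:42:45 server1 charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 20 06:42:45 server1 charon: 02[IKE] 1.2.3.4 is initiating an IKE_SA
Feb 20 06:42:45 server1 charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 20 06:42:46 server1 charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 20 06:42:46 server1 charon: 07[CFG] selected peer config 'ipsec-ikev2'
Feb 20 06:42:46 server1 charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 06:43:15 server1 charon: 08[JOB] deleting half open IKE_SA after timeout
"""


def parse_charon_log(text):
    """Return (timestamp, thread, subsystem, message) tuples; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append((m['ts'], m['thread'], m['sub'], m['msg']))
    return entries


def summarize_exchange(entries):
    """Collect what was sent and received and whether the EAP phase reached RADIUS."""
    summary = {
        'exchanges': [],          # (direction, exchange, kind, message id, payloads)
        'eap_methods': [],        # EAP methods charon started, in order
        'radius_messages': 0,     # lines mentioning RADIUS (assumed marker for eap-radius)
        'timed_out': False,       # half-open IKE_SA deleted after timeout
        'last_sent_payloads': None,
        'peer_eap_response': False,  # any EAP/RES payload parsed from the peer
    }
    for _ts, _thread, _sub, msg in entries:
        e = EXCH_RE.match(msg)
        if e:
            payloads = PAYLOAD_RE.findall(e['payloads'])
            summary['exchanges'].append(
                (e['dir'], e['exch'], e['kind'], int(e['mid']), payloads))
            if e['dir'] == 'generating':
                summary['last_sent_payloads'] = payloads
            elif any(p.startswith('EAP/RES') for p in payloads):
                summary['peer_eap_response'] = True
        elif msg.startswith('initiating ') and ' method' in msg:
            summary['eap_methods'].append(msg.split()[1])
        elif 'RADIUS' in msg:
            summary['radius_messages'] += 1
        elif 'deleting half open IKE_SA after timeout' in msg:
            summary['timed_out'] = True
    return summary


def diagnose(summary):
    """Reduce the summary to a short verdict about where the handshake stopped."""
    if summary['radius_messages']:
        return 'radius-contacted'
    if summary['timed_out'] and not summary['peer_eap_response']:
        if 'EAP/REQ/ID' in (summary['last_sent_payloads'] or []):
            # Identity request went out, no EAP response came back: eap-radius
            # was never started, so the RADIUS server was never consulted.
            return 'stalled-after-eap-identity-request'
        return 'stalled-before-eap'
    if summary['timed_out']:
        return 'stalled-after-eap-response'
    return 'no-timeout-observed'


if __name__ == '__main__':
    s = summarize_exchange(parse_charon_log(SAMPLE_LOG))
    print('EAP methods started:', s['eap_methods'])
    print('last payloads sent :', s['last_sent_payloads'])
    print('verdict            :', diagnose(s))
```

On the post's excerpt the verdict is `stalled-after-eap-identity-request`: the last payload list charon sent was `IDr CERT AUTH EAP/REQ/ID`, no `EAP/RES` payload was ever parsed, and the SA timed out 29 seconds later. That is consistent with the radius server seeing nothing, since the eap-radius method only starts once the peer's identity response arrives; the next thing to look at is therefore why the client never answered that IKE_AUTH response, rather than the RADIUS settings themselves.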

