[strongSwan] EAP-MD5 failed with "inacceptable: constraint checking failed"
yuko ktr
k10lie.gm at gmail.com
Tue Oct 13 17:10:45 CEST 2015
Hi Andreas,
Thanks! I see.
Excuse me, could you please confirm my understanding?
I changed "psk" to "pubkey" based on the configuration introduced on
the following strongSwan site:
https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-radius/index.html
> strongSwan KVM Tests / ikev2 / rw-eap-md5-radius
I think strongSwan can't complete the handshake with the challenge from FreeRADIUS.
> Oct 13 23:51:46 test charon: 04[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
In FreeRADIUS, md5 is set as the default EAP type in HOME$raddb/mods-available/eap:
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
(snip)
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = md5
And I changed the following (filter_username) so as not to follow the NAI:
HOME$raddb/sites-available/default
authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
#filter_username
Could you please check the ipsec.conf attached at the end of this mail?
root at test:/usr/local/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.19.0-25-generic, x86_64):
uptime: 4 minutes, since Oct 13 23:51:44 2015
malloc: sbrk 1486848, mmap 0, used 350768, free 1136080
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 rdrand
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac sqlite attr
kernel-netlink resolve socket-default stroke updown eap-identity
eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls
eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam
xauth-noauth tnc-tnccs
root at test:/usr/local/etc# dpkg -l | grep md5
ii strongswan-plugin-eap-md5 5.1.2-0ubuntu2.3
amd64 strongSwan plugin for EAP-MD5 protocol handler
(13) Received Access-Request Id 73 from 192.168.1.2:64384 to 192.168.1.10:1812 length 131
(13)   User-Name = "test@xxx"
(13)   User-Password = "tester"
(13)   Acct-Session-Id = "11.33.116.1-9.17.196.10:500-1444747899"
(13)   EAP-Message = 0x0200001201796b61746f72693140616c756a
(13)   Message-Authenticator = 0xe65b01b08a963b82c76ad40653c90e74
(13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(13)   authorize {
(13)     [preprocess] = ok
(snip)
(13) Sent Access-Challenge Id 73 from 192.168.1.10:1812 to 192.168.1.2:64384 length 0
(13)   EAP-Message = 0x0101001604108fd3419ff7ab9e57c4b681a6c38e898d
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0x7654e5577655e11a3fb34d4297110fbd
(13) Finished request
Waking up in 4.9 seconds.
(13) Cleaning up request packet ID 73 with timestamp +81342
Ready to process requests
Oct 13 23:51:46 test charon: 04[IKE] authentication of '11.33.116.1' with pre-shared key successful
Oct 13 23:51:46 test charon: 04[CFG] constraint requires public key authentication, but pre-shared key was used
Oct 13 23:51:46 test charon: 04[CFG] selected peer config 'eap-md5-rsa' inacceptable: constraint checking failed
Oct 13 23:51:46 test charon: 04[CFG] no alternative config found
Oct 13 23:51:46 test charon: 04[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 13 23:51:46 test charon: 04[NET] sending packet: from 9.17.196.10[500] to 11.33.116.1[500] (76 bytes)
Oct 13 23:51:46 test charon: 04[IKE] IKE_SA eap-md5-rsa[1] state change: CONNECTING => DESTROYING
conn %default
    ikelifetime=180m
    keylife=90m
    keyexchange=ikev2
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    mobike=no
    reauth=no

conn eap-md5-rsa
    left=9.17.196.10
    leftsourceip=%config
    leftid=test@xxx
    leftauth=eap
    right=11.33.116.1
    rightsubnet=3.1.1.1/32
    rightid=CA6        <<< this is
    rightauth=pubkey
    auto=add
Any comment would be really appreciated.
Regards,
Yuko
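As an added example (not from the mail above, and not the strongSwan test suite's own configuration): the charon log reports "constraint requires public key authentication, but pre-shared key was used", which means the peer at 11.33.116.1 proved itself with a PSK while the posted conn demands rightauth=pubkey from it. The constraint itself is the right one for an EAP client, since IKEv2 (RFC 7296 section 2.16) has the responder authenticate with a signature when the initiator uses EAP; it is the responder that has to change, not the client. The pair below shows a gateway and a client whose settings agree: the gateway authenticates with a certificate and hands the client's EAP-MD5 to FreeRADIUS through eap-radius, and the client keeps rightauth=pubkey with a rightid naming the identity in the gateway certificate rather than the CA. The hostname gw.example.org, the file name gwCert.pem and the RADIUS server details are assumptions made for this example.

```conf
# Added example configuration, not the poster's and not from the strongSwan
# test suite. Identities, certificate names and addresses other than those
# already in the mail are assumptions.

# --- gateway / responder (11.33.116.1), /etc/ipsec.conf ---
conn rw-eap-md5
    left=11.33.116.1
    leftsubnet=3.1.1.1/32
    leftid=@gw.example.org        # must match the subject or SAN in gwCert.pem
    leftcert=gwCert.pem
    leftauth=pubkey               # responder signs its AUTH with the certificate
    right=%any
    rightsendcert=never
    rightauth=eap-radius          # client's EAP-MD5 is relayed to FreeRADIUS
    auto=add

# --- gateway, /etc/strongswan.conf (eap-radius plugin settings; assumed values) ---
# charon {
#     plugins {
#         eap-radius {
#             server = 192.168.1.10
#             secret = <shared secret from raddb/clients.conf>
#         }
#     }
# }

# --- client / initiator (9.17.196.10), replacing the posted conn ---
conn eap-md5-rsa
    left=9.17.196.10
    leftsourceip=%config
    leftid=test@xxx
    leftauth=eap                  # we authenticate with EAP (EAP-MD5 via RADIUS)
    right=11.33.116.1
    rightsubnet=3.1.1.1/32
    rightid=@gw.example.org       # the gateway certificate's identity, not "CA6"
    rightauth=pubkey              # constraint: the gateway must use a certificate
    auto=add
```

For this to pass constraint checking the client also needs the CA certificate that issued gwCert.pem in /etc/ipsec.d/cacerts, and the gateway needs its own key in ipsec.secrets and the RADIUS shared secret that matches the client entry in FreeRADIUS's clients.conf. Changing the client's rightauth to psk would make the constraint agree with what the peer actually did in the log, but then nothing proves to the client that it is talking to the real gateway before it sends its EAP-MD5 response, which is the situation the pubkey constraint exists to prevent.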
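A second added example, again not the poster's code and not strongSwan or FreeRADIUS code: the EAP-MD5 exchange that FreeRADIUS started in the debug output above, worked through in Python. It parses the Access-Challenge EAP-Message from the mail (EAP Request, identifier 1, type 4, a 16-byte challenge), builds the response the client would return using the User-Password "tester" shown in the same output, checks it the way the RADIUS server does, and then shows why such an exchange must only happen with a gateway that has already proven its identity: whoever holds one challenge/response pair can guess the password offline at MD5 speed. The Identity response and the wordlist are constructed for the example.

```python
# EAP-MD5 (RFC 3748 section 5.4) request/response walk-through.
# Added example for this thread: not the poster's code and not strongSwan or
# FreeRADIUS code. CHALLENGE_REQUEST and PASSWORD come from the FreeRADIUS
# debug output in the mail; IDENTITY_RESPONSE and the wordlist are constructed.
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4

# Access-Challenge EAP-Message of request (13) in the mail's FreeRADIUS output.
CHALLENGE_REQUEST = bytes.fromhex("0101001604108fd3419ff7ab9e57c4b681a6c38e898d")
PASSWORD = b"tester"  # the User-Password attribute shown in the same output
# Constructed for this example: an EAP Identity Response carrying "test@xxx".
IDENTITY_RESPONSE = bytes.fromhex("0200000d017465737440787878")


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type
    data: bytes              # type-specific payload after the Type octet


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting a Length field that disagrees with the wire."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes received")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def md5_value(pkt: EapPacket) -> bytes:
    """Value field of an MD5-Challenge packet: the challenge (Request) or hash (Response)."""
    if pkt.eap_type != EAP_TYPE_MD5_CHALLENGE or not pkt.data:
        raise ValueError("not an MD5-Challenge packet")
    size = pkt.data[0]                # Value-Size octet precedes the Value
    value = pkt.data[1:1 + size]
    if len(value) != size:
        raise ValueError("Value-Size runs past the end of the packet")
    return value


def md5_response_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style proof used by EAP-MD5: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_response(request: bytes, secret: bytes, name: bytes = b"") -> bytes:
    """What the EAP peer (the strongSwan client here) answers to an MD5-Challenge."""
    req = parse_eap(request)
    if req.code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    value = md5_response_hash(req.identifier, secret, md5_value(req))
    data = bytes([len(value)]) + value + name   # Value-Size, Value, optional Name
    length = 5 + len(data)                      # Code, Id, Length(2), Type + data
    return (bytes([EAP_RESPONSE, req.identifier]) + length.to_bytes(2, "big")
            + bytes([EAP_TYPE_MD5_CHALLENGE]) + data)


def verify_md5_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """What the RADIUS server does: recompute the hash from its copy of the secret."""
    req, resp = parse_eap(request), parse_eap(response)
    if req.code != EAP_REQUEST or resp.code != EAP_RESPONSE:
        return False
    if req.identifier != resp.identifier:     # response must answer this request
        return False
    expected = md5_response_hash(req.identifier, secret, md5_value(req))
    return md5_value(resp) == expected


def recover_password(request: bytes, response: bytes,
                     wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on a captured challenge/response pair.

    An attacker who can pose as the gateway (which is what an unauthenticated
    responder allows) collects one exchange and tries guesses at MD5 speed.
    """
    for guess in wordlist:
        if verify_md5_response(request, response, guess):
            return guess
    return None


if __name__ == "__main__":
    req = parse_eap(CHALLENGE_REQUEST)
    print(f"Request id={req.identifier} type={req.eap_type} challenge={md5_value(req).hex()}")
    resp = build_md5_response(CHALLENGE_REQUEST, PASSWORD)
    print("Response EAP-Message =", resp.hex())
    print("server verifies:", verify_md5_response(CHALLENGE_REQUEST, resp, PASSWORD))
    print("recovered:", recover_password(CHALLENGE_REQUEST, resp, [b"password", b"tester"]))
```

The length check in parse_eap is deliberate: an EAP-Message whose Length disagrees with the bytes actually carried is how an EAP implementation gets walked off the end of a buffer, so it is refused before any Type-specific parsing runs.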