[strongSwan] EAP-MD5 failed with "inacceptable: constraint checking failed"

yuko ktr k10lie.gm at gmail.com
Wed Oct 14 18:17:36 CEST 2015


Hi,

I succeeded in setting up EAP-MD5.
rightauth=psk

But I modified the SeGW configuration too.

Regards,

On 14 October 2015 at 00:10, yuko ktr <k10lie.gm at gmail.com> wrote:
> Hi, Andreas
>
> Thanks! I see.
> Excuse me, could you confirm my understanding please?
>
> I changed "psk" to "pubkey" based on the configuration introduced on
> the following strongswan site:
> https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-radius/index.html
>> strongSwan KVM Tests / ikev2 / rw-eap-md5-radius
>
> I think strongswan can't handshake with the challenge from Freeradius.
>> Oct 13 23:51:46 test charon: 04[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
> In freeradius, md5 for eap is set as default on HOME$raddb/mods-available/eap
> eap {
>         #  Invoke the default supported EAP type when
>         #  EAP-Identity response is received.
> (snip)
>         #  If the EAP-Type attribute is set by another module,
>         #  then that EAP type takes precedence over the
>         #  default type configured here.
>         #
>         default_eap_type = md5
>
> And I changed the following (filter_username) so as not to follow the NAI.
> HOME$raddb/sites-available/default
> authorize {
>         #
>         #  Take a User-Name, and perform some checks on it, for spaces and other
>         #  invalid characters.  If the User-Name appears invalid, reject the
>         #  request.
>         #
>         #  See policy.d/filter for the definition of the filter_username policy.
>         #
>         #filter_username
>
> Could you check the ipsec.conf attached at the end of this mail please?
>
> root at test:/usr/local/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.19.0-25-generic, x86_64):
>   uptime: 4 minutes, since Oct 13 23:51:44 2015
>   malloc: sbrk 1486848, mmap 0, used 350768, free 1136080
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 rdrand
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
> pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac sqlite attr
> kernel-netlink resolve socket-default stroke updown eap-identity
> eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
> eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls
> eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam
> xauth-noauth tnc-tnccs
>
> root at test:/usr/local/etc# dpkg -l | grep md5
> ii  strongswan-plugin-eap-md5           5.1.2-0ubuntu2.3   amd64        strongSwan plugin for EAP-MD5 protocol handler
>
> (13) Received Access-Request Id 73 from 192.168.1.2:64384 to
> 192.168.1.10:1812 length 131
> (13)   User-Name = "test at xxx"
> (13)   User-Password = "tester"
> (13)   Acct-Session-Id = "11.33.116.1-9.17.196.10:500-1444747899"
> (13)   EAP-Message = 0x0200001201796b61746f72693140616c756a
> (13)   Message-Authenticator = 0xe65b01b08a963b82c76ad40653c90e74
> (13) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (13)   authorize {
> (13)     [preprocess] = ok
>
> (snip)
>
> (13) Sent Access-Challenge Id 73 from 192.168.1.10:1812 to
> 192.168.1.2:64384 length 0
> (13)   EAP-Message = 0x0101001604108fd3419ff7ab9e57c4b681a6c38e898d
> (13)   Message-Authenticator = 0x00000000000000000000000000000000
> (13)   State = 0x7654e5577655e11a3fb34d4297110fbd
> (13) Finished request
> Waking up in 4.9 seconds.
> (13) Cleaning up request packet ID 73 with timestamp +81342
> Ready to process requests
>
> Oct 13 23:51:46 test charon: 04[IKE] authentication of '11.33.116.1'
> with pre-shared key successful
> Oct 13 23:51:46 test charon: 04[CFG] constraint requires public key
> authentication, but pre-shared key was used
> Oct 13 23:51:46 test charon: 04[CFG] selected peer config
> 'eap-md5-rsa' inacceptable: constraint checking failed
> Oct 13 23:51:46 test charon: 04[CFG] no alternative config found
> Oct 13 23:51:46 test charon: 04[ENC] generating INFORMATIONAL request
> 2 [ N(AUTH_FAILED) ]
> Oct 13 23:51:46 test charon: 04[NET] sending packet: from
> 9.17.196.10[500] to 11.33.116.1[500] (76 bytes)
> Oct 13 23:51:46 test charon: 04[IKE] IKE_SA eap-md5-rsa[1] state
> change: CONNECTING => DESTROYING
>
> conn %default
>         ikelifetime=180m
>         keylife=90m
>         keyexchange=ikev2
>         ike=aes128-sha1-modp1024
>         esp=aes128-sha1
>         mobike = no
>         reauth = no
>
> conn eap-md5-rsa
>         left=9.17.196.10
>         leftsourceip=%config
>         leftid=test at xxx
>         leftauth=eap
>         right=11.33.116.1
>         rightsubnet=3.1.1.1/32
>         rightid=CA6 <<< this is
>         rightauth=pubkey
>         auto=add
>
> Any comment would be really appreciated.
>
> Regards,
>
> Yuko
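Added example, not from this thread and not strongSwan's own code: a small Python checker that reads a conn section like the one quoted above together with the charon lines quoted above, pairs the "constraint requires ... but ... was used" line with the peer address from the preceding "authentication of" line, and names the ipsec.conf setting (here rightauth) that disagrees with what the peer actually did. The conn section and the log lines embedded in it are constructed from the text of the mail; the helper names (parse_conns, find_constraint_failure, diagnose) are mine.

```python
"""Match a strongSwan "constraint checking failed" log line against the
conn section it names and report which leftauth/rightauth setting
disagrees with the authentication method the peer actually used.

Added example; not part of the thread or of strongSwan.  The conn
section and log lines below are constructed from the mail's text, and
every helper name here is my own.
"""
import re

# Constructed sample: the conn section posted in the thread (trimmed).
IPSEC_CONF = """\
conn %default
        keyexchange=ikev2
        mobike=no

conn eap-md5-rsa
        left=9.17.196.10
        leftid=test@xxx
        leftauth=eap
        right=11.33.116.1
        rightsubnet=3.1.1.1/32
        rightid=CA6
        rightauth=pubkey
        auto=add
"""

# Constructed sample: the three charon lines that explain the failure.
CHARON_LOG = """\
Oct 13 23:51:46 test charon: 04[IKE] authentication of '11.33.116.1' with pre-shared key successful
Oct 13 23:51:46 test charon: 04[CFG] constraint requires public key authentication, but pre-shared key was used
Oct 13 23:51:46 test charon: 04[CFG] selected peer config 'eap-md5-rsa' inacceptable: constraint checking failed
"""

# How charon names an auth method in its log -> the ipsec.conf keyword.
LOG_TO_KEYWORD = {
    "pre-shared key": "psk",
    "public key": "pubkey",
    "EAP": "eap",
}


def parse_conns(text):
    """Parse ipsec.conf conn sections into {name: {key: value}}, folding
    'conn %default' into every other conn the way starter does."""
    conns = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = re.match(r"^\s+(\w+)\s*=\s*(.*?)\s*$", line)
        if m and current is not None:
            conns[current][m.group(1)] = m.group(2)
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def find_constraint_failure(log):
    """Return (conn, required, used, peer) for a constraint failure in the
    log, or None.  'required' and 'used' are ipsec.conf keywords."""
    conn = required = used = peer = None
    for line in log.splitlines():
        m = re.search(r"authentication of '([^']+)' with .+? successful", line)
        if m:
            peer = m.group(1)
        m = re.search(r"constraint requires (.+?) authentication, but (.+?) was used", line)
        if m:
            required = LOG_TO_KEYWORD.get(m.group(1), m.group(1))
            used = LOG_TO_KEYWORD.get(m.group(2), m.group(2))
        m = re.search(r"selected peer config '([^']+)' inacceptable: constraint checking failed", line)
        if m:
            conn = m.group(1)
    if conn and required and used:
        return conn, required, used, peer
    return None


def diagnose(conf_text, log):
    """Name the leftauth/rightauth setting the peer failed to satisfy and
    the value that would match what the peer actually did."""
    found = find_constraint_failure(log)
    if found is None:
        return None
    conn, required, used, peer = found
    opts = parse_conns(conf_text).get(conn, {})
    # 'left' is the local side in ipsec.conf, so the peer's address tells
    # us which *auth keyword the failed constraint came from.
    if peer is not None and opts.get("right") == peer:
        side = "right"
    elif peer is not None and opts.get("left") == peer:
        side = "left"
    else:
        side = None
    key = side + "auth" if side else None
    return {
        "conn": conn,
        "peer": peer,
        "setting": key,
        "configured": opts.get(key) if key else required,
        "peer_used": used,
        "suggestion": f"{key}={used}" if key else None,
    }


if __name__ == "__main__":
    print(diagnose(IPSEC_CONF, CHARON_LOG))
```

On the sample above the checker reports setting rightauth, configured pubkey, peer_used psk and suggests rightauth=psk, which is the change the poster reports at the top of this mail. That makes the config agree with the peer, but it also gives up the certificate-based authentication of that side which the strongSwan test this config was copied from uses; if the peer can present a certificate, keeping rightauth=pubkey and fixing the peer is the stronger of the two options.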

