[strongSwan] EAP-Radius setup not getting routes or passing traffic

C Babcock qoyagoogs at gmail.com
Mon Dec 5 05:23:27 CET 2016


Hi,

I'm setting up an IKEv2 road warrior setup with OpenWRT as clients.  I'm
using public key for server auth and radius for client auth and IP address
assignment.  I have a Phase 1 and 2 up.  I have the address I assigned to
the client router via the FRAMED-IP-ADDRESS attribute; however, I can't pass
traffic to the server from the client and vice versa.  Not sure what I'm
missing.  Here's my config:

Server(moon):

ipsec.conf

config setup
        charondebug="cfg 3, dmn 2, ike 4, net 3, enc 1, lib 2, knl 2"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn rw-eap
        esp=aes128-sha256!
        ike=aes128-sha256-modp2048!
        left=172.30.5.161
        leftsubnet=172.21.0.0/23
        leftsourceip=172.21.0.
        leftid=@moon
        leftcert=/etc/ipsec.d/public/peer.der
        leftauth=pubkey
        leftfirewall=yes
        rightid=*@qoya.io
        rightauth=eap-radius
        rightsourceip=%radius
        rightsendcert=never
        eap_identity=%any
        right=%any
        rightsubnet=%any
        auto=add

ip xfrm state
src 172.30.5.161 dst 24.11.199.101
        proto esp spi 0xc8d182d4 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x6e45c28b474140886e3ec6ad4834e0530338ea1ed768a450a8553bb06a939a1c 128
        enc cbc(aes) 0xcc66ca5ccc2f07da68ab1b690dc39849
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 24.11.199.101 dst 172.30.5.161
        proto esp spi 0xc74c6aa8 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xb130cdaa1f5a15a7564621d1b7aa4ff7a887c092ca73da8db060c4d683867a12 128
        enc cbc(aes) 0x17fd4e0567a9de2811a946ecdd2dace3
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

ip xfrm policy
src 0.0.0.0/32 dst 172.21.0.0/23
        dir fwd priority 2855 ptype main
        tmpl src 24.11.199.101 dst 172.30.5.161
                proto esp reqid 2 mode tunnel
src 0.0.0.0/32 dst 172.21.0.0/23
        dir in priority 2855 ptype main
        tmpl src 24.11.199.101 dst 172.30.5.161
                proto esp reqid 2 mode tunnel
src 172.21.0.0/23 dst 0.0.0.0/32
        dir out priority 2855 ptype main
        tmpl src 172.30.5.161 dst 24.11.199.101
                proto esp reqid 2 mode tunnel

ip route show table 220
0.0.0.0 via 172.30.5.1 dev eth0  proto static  src 172.21.0.2

PING 172.21.0.26 (172.21.0.26) 56(84) bytes of data.
From 172.21.0.2 icmp_seq=1 Destination Host Unreachable
From 172.21.0.2 icmp_seq=2 Destination Host Unreachable
From 172.21.0.2 icmp_seq=3 Destination Host Unreachable
^C
--- 172.21.0.26 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3065ms

PING 172.21.0.2 (172.21.0.2) 56(84) bytes of data.
64 bytes from 172.21.0.2: icmp_seq=1 ttl=64 time=0.022 ms
^C

Client(carol):

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn AWS-EAST-NAT1-IKE2-TUN
        esp=aes128-sha256!
        ike=aes128-sha256-modp2048!
        left=%any
        leftsubnet=%any
        leftid=carol@test.io
        eap_identity=carol
        leftauth=eap
        leftsourceip=%config4
        leftfirewall=yes
        right=54.209.117.209
        rightid=@AwsEastNat1.qoya.io
        rightcert=/etc/ipsec.d/certs/peerCert.der
        rightrsasigkey=/etc/ipsec.d/public/peerKey.der
        rightsubnet=172.21.0.0/23
        #rightsourceip=%config
        rightauth=pubkey
        auto=start

root@Need-Config:/etc# ip xfrm state
src 10.100.0.116 dst 54.209.117.209
        proto esp spi 0xc757dc0a reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha256) 0x001ea2c1a506deb3f4b59c5f4e2f2a1acb118ae717d3ecbb1fccb86633cd1e3a 128
        enc cbc(aes) 0x19728a8358b8ddd57d0bef53ce777c2e
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 54.209.117.209 dst 10.100.0.116
        proto esp spi 0xc37bd7ca reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x62bf6b3df7b454b3c0552d8f82dbc779c576848369528783fb564a57cec064ba 128
        enc cbc(aes) 0x3918a72567cfb59bca059472bd4f77a6
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

root@Need-Config:/etc# ip xfrm policy
src 172.21.0.0/23 dst 0.0.0.0/32
        dir fwd priority 185920
        tmpl src 54.209.117.209 dst 10.100.0.116
                proto esp reqid 1 mode tunnel
src 172.21.0.0/23 dst 0.0.0.0/32
        dir in priority 185920
        tmpl src 54.209.117.209 dst 10.100.0.116
                proto esp reqid 1 mode tunnel
src 0.0.0.0/32 dst 172.21.0.0/23
        dir out priority 185920
        tmpl src 10.100.0.116 dst 54.209.117.209
                proto esp reqid 1 mode tunnel

root@Need-Config:/etc# ip route show table 220
root@Need-Config:/etc#

root@Need-Config:/etc# ip addr | grep 172.21
    inet 172.21.0.26/32 scope global eth0.2    <--------------- Note: IP is radius assigned from FRAMED-IP-ADDRESS
root@Need-Config:/etc#

root@Need-Config:/etc# ping 172.21.0.2
PING 172.21.0.2 (172.21.0.2): 56 data bytes
^C
--- 172.21.0.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@Need-Config:/etc# ping 172.21.0.26
PING 172.21.0.26 (172.21.0.26): 56 data bytes
64 bytes from 172.21.0.26: seq=0 ttl=64 time=0.360 ms
64 bytes from 172.21.0.26: seq=1 ttl=64 time=0.320 ms
^C
--- 172.21.0.26 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.320/0.340/0.360 ms


Any thoughts?  Thanks!

Chris
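A check worth running on any road-warrior setup that gets an address but passes no traffic is whether the installed SPD entries (the `ip xfrm policy` output) actually cover the assigned virtual IP. A packet whose addresses fall outside every selector is never handed to IPsec at all. The script below is an added example, not part of the post above and not strongSwan's own tooling; the function names parse_xfrm_policy, match_policy and uncovered_directions are my own, and the sample input is the client-side `ip xfrm policy` listing from the post, transcribed as a constant so the script runs offline.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Client-side "ip xfrm policy" output as shown in the post, transcribed here
# as a constructed sample so the script runs offline.
CLIENT_XFRM_POLICY = """\
src 172.21.0.0/23 dst 0.0.0.0/32
        dir fwd priority 185920
        tmpl src 54.209.117.209 dst 10.100.0.116
                proto esp reqid 1 mode tunnel
src 172.21.0.0/23 dst 0.0.0.0/32
        dir in priority 185920
        tmpl src 54.209.117.209 dst 10.100.0.116
                proto esp reqid 1 mode tunnel
src 0.0.0.0/32 dst 172.21.0.0/23
        dir out priority 185920
        tmpl src 10.100.0.116 dst 54.209.117.209
                proto esp reqid 1 mode tunnel
"""


@dataclass
class XfrmPolicy:
    """One SPD entry: traffic selectors plus the template it points to."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    priority: int = 0
    tmpl_src: Optional[str] = None
    tmpl_dst: Optional[str] = None
    reqid: Optional[int] = None


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Parse the text form of `ip xfrm policy` into XfrmPolicy records."""
    policies: List[XfrmPolicy] = []
    current: Optional[XfrmPolicy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:  # a new policy starts with its selector pair
            current = XfrmPolicy(
                ipaddress.ip_network(m.group(1), strict=False),
                ipaddress.ip_network(m.group(2), strict=False),
            )
            policies.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^dir (\S+) priority (\d+)", line)
        if m:
            current.direction, current.priority = m.group(1), int(m.group(2))
            continue
        m = re.match(r"^tmpl src (\S+) dst (\S+)", line)
        if m:
            current.tmpl_src, current.tmpl_dst = m.group(1), m.group(2)
            continue
        m = re.match(r"^proto \S+ reqid (\d+)", line)
        if m:
            current.reqid = int(m.group(1))
    return policies


def match_policy(policies: List[XfrmPolicy], src_ip: str, dst_ip: str,
                 direction: str) -> Optional[XfrmPolicy]:
    """Best (lowest priority number) policy covering src_ip -> dst_ip in the
    given direction, or None when the packet would bypass IPsec entirely."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst]
    return min(hits, key=lambda p: p.priority) if hits else None


def uncovered_directions(policies: List[XfrmPolicy], virtual_ip: str) -> List[str]:
    """Directions in which no selector includes the virtual IP. Outbound
    policies must carry it as src, inbound and forward policies as dst."""
    vip = ipaddress.ip_address(virtual_ip)
    missing = []
    for direction in ("out", "in", "fwd"):
        covered = any(
            p.direction == direction
            and vip in (p.src if direction == "out" else p.dst)
            for p in policies
        )
        if not covered:
            missing.append(direction)
    return missing


if __name__ == "__main__":
    pols = parse_xfrm_policy(CLIENT_XFRM_POLICY)
    # The ping from the post: virtual IP 172.21.0.26 -> server-side 172.21.0.2.
    print("out policy for ping:", match_policy(pols, "172.21.0.26", "172.21.0.2", "out"))
    print("directions not covering 172.21.0.26:", uncovered_directions(pols, "172.21.0.26"))
```

Applied to the listing in the post, the only outbound selector is src 0.0.0.0/32, so a packet sourced from 172.21.0.26 matches no policy in any direction; comparing the selectors against the address you expect to be protected is the first thing to confirm before looking at routing or firewall rules. The same check on the server-side listing shows the peer selector there is also 0.0.0.0/32, which matches the single 0.0.0.0 route that appears in the server's table 220.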