[strongSwan] EAP extraction issue and universal config for different clients
Oleksandr Yermolenko
aae at sumix.com
Tue Nov 29 10:54:51 CET 2016
Hi,
Environment: strongSwan + freeradius/ldap (389-DS).
Currently there are two client categories: strongSwan clients and
Windows 7-10.
For strongSwan clients, EAP messages (profile rw-eap or link98) are extracted
by strongSwan,
but Windows EAP (profile win7) is extracted by freeradius.
Two questions.
The first one:
Is it possible to unify/update the configuration to always extract EAP by
strongSwan?
For what? In this case I would have more control for win7 (TTLS + EAP/PAP).
I mean I could use separate rightid and leftsubnet for them.
This is because of the unresolved request https://wiki.strongswan.org/issues/1082
And the second question:
How do I update my config to accept connections from PSK+XAuth (MikroTik hEX)?
Trying to follow
https://strongswan.org/testing/testresults4/ikev1/xauth-psk/index.html
without success:
conn pskxauth
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    leftsubnet=10.31.0.0/16
    leftfirewall=yes
I permanently get:

Nov 29 10:39:49 vpn10.hetz.crp charon: 06[CFG] looking for XAuthInitPSK peer configs matching 10.31.1.157...193.X.X.X[10.20.9.189]
Nov 29 10:39:49 vpn10.hetz.crp charon: 06[CFG] candidate "pskxauth", match: 1/1/1052 (me/other/ike)
Nov 29 10:39:49 vpn10.hetz.crp charon: 06[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
Nov 29 10:39:49 vpn10.hetz.crp charon: 06[ENC] generating INFORMATIONAL_V1 request 1342320020 [ HASH N(AUTH_FAILED) ]

The PSK is the same ... :-(
Maybe someone has an idea ...
My strongSwan server configs:
--- ipsec.conf -------------------------------
config setup
    uniqueids=never
    charondebug="cfg 2, tls 1"

conn %default
    ikelifetime=3h
    lifetime=1h
    keyexchange=ikev2
    dpddelay=30s
    dpdaction=clear
    left=193.X.X.X
    leftauth=pubkey
    leftid=@nvp10-4.link.vpn
    leftcert=nvp10-4.link.vpn.pem
    right=%any
    rightauth=eap-radius
    auto=add

conn rw-eap
    leftsubnet=10.20.1.11[udp/domain],10.20.1.20[tcp/http],10.20.1.20[tcp/https],10.20.1.167[tcp/webcache],10.20.1.157
    leftfirewall=no
    rightsourceip=%radius
    rightid=*@link.vpn
    rightsendcert=never

conn link98
    leftsubnet=10.20.0.0/16,10.21.0.0/16
    leftfirewall=yes
    rightsourceip=10.20.252.240/28
    rightid=*@link98.vpn
    rightsendcert=never

conn win7
    leftsubnet=10.31.1.39/32
    leftfirewall=yes
    rightsourceip=10.20.252.192/28
    rightsendcert=never # see note
    eap_identity=%any
-------------------------------------------
---- strongswan.conf --------
charon {
    load = aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509
           curl revocation hmac stroke kernel-netlink socket-default eap-radius
           xauth updown
    multiple_authentication=no
    plugins {
        eap-radius {
            secret = rtbldknflb
            server = 127.0.0.1
            auth_port = 1812
            acct_port = 1813
            accounting=yes
            nas_identifier = VPN-gateway
        }
        attr {
            dns = 10.31.1.11
        }
    }
}
-----------------------------------------
---- ipsec.secrets ----------------------
: RSA nvp10-4.link.vpn.pem
nvp10-4.link.vpn %any : PSK "erkgvndflrjvdbkfljnvb"
3rgfvldfknvl : XAUTH "erlkgvbdnfl"
------------------------------------------
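Added example for the second question (this is not the poster's configuration and not part of the referenced strongSwan test case): the conn %default above sets leftauth=pubkey and rightauth=eap-radius, and leftauth/rightauth take precedence over authby=, so the pskxauth conn still ends up as pubkey + EAP-RADIUS, which is exactly what "none allows XAuthInitPSK authentication using Main Mode" reports. The conn below overrides the two authentication rounds explicitly. The rightsourceip pool is an assumption; for a site-to-site router such as the hEX, rightsubnet= would replace it.

```ini
# ipsec.conf: added example, not from the original post.
# IKEv1 XAuth/PSK responder that does not rely on authby=, because the
# leftauth=pubkey / rightauth=eap-radius inherited from conn %default
# override authby=xauthpsk.
conn pskxauth
    keyexchange=ikev1
    # Round 1: pre-shared key in both directions (Main Mode).
    # The PSK is taken from the "nvp10-4.link.vpn %any : PSK" line in ipsec.secrets.
    leftauth=psk
    rightauth=psk
    # Round 2: XAuth, gateway acts as server; the username/password comes from
    # the "<user> : XAUTH" line in ipsec.secrets (xauth-generic plugin required).
    rightauth2=xauth
    right=%any
    rightsourceip=10.20.252.208/28   # assumption: a separate pool for the hEX
    leftsubnet=10.31.0.0/16
    leftfirewall=yes
    rekeymargin=3m
    keyingtries=1
    auto=add
```

The XAuth backend that reads the XAUTH entries from ipsec.secrets is the xauth-generic plugin; the strongswan.conf load list above names "xauth", which is not a plugin name, so check with `ipsec statusall` (loaded plugins line) that xauth-generic is actually present before testing. With `charondebug="cfg 2"` a successful config lookup should then report the pskxauth candidate as allowing XAuthInitPSK instead of the AUTH_FAILED notify.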