[strongSwan] EAP-Radius plugin can't be loaded.
Quan Zhou
quanzhou822 at gmail.com
Thu Oct 20 05:36:23 CEST 2016
Hi,
I’m having a problem with the eap-radius plugin: when a client initiates a
connection, charon will immediately drop it with EAP/Fail. Log and
configurations are attached.
Thank you in advance!
Oct 20 11:13:00 remote-in charon: 05[CFG] received stroke: add connection 'ikev2-in'
Oct 20 11:13:00 remote-in charon: 05[CFG] adding virtual IP address pool 192.168.7.0/24
Oct 20 11:13:00 remote-in charon: 05[CFG] added configuration 'ikev2-in'
Oct 20 11:13:13 remote-in charon: 07[NET] received packet: from 192.168.5.30[500] to *.*.*.*[500] (604 bytes)
Oct 20 11:13:13 remote-in charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 20 11:13:13 remote-in charon: 07[IKE] 192.168.5.30 is initiating an IKE_SA
Oct 20 11:13:13 remote-in charon: 07[LIB] size of DH secret exponent: 2047 bits
Oct 20 11:13:13 remote-in charon: 07[IKE] remote host is behind NAT
Oct 20 11:13:13 remote-in charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Oct 20 11:13:13 remote-in charon: 07[NET] sending packet: from *.*.*.*[500] to 192.168.5.30[500] (440 bytes)
Oct 20 11:13:13 remote-in charon: 09[NET] received packet: from 192.168.5.30[41784] to *.*.*.*[4500] (528 bytes)
Oct 20 11:13:13 remote-in charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 20 11:13:13 remote-in charon: 09[CFG] looking for peer configs matching *.*.*.*[remote-in.6]...192.168.5.30[user at remote-in.6]
Oct 20 11:13:13 remote-in charon: 09[CFG] selected peer config 'ikev2-in'
Oct 20 11:13:13 remote-in charon: 09[IKE] EAP-Identity request configured, but not supported
Oct 20 11:13:13 remote-in charon: 09[IKE] loading EAP_RADIUS method failed
Oct 20 11:13:13 remote-in charon: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 20 11:13:13 remote-in charon: 09[IKE] peer supports MOBIKE
Oct 20 11:13:13 remote-in charon: 09[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Oct 20 11:13:13 remote-in charon: 09[NET] sending packet: from *.*.*.*[4500] to 192.168.5.30[41784] (112 bytes)
And there's my configuration:
---- /etc/ipsec.conf ----
config setup
    charondebug="lib 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    type=tunnel

conn ikev2-in
    auto=add
    #leftcert=ipsec.pem
    #leftauth=pubkey
    left=*.*.*.*
    leftsubnet=192.168.0.0/21
    leftid=@remote-in.6
    leftfirewall=yes
    right=%any
    rightid=*@remote-in.6
    rightauth=eap-radius
    eap_identity=%any
    rightsendcert=never
    rightsourceip=192.168.7.0/24

---- /etc/strongswan.conf ----
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

---- /etc/strongswan.d/charon/eap-radius.conf ----
eap-radius {
    load = yes
    primary {
        secret = ******
        server = 127.0.0.1
        port = 18120
    }
}
---- ipsec statusall ----
Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.7.0-0.bpo.1-amd64, x86_64):
  uptime: 13 minutes, since Oct 20 11:12:59 2016
  malloc: sbrk 2826240, mmap 0, used 629200, free 2197040
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ldap pkcs11 aes sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke updown
Virtual IP pools (size/online/offline):
  192.168.7.0/24: 254/0/0
Listening IP addresses:
  *.*.*.*
  192.168.4.2
Connections:
  ikev2-in: *.*.*.*...%any IKEv2
  ikev2-in: local: [remote-in.6] uses public key authentication
  ikev2-in: remote: [*@remote-in.6] uses EAP_RADIUS authentication with EAP identity '%any'
  ikev2-in: child: 192.168.0.0/21 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none
--
Regards,
Quan Zhou
+------------------------+
|pub [expires 2019-05-04]|
|D7CF DCE8 2EBA 2766 499A|
|20DF 8273 6C6F ABCD 0A0F|
+------------------------+
|pub [revoked 2016-04-16]|
|44D2 0307 1643 E80F 2E31|
|F081 FAFA 6643 7F9F D46F|
+------------------------+
|quanzhou822 at gmail.com |
|https://keybase.io/qzhou|
+------------------------+
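
Added example, not part of the original post and not strongSwan project code: the log above reports that EAP-Identity is not supported and that EAP_RADIUS failed to load, and the statusall output lists no eap-* plugin, so this check compares the EAP methods a conn asks for with the `loaded plugins` line. The function names, and the rule that an `eap-<method>` auth value needs a plugin of the same name, are assumptions of this example; the sample inputs are abridged from the post.

```python
import re

# Constructed sample inputs, abridged from the statusall output and ipsec.conf in the post.
STATUSALL = """\
loaded plugins: charon ldap pkcs11 aes sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm
curl attr kernel-netlink resolve socket-default stroke updown
Virtual IP pools (size/online/offline):
"""
IPSEC_CONF = """\
conn ikev2-in
    #leftauth=pubkey
    rightauth=eap-radius
    eap_identity=%any
"""

def loaded_plugins(statusall):
    """Names after 'loaded plugins:', tolerating lines wrapped by a mail client."""
    _, _, rest = statusall.partition("loaded plugins:")
    names = []
    for line in rest.splitlines():
        tokens = line.split()
        if not all(re.fullmatch(r"[a-z0-9-]+", t) for t in tokens):
            break  # reached the next statusall section
        names += tokens
    return set(names)

def required_plugins(ipsec_conf):
    """Map each conn to the EAP plugins its auth settings call for."""
    needs, conn = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as #leftauth=pubkey
        if line.startswith("conn "):
            conn = line.split()[1]
            needs[conn] = set()
        elif conn and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if re.fullmatch(r"(left|right)auth2?", key) and value.startswith("eap-"):
                needs[conn].add(value)  # assumption: plugin is named like the method
            elif key == "eap_identity":
                needs[conn].add("eap-identity")
    return needs

def missing_plugins(statusall, ipsec_conf):
    """Per conn, the required plugins that are absent from the loaded list."""
    loaded = loaded_plugins(statusall)
    gaps = {c: sorted(p - loaded) for c, p in required_plugins(ipsec_conf).items()}
    return {c: g for c, g in gaps.items() if g}
```

On a gateway, pass the real `ipsec statusall` output and the contents of /etc/ipsec.conf to `missing_plugins()`; an empty result means every EAP method the connections reference has a loaded plugin.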