[strongSwan] Ikev2 with eap-radius does not work.

배철수 ceo at linuxlab.kr
Fri Mar 24 02:01:43 CET 2017


Hello.

I am novice here.
I am a Korean , 
I am clumsy in English, so forgive me if I make misstyping.

I have installed IKEv2 server on debian jessie. (strongswan-5.5.1)

I have complied as belows

./configure --prefix=/usr --sysconfdir=/etc  --enable-openssl \
--disable-mysql --disable-ldap  \
--disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 \
--enable-eap-aka --enable-eap-aka-3gpp2  --enable-eap-gtc \
--enable-eap-identity --enable-eap-md5 --enable-eap-peap \
--enable-eap-radius --enable-eap-sim --enable-eap-sim-file \
--enable-eap-simaka-pseudonym --enable-eap-simaka-reauth \
--enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls


I can connect to my ikev2 server  from Windows and IPad using ipsec.secrets.(eap-mschapv2)

1) ipsec.conf

config setup
        charondebug="ike 2, cfg 2"
        strictcrlpolicy=no
        uniqueids = no

conn %default
        mobike=yes
        dpdaction=restart
        closeaction=restart
        dpddelay=40s
        dpdtimeout=160s
        fragmentation=yes
        rekey=no
        reauth=yes
        keyexchange=ikev2
        auto=add

conn window
        forceencaps=yes
        #left=%any
        left=ibex.coreavpn.net
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=/etc/ssl/private/vpn-server.crt
        leftsendcert=always
        right=%any
        rightsourceip=172.25.2.0/16
        rightauth=eap-mschapv2       
        rightsendcert=never
        rightdns=168.126.63.1,203.248.252.2
        eap_identity=%any
        leftupdown=/etc/strongswan.d/proxyndp.updown

conn ios
        left=%any
        leftsubnet=0.0.0.0/0
        leftauth=psk
        leftid=ibex.coreavpn.server
        right=%any
        rightsourceip=172.25.10.0/24
        rightauth=eap-mschapv2
        rightid=%any
        eap_identity=%any

2. ipsec.secrets

include /var/lib/strongswan/ipsec.secrets.inc

%any %any : PSK "korea"

# startssl key
: RSA /etc/ipsec.d/private/privatekey.pem

churl  : EAP "eunsol001"
churl2 : EAP "eunsol001"

-------------------------------------------------
But because I want to service ikev2 to many, 
I am trying to use freeradius server to authorize users.

I have installed freeradius-3.0.14

and when I test radius , it is ok.

/usr/bin/radtest -t mschap -4 churl eunsol001 127.0.0.1 10 Korea


Sent Access-Request Id 121 from 0.0.0.0:36605 to 127.0.0.1:1812 length 131
        User-Name = "churl"
        MS-CHAP-Password = "eunsol001"
        NAS-IP-Address = 192.168.0.200
        NAS-Port = 10
        Message-Authenticator = 0x00
        Cleartext-Password = "eunsol001"
        MS-CHAP-Challenge = 0xf3d8c2f26a62a9de
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a934
ba3b3497d80246c74a769837ad615db380220677bcaa
Received Access-Accept Id 121 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
        MS-CHAP-MPPE-Keys = 0xa73cfdd5b6b82abd9519ba2ab1528f24767f2c03b64941ae
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

So I changed ipsec.conf

rightauth=eap-mschapv2        -> rightauth=eap-radius

3) strongswan.conf

      
plugins {
                include strongswan.d/charon/*.conf

                eap-radius {
                         class_group = yes
                         eap_start = yes
                         servers {
                                 primary {
                                         address = 127.0.0.1
                                         secret = Corea
                                         nas_identifer = ipsec-gateway
                                         sockets = 20
                                         preference = 99
                                 }
                           }
                }

        }

4)  /etc/freeradius/users

   churl   Cleartext-Password := "eunsol001"

5)  /etc/freeradius/clients.conf

  ipaddr = 127.0.0.1
secret = Corea

After changing, I can not connect Ike server from both windows and ios.

Below is error log.

1. ike server log


-----
Mar 24 09:52:27 lynx charon: 11[CFG] RADIUS server 'primary' is candidate: 199
Mar 24 09:52:27 lynx charon: 11[CFG] sending RADIUS Access-Request to server 'primary'
Mar 24 09:52:29 lynx charon: 11[CFG] retransmit 1 of RADIUS Access-Request (timeout:
2.8s)
Mar 24 09:52:30 lynx charon: 14[MGR] ignoring request with ID 2, already processing
Mar 24 09:52:32 lynx charon: 11[CFG] retransmit 2 of RADIUS Access-Request (timeout:
3.9s)
Mar 24 09:52:33 lynx charon: 05[MGR] ignoring request with ID 2, already processing
Mar 24 09:52:35 lynx charon: 11[CFG] retransmit 3 of RADIUS Access-Request (timeout:
5.5s)
Mar 24 09:52:36 lynx charon: 07[MGR] ignoring request with ID 2, already processing
Mar 24 09:52:41 lynx charon: 11[CFG] RADIUS Access-Request timed out after 4 attempts
Mar 24 09:52:41 lynx charon: 11[IKE] initiating EAP_RADIUS method failed
Mar 24 09:52:41 lynx charon: 11[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Mar 24 09:52:41 lynx charon: 11[NET] sending packet: from 220.93.109.90[4500] to 14.4
0.64.197[4500] (68 bytes)
Mar 24 09:52:41 lynx charon: 11[IKE] IKE_SA ios[5] state change: CONNECTING => DESTRO
YING

 
2.   radius.log


Fri Mar 24 08:55:37 2017 : Info: Dropping packet without response because of error: P
ossible DoS attack from host 127.0.0.1: Too many attributes in request (received 201,
max 200 are allowed).
Fri Mar 24 08:55:39 2017 : Info: Dropping packet without response because of error: P
ossible DoS attack from host 127.0.0.1: Too many attributes in request (received 201,
max 200 are allowed).
Fri Mar 24 08:55:42 2017 : Info: Dropping packet without response because of error: P
ossible DoS attack from host 127.0.0.1: Too many attributes in request (received 201,
max 200 are allowed).
Fri Mar 24 08:55:45 2017 : Info: Dropping packet without response because of error: P
ossible DoS attack from host 127.0.0.1: Too many attributes in request (received 201,
max 200 are allowed).

What is wrong?


-----------------------------
Bae Churlsu
http://linuxlab.kr, http://pptp.kr
================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170324/c11d9bd4/attachment.html>


More information about the Users mailing list