[strongSwan] Ikev2 with eap-radius does not work.
배철수
ceo at linuxlab.kr
Fri Mar 24 02:01:43 CET 2017
Hello.
I am novice here.
I am Korean, and I am clumsy in English, so forgive me if I make typos.
I have installed IKEv2 server on debian jessie. (strongswan-5.5.1)
I have compiled it as below:
./configure --prefix=/usr --sysconfdir=/etc --enable-openssl \
--disable-mysql --disable-ldap \
--disable-static --enable-shared --enable-md4 --enable-eap-mschapv2 \
--enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc \
--enable-eap-identity --enable-eap-md5 --enable-eap-peap \
--enable-eap-radius --enable-eap-sim --enable-eap-sim-file \
--enable-eap-simaka-pseudonym --enable-eap-simaka-reauth \
--enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls
I can connect to my IKEv2 server from Windows and iPad using ipsec.secrets (eap-mschapv2).
1) ipsec.conf
config setup
    charondebug="ike 2, cfg 2"
    strictcrlpolicy=no
    uniqueids = no

conn %default
    mobike=yes
    dpdaction=restart
    closeaction=restart
    dpddelay=40s
    dpdtimeout=160s
    fragmentation=yes
    rekey=no
    reauth=yes
    keyexchange=ikev2
    auto=add

conn window
    forceencaps=yes
    #left=%any
    left=ibex.coreavpn.net
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=/etc/ssl/private/vpn-server.crt
    leftsendcert=always
    right=%any
    rightsourceip=172.25.2.0/16
    rightauth=eap-mschapv2
    rightsendcert=never
    rightdns=168.126.63.1,203.248.252.2
    eap_identity=%any
    leftupdown=/etc/strongswan.d/proxyndp.updown

conn ios
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=ibex.coreavpn.server
    right=%any
    rightsourceip=172.25.10.0/24
    rightauth=eap-mschapv2
    rightid=%any
    eap_identity=%any
2) ipsec.secrets
include /var/lib/strongswan/ipsec.secrets.inc
%any %any : PSK "korea"
# startssl key
: RSA /etc/ipsec.d/private/privatekey.pem
churl : EAP "eunsol001"
churl2 : EAP "eunsol001"
-------------------------------------------------
But because I want to offer IKEv2 service to many users,
I am trying to use a FreeRADIUS server to authorize users.
I have installed freeradius-3.0.14,
and when I test RADIUS, it is OK.
/usr/bin/radtest -t mschap -4 churl eunsol001 127.0.0.1 10 Korea
Sent Access-Request Id 121 from 0.0.0.0:36605 to 127.0.0.1:1812 length 131
User-Name = "churl"
MS-CHAP-Password = "eunsol001"
NAS-IP-Address = 192.168.0.200
NAS-Port = 10
Message-Authenticator = 0x00
Cleartext-Password = "eunsol001"
MS-CHAP-Challenge = 0xf3d8c2f26a62a9de
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a934ba3b3497d80246c74a769837ad615db380220677bcaa
Received Access-Accept Id 121 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
MS-CHAP-MPPE-Keys = 0xa73cfdd5b6b82abd9519ba2ab1528f24767f2c03b64941ae
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
So I changed ipsec.conf
rightauth=eap-mschapv2 -> rightauth=eap-radius
3) strongswan.conf
plugins {
    include strongswan.d/charon/*.conf

    eap-radius {
        class_group = yes
        eap_start = yes
        servers {
            primary {
                address = 127.0.0.1
                secret = Corea
                nas_identifier = ipsec-gateway
                sockets = 20
                preference = 99
            }
        }
    }
}
4) /etc/freeradius/users
churl Cleartext-Password := "eunsol001"
5) /etc/freeradius/clients.conf
ipaddr = 127.0.0.1
secret = Corea
After the change, I cannot connect to the IKE server from either Windows or iOS.
Below are the error logs.
1. ike server log
-----
Mar 24 09:52:27 lynx charon: 11[CFG] RADIUS server 'primary' is candidate: 199
Mar 24 09:52:27 lynx charon: 11[CFG] sending RADIUS Access-Request to server 'primary'
Mar 24 09:52:29 lynx charon: 11[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Mar 24 09:52:30 lynx charon: 14[MGR] ignoring request with ID 2, already processing
Mar 24 09:52:32 lynx charon: 11[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Mar 24 09:52:33 lynx charon: 05[MGR] ignoring request with ID 2, already processing
Mar 24 09:52:35 lynx charon: 11[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Mar 24 09:52:36 lynx charon: 07[MGR] ignoring request with ID 2, already processing
Mar 24 09:52:41 lynx charon: 11[CFG] RADIUS Access-Request timed out after 4 attempts
Mar 24 09:52:41 lynx charon: 11[IKE] initiating EAP_RADIUS method failed
Mar 24 09:52:41 lynx charon: 11[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Mar 24 09:52:41 lynx charon: 11[NET] sending packet: from 220.93.109.90[4500] to 14.40.64.197[4500] (68 bytes)
Mar 24 09:52:41 lynx charon: 11[IKE] IKE_SA ios[5] state change: CONNECTING => DESTROYING
2. radius.log
Fri Mar 24 08:55:37 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 201, max 200 are allowed).
Fri Mar 24 08:55:39 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 201, max 200 are allowed).
Fri Mar 24 08:55:42 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 201, max 200 are allowed).
Fri Mar 24 08:55:45 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 201, max 200 are allowed).
What is wrong?
-----------------------------
Bae Churlsu
http://linuxlab.kr, http://pptp.kr
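The radius.log above shows FreeRADIUS discarding every Access-Request from charon before authentication even starts, because the request carried 201 attributes and the server's per-request limit is 200; charon never sees a reply, so it retransmits until the IKE_AUTH exchange fails. The following Python is an added example, not part of the original post and not strongSwan or FreeRADIUS code, showing what that server-side input stage does: it parses a RADIUS packet (RFC 2865 framing), counts attributes against a limit, and verifies the Message-Authenticator (RFC 2869) with the shared secret, so a packet with the wrong secret is also rejected up front. The limit of 200, the secret "Corea", the user name and the NAS values are taken from the post; the packets themselves are constructed here, and the function names (`build_access_request`, `parse_packet`, `check`) are this example's own.

```python
"""Constructed example: validate RADIUS Access-Requests the way a server's input
stage does (attribute-count limit, Message-Authenticator check)."""
import hashlib
import hmac
import os
import struct

# Per-request attribute limit quoted in the radius.log above ("max 200 are
# allowed"); the value is taken from that log line, not from FreeRADIUS source.
MAX_ATTRIBUTES = 200

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80


def _encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the 2 header bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, authenticator, attrs, secret):
    """Serialize an Access-Request (RFC 2865 section 3) and append a
    Message-Authenticator (RFC 2869 section 5.14): HMAC-MD5 keyed with the
    shared secret over the packet with the 16 MAC octets set to zero."""
    body = _encode_attrs(attrs)
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + mac


def parse_packet(data, max_attrs=MAX_ATTRIBUTES):
    """Return (code, id, authenticator, [(type, value, offset), ...]).
    Raises ValueError for malformed framing or too many attributes."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data) or length > 4096:
        raise ValueError("bad Length field %d" % length)
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen], pos))
        pos += alen
    # Count everything first, then reject, so the message reports the real total.
    if len(attrs) > max_attrs:
        raise ValueError("Too many attributes in request (received %d, max %d are allowed)"
                         % (len(attrs), max_attrs))
    return code, ident, data[4:20], attrs


def verify_message_authenticator(data, secret):
    """True when the packet carries a Message-Authenticator that matches the
    shared secret; False if it is absent or does not match."""
    _, _, _, attrs = parse_packet(data)
    pkt = data[:struct.unpack("!H", data[2:4])[0]]
    for atype, value, pos in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False


def check(data, secret):
    """Server-side input check: 'accept-for-processing', or the reason the
    packet is dropped before any credential is looked at."""
    try:
        parse_packet(data)
    except ValueError as err:
        return "drop: %s" % err
    if not verify_message_authenticator(data, secret):
        return "drop: Message-Authenticator mismatch (shared secret?)"
    return "accept-for-processing"


def normal_request(secret=b"Corea"):
    """Constructed request resembling the radtest exchange above."""
    attrs = [(ATTR_USER_NAME, b"churl"),
             (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 0, 200])),
             (ATTR_NAS_PORT, struct.pack("!I", 10))]
    return build_access_request(121, os.urandom(16), attrs, secret)


def oversized_request(secret=b"Corea", count=MAX_ATTRIBUTES):
    """Constructed request padded with Reply-Message attributes so that, with
    the Message-Authenticator, it carries count + 1 attributes."""
    return build_access_request(122, os.urandom(16),
                                [(ATTR_REPLY_MESSAGE, b"x")] * count, secret)


if __name__ == "__main__":
    print(check(normal_request(), b"Corea"))     # accepted
    print(check(normal_request(), b"Korea"))     # secret mismatch -> dropped
    print(check(oversized_request(), b"Corea"))  # 201 attributes -> dropped
```

Both failure modes in the post are visible from the NAS side only as silence: a RADIUS server that drops a request for a bad Message-Authenticator or an oversized attribute list sends no reject, which is exactly why charon's log shows retransmits and a timeout rather than an Access-Reject. The server log is therefore the place to look first.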