[strongSwan] StrongSwan and EAP (FreeRadius)

Houman houmie at gmail.com
Wed Nov 15 08:24:34 CET 2017


Hi,

I'm new to the concept of EAP and might be misunderstanding something.
Apologies up front.

I have finally been able to install FreeRadius and enable the SQL module.
I have created a user in the database and was hoping to establish a VPN
connection via that user.

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
('houman','Cleartext-Password',':=','test123');


When I try to connect from my MacBook into the StrongSwan server I get this
log. It looks promising but eventually, it says initiating EAP_RADIUS
method failed.

I'm not quite sure if this has failed due to a bad configuration on my side or
it is for other reasons that I don't quite understand how EAP should work.

Please be so kind and advise,
Thanks,
Houman


Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating
an IKE_SA
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
sending keep alives
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
'roadwarrior'
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY
method (id 0x00)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com'
(myself) with RSA signature successful
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=
vpn2.t.com"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with
length of 3334 bytes into 7 fragments
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(1/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(2/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(3/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(4/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(5/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(6/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(7/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET]
sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from
88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [
EAP/RES/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity
'houman'
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
Access-Request (timeout: 3.9s)
Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS
Access-Request (timeout: 5.5s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed
out after 4 attempts
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method
failed
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response
2 [ EAP/FAIL ]
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from
172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)
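
Added example, not part of the original post: a small Python parser that rejoins the mail-wrapped charon lines above and reports each RADIUS Access-Request that was retransmitted until it timed out, which is the step right before this log reports the EAP_RADIUS failure. The function names are illustrative, the sample is constructed from the log lines in the post, and only message formats visible in that log are matched.

```python
import re
# Constructed sample: RADIUS lines from the log above, hard-wrapped as in the post.
SAMPLE = """\
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
Access-Request (timeout: 3.9s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS
Access-Request (timeout: 5.5s)
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed
out after 4 attempts
"""

ENTRY = re.compile(r"^\w{3} [ \d]\d (\d\d):(\d\d):(\d\d) \S+ charon: (\d+)\[\w+\] (.*)$")

def unwrap(text):
    """Rejoin wrapped lines; a new entry always starts with a syslog timestamp."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"\w{3} [ \d]\d \d\d:\d\d:\d\d ", line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def radius_timeouts(text):
    """Return one record per RADIUS Access-Request that ended in a timeout."""
    pending, found = {}, []
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        now = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])  # same-day logs assumed
        thread, msg = m[4], m[5]
        if s := re.match(r"sending RADIUS Access-Request to server '([^']+)'", msg):
            pending[thread] = {"server": s[1], "start": now, "retransmits": 0}
        elif thread not in pending:
            continue  # e.g. the MGR "already processing" lines from other threads
        elif re.match(r"retransmit \d+ of RADIUS Access-Request", msg):
            pending[thread]["retransmits"] += 1
        elif t := re.match(r"RADIUS Access-Request timed out after (\d+) attempts", msg):
            req = pending.pop(thread)
            found.append({"server": req["server"], "attempts": int(t[1]),
                          "retransmits": req["retransmits"], "waited_s": now - req["start"]})
    return found

if __name__ == "__main__":
    print(radius_timeouts(SAMPLE))
```

Each record means charon gave up waiting for a RADIUS reply, as opposed to receiving a rejection.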