[strongSwan] StrongSwan and EAP (FreeRadius)

Michael Schwartzkopff ms at sys4.de
Wed Nov 15 08:55:53 CET 2017


On 15.11.2017 at 08:24, Houman wrote:
> Hi,
>
> I'm new to the concept of EAP and might be misunderstanding something.
> Apologies up front.
>
> I have finally been able to install FreeRadius and enable the SQL module.
> I have created a user in the database and was hoping to establish a VPN
> connection via that user.
>
> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> ('houman','Cleartext-Password',':=','test123');
>
>
> When I try to connect from my MacBook into the StrongSwan server I get this
> log. It looks promising but eventually, it says initiating EAP_RADIUS
> method failed.
>
> I'm not quite sure if this has failed due to a bad configuration on my side or
> whether it is for other reasons, since I don't quite understand how EAP should work.
>
> Please be so kind and advise,
> Thanks,
> Houman
>
>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0
> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating
> an IKE_SA
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
> sending keep alives
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
> 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
> 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [
> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
> matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
> 'roadwarrior'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY
> method (id 0x00)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com'
> (myself) with RSA signature successful
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=
> vpn2.t.com"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,
> O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with
> length of 3334 bytes into 7 fragments
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(1/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(2/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(3/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(4/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(5/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(6/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(7/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
> 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET]
> sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
> 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from
> 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity
> 'houman'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
> Access-Request to server 'server-a'
> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
> Access-Request (timeout: 2.8s)
> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,
> already processing
> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
> Access-Request (timeout: 3.9s)
> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2,
> already processing
> Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS
> Access-Request (timeout: 5.5s)
> Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2,
> already processing
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed
> out after 4 attempts
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method
> failed
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response
> 2 [ EAP/FAIL ]
> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from
> 172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)
>
It seems that your RADIUS server does not behave properly.

Is the server online?

Is the RADIUS service running?

What are the logs of the RADIUS server, or in other words, what is the
output of freeradius -X?


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
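As an added example (not code from this thread, from strongSwan or from FreeRADIUS), here is a small Python script that parses charon log lines of the kind quoted above and separates a "RADIUS never answered" failure from an EAP failure that happened after the server did answer. The only input is a constructed excerpt of the quoted log; the verdict names and the text in HINTS are my own wording, and the hints boil down to the three checks in the reply (host reachable, service running, freeradius -X), plus one caveat: FreeRADIUS also discards a request silently when the gateway is not listed in clients.conf or the shared secret does not match, which from charon's side is indistinguishable from a server that is down. The "ignoring request with ID 2, already processing" lines are kept in the sample because they show the client retransmitting its IKE_AUTH while charon is still waiting on RADIUS.

```python
import re
from datetime import datetime

# Constructed sample: the RADIUS-related lines of the charon log quoted in the post
SAMPLE_LOG = """\
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed out after 4 attempts
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method failed
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
"""

# syslog prefix, then charon's "<thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)


def parse_charon(text):
    """Return one dict per charon line; lines without the thread prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; a leap year is used as a placeholder so
        # that "Feb 29" parses, since only time differences are computed below
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "thread": m["thread"], "group": m["group"], "msg": m["msg"]})
    return events


def _new_record():
    return {"identity": None, "server": None, "sent_at": None, "retransmits": 0,
            "timed_out_after": None, "elapsed_s": None, "eap_failed": False}


def classify(rec):
    """Verdict names are this example's own, not strongSwan terminology."""
    if rec["timed_out_after"] is not None:
        return "no_radius_response"
    if rec["eap_failed"]:
        return "eap_radius_failed_after_response"
    return "no_eap_radius_failure"


def diagnose(text):
    """Group RADIUS events by charon worker thread and classify each exchange.

    charon's thread id is a worker thread, not an IKE_SA, so on a busy gateway two
    clients served by the same thread could interleave; for a single test client,
    as in the post, the grouping is exact.
    """
    records = {}
    for ev in parse_charon(text):
        rec = records.setdefault(ev["thread"], _new_record())
        msg = ev["msg"]
        if m := re.match(r"received EAP identity '([^']*)'", msg):
            rec["identity"] = m.group(1)
        elif m := re.match(r"sending RADIUS Access-Request to server '([^']*)'", msg):
            rec["server"], rec["sent_at"] = m.group(1), ev["ts"]
            rec["retransmits"], rec["timed_out_after"] = 0, None  # a new exchange starts
        elif re.match(r"retransmit \d+ of RADIUS Access-Request", msg):
            rec["retransmits"] += 1
        elif m := re.match(r"RADIUS Access-Request timed out after (\d+) attempts", msg):
            rec["timed_out_after"] = int(m.group(1))
            if rec["sent_at"] is not None:
                rec["elapsed_s"] = (ev["ts"] - rec["sent_at"]).total_seconds()
        elif msg.startswith("initiating EAP_RADIUS method failed"):
            rec["eap_failed"] = True
    for rec in records.values():
        rec["verdict"] = classify(rec)
    return records


# Hint text is this example's own; it restates the checks from the reply above.
HINTS = {
    "no_radius_response": (
        "charon never received an Access-Accept or Access-Reject. Check that the RADIUS "
        "host is reachable, that the service is running, and that freeradius -X shows the "
        "request arriving: FreeRADIUS also drops requests silently when the gateway is not "
        "listed in clients.conf or the shared secret does not match."
    ),
    "eap_radius_failed_after_response": (
        "The RADIUS server answered but EAP did not complete; freeradius -X shows why."
    ),
    "no_eap_radius_failure": "No EAP-RADIUS failure recorded for this thread.",
}

if __name__ == "__main__":
    for thread, rec in diagnose(SAMPLE_LOG).items():
        print(f"thread {thread}: user={rec['identity']} server={rec['server']} "
              f"retransmits={rec['retransmits']} elapsed={rec['elapsed_s']}s -> {rec['verdict']}")
        print("  " + HINTS[rec["verdict"]])
```

Feed it the gateway's syslog (or `journalctl -u strongswan` output) instead of SAMPLE_LOG; the 14 seconds between the first Access-Request and the timeout match the 2 s initial wait plus the three growing retransmit timeouts shown in the quoted log, which is what the VPN client experiences as a hang before EAP/FAIL arrives.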

