[strongSwan] StrongSwan and EAP (FreeRadius)

Houman houmie at gmail.com
Wed Nov 15 09:58:39 CET 2017


Hallo Michael,


Thanks for your reply.  Indeed I should have checked the radius log.  It
seems the shared secret is incorrect, but they do match in the configs as
pasted below.
Where else could the secret have been used that I have missed?  Thanks

*vim /var/log/freeradius/radius.log*

Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server <default>
Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.)



*vim /etc/strongswan.conf*

charon {
    load_modular = yes
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            servers {
                server-a {
                    accounting = yes
                    secret = 123456
                    address = 127.0.0.1
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    include strongswan.d/*.conf
}



*vim /etc/freeradius/clients.conf*

client 0.0.0.0 {
        secret          = 123456
        nas_type        = other
        shortname       = 0.0.0.0
        require_message_authenticator = no
}



On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <ms at sys4.de> wrote:

> On 15.11.2017 at 08:24, Houman wrote:
> > Hi,
> >
> > I'm new to the concept of EAP and might be misunderstanding something.
> > Apologies up front.
> >
> > I have finally been able to install FreeRadius and enable the SQL module.
> > I have created a user in the database and was hoping to establish a VPN
> > connection via that user.
> >
> > INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> > ('houman','Cleartext-Password',':=','test123');
> >
> >
> > When I try to connect from my MacBook into the StrongSwan server I get this
> > log. It looks promising but eventually, it says initiating EAP_RADIUS
> > method failed.
> >
> > I'm not quite sure if this has failed due to a bad configuration on my side
> > or it is for other reasons that I don't quite understand how EAP should
> > work.
> >
> > Please be so kind and advise,
> > Thanks,
> > Houman
> >
> >
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config 'roadwarrior'
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=vpn2.t.com"
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
> > Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
> > Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
> > Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
> > Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2, already processing
> > Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
> > Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2, already processing
> > Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed out after 4 attempts
> > Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method failed
> > Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
> > Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)
> >
> It seems that your RADIUS server does not behave properly.
>
> Is the server online?
>
> Is the RADIUS service running?
>
> What are the logs of the RADIUS server, or in other words, what is the
> output of freeradius -X?
>
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: Munich, Munich Local Court: HRB 199263
> Management Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the Supervisory Board: Florian Kirstein
>
>
>
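An added illustration, not part of the thread: how a RADIUS server verifies the Message-Authenticator that the FreeRADIUS log above rejects, so that the "Shared secret is incorrect" error can be reproduced and reasoned about offline. The secret 123456 and identity houman come from the configs and log in the thread; the packet itself is constructed, and the hypothetical NAS is charon's eap-radius plugin.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_access_request(secret, identifier, attrs, request_authenticator=None):
    """Encode an Access-Request with a trailing Message-Authenticator (RFC 2869 5.14)."""
    # RFC 3579 makes the attribute mandatory when EAP-Message is present, as with charon.
    ra = request_authenticator or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # Zeroed placeholder, appended last so the HMAC-MD5 covers the whole packet.
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Return True iff the packet's Message-Authenticator matches `secret`."""
    # A server that fails this check drops the request without any reply,
    # which the NAS then reports as a RADIUS timeout (as in charon's log).
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            # Recompute over the packet with the 16 value bytes zeroed.
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False  # no Message-Authenticator present


# Constructed sample: User-Name plus an EAP Identity response for 'houman'
# (EAP code 2, id 0, length 11, type 1), signed with the configured secret.
SAMPLE = build_access_request(b"123456", 2, [
    (ATTR_USER_NAME, b"houman"),
    (ATTR_EAP_MESSAGE, bytes([2, 0, 0, 11, 1]) + b"houman"),
])
```

Verifying SAMPLE with any other secret fails exactly as the FreeRADIUS log shows; note that FreeRADIUS selects the client entry, and therefore the secret, by the packet's source address, so a more specific entry for 127.0.0.1 (the default clients.conf ships one named localhost) takes precedence over a broader entry.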