[strongSwan] StrongSwan and EAP (FreeRadius)

Michael Schwartzkopff ms at sys4.de
Wed Nov 15 10:01:44 CET 2017


On 15.11.2017 at 09:58, Houman wrote:
> Hallo Michael,
>
>
> Thanks for your reply.  Indeed I should have checked the radius log.  It
> seems the shared secret is incorrect, but they do match in the configs as
> pasted below.
> Where else could the secret have been used that I have missed?  Thanks
>
> *vim /var/log/freeradius/radius.log*
>
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
> database "radius"
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (0), 1 of 32 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (1), 1 of 31 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (2), 1 of 30 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (3), 1 of 29 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (4), 1 of 28 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (5), 1 of 27 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server <default>
> Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
> raddb/mods-available/README.rst)
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
> always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
> of error: Received packet from 127.0.0.1 with invalid
> Message-Authenticator!  (Shared secret is incorrect.)
>
>
>
> *vim /etc/strongswan.conf*
>
> charon {
>       load_modular = yes
>       compress = yes
>          plugins {
>             include strongswan.d/charon/*.conf
>                eap-radius {
>                     servers {
>                         server-a {
>                             accounting = yes
>                             secret = 123456
>                             address = 127.0.0.1
>                             auth_port = 1812
>                             acct_port = 1813
>                         }
>                     }
>                 }
>         }
>     include strongswan.d/*.conf
> }
>
>
>
> *vim /etc/freeradius/clients.conf*
>
> client 0.0.0.0 {
>         secret          = 123456
>         nas_type        = other
>         shortname       = 0.0.0.0
>         require_message_authenticator = no
> }
>
>
>
> On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <ms at sys4.de> wrote:
>
>> On 15.11.2017 at 08:24, Houman wrote:
>>> Hi,
>>>
>>> I'm new to the concept of EAP and might be misunderstanding something.
>>> Apologies up front.
>>>
>>> I have finally been able to install FreeRadius and enable the SQL module.
>>> I have created a user in the database and was hoping to establish a VPN
>>> connection via that user.
>>>
>>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
>>> ('houman','Cleartext-Password',':=','test123');
>>>
>>>
>>> When I try to connect from my MacBook into the StrongSwan server I get
>> this
>>> log. It looks promising but eventually, it says initiating EAP_RADIUS
>>> method failed.
>>>
>>> I'm not quite sure if this has failed due to a bad configuration on my side
>>> or for other reasons, since I don't quite understand how EAP should
>> work.
>>> Please be so kind and advise,
>>> Thanks,
>>> Houman
>>>
>>>
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
>>> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
>> request 0
>>> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
>> initiating
>>> an IKE_SA
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
>>> sending keep alives
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
>> ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
>>> 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
>>> 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type
>> (25)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1
>> [
>>> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
>>> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
>>> matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
>>> 'roadwarrior'
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY
>>> method (id 0x00)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received
>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of '
>> vpn2.t.com'
>>> (myself) with RSA signature successful
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert
>> "CN=
>>> vpn2.t.com"
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,
>>> O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with
>>> length of 3334 bytes into 7 fragments
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ EF(1/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ EF(2/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ EF(3/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ EF(4/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ EF(5/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ EF(6/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH
>> response
>>> 1 [ EF(7/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
>>> 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [
>> 14[NET]
>>> sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544
>> bytes)]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
>>> 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from
>>> 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2
>> [
>>> EAP/RES/ID ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity
>>> 'houman'
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
>>> Access-Request to server 'server-a'
>>> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
>>> Access-Request (timeout: 2.8s)
>>> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID
>> 2,
>>> already processing
>>> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
>>> Access-Request (timeout: 3.9s)
>>> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID
>> 2,
>>> already processing
>>> Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS
>>> Access-Request (timeout: 5.5s)
>>> Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID
>> 2,
>>> already processing
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request
>> timed
>>> out after 4 attempts
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS
>> method
>>> failed
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH
>> response
>>> 2 [ EAP/FAIL ]
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from
>>> 172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)
>>>
>> It seems that your RADIUS server does not behave properly.
>>
>> Is the server online?
>>
>> Is the RADIUS service running?
>>
>> What are the logs of the RADIUS server, or in other words, what is the
>> output of freeradius -X?
>>
>>
>> Kind regards,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG, 80333 München
>>
>> Registered office: München, Amtsgericht München: HRB 199263
>> Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Chairman of the supervisory board: Florian Kirstein
>>
>>
>>
Well, RADIUS accepts the client 0.0.0.0. But the client has the address
127.0.0.1. Please change the entry in the clients.conf of the freeradius
setup.

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein


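The two failure modes discussed in this thread, as an added example that is not part of the mailing-list exchange or of strongSwan or FreeRADIUS: a RADIUS server first selects the client entry for the packet's source address and only then checks the Message-Authenticator with that entry's secret, so a request from 127.0.0.1 can be dropped either because no client entry covers 127.0.0.1 or because the entry that does cover it carries a different secret than the one charon is configured with. The script below builds a constructed Access-Request the way charon would (RFC 3579 HMAC-MD5 over the packet with the Message-Authenticator value zeroed), then runs it through a toy model of clients.conf in which a bare address such as `0.0.0.0` is a single host (/32) and the most specific prefix wins. The client entries, secrets and packet contents are all constructed; they are not taken from any real configuration.

```python
"""Added example (not from the thread): RADIUS client selection and
Message-Authenticator verification, modelled on RFC 2865/3579.

Assumptions (constructed, not from the page): the client table is a
list of (name, address-or-cidr, secret); a bare address is a /32.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype, value):
    """Encode one RADIUS attribute: type, length (incl. 2 header bytes), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret, username, pkt_id=0, authenticator=None):
    """Build an Access-Request carrying a valid Message-Authenticator.

    The HMAC-MD5 (RFC 3579) is keyed with the shared secret and computed over
    the whole packet with the Message-Authenticator value set to 16 zero bytes.
    """
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator (random)
    user = _attr(ATTR_USER_NAME, username.encode())
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(user) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, length) + authenticator
    mac = hmac.new(secret.encode(), header + user + placeholder, hashlib.md5).digest()
    return header + user + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    off = 20
    while off < len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, atype, packet[off + 2:off + alen]
        off += alen


def verify_message_authenticator(packet, secret):
    """Return True if the packet's Message-Authenticator verifies under `secret`.

    A packet without the attribute returns False: with
    require_message_authenticator = no it would still be accepted, but then
    a wrong secret surfaces later as a failed password decode instead.
    """
    for off, atype, value in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def find_client(clients, source_ip):
    """Pick the client entry whose prefix most specifically covers source_ip.

    A bare address ("0.0.0.0", "127.0.0.1") is treated as a /32 host entry,
    so "0.0.0.0" alone does not cover requests arriving from 127.0.0.1.
    """
    src = ipaddress.ip_address(source_ip)
    best = None
    for name, cidr, secret in clients:
        net = ipaddress.ip_network(cidr, strict=False)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, secret)
    return None if best is None else (best[1], best[2])


def server_check(clients, source_ip, packet):
    """Emulate the server's decision: unknown client, bad secret, or ok."""
    match = find_client(clients, source_ip)
    if match is None:
        return "unknown client"
    _name, secret = match
    if verify_message_authenticator(packet, secret):
        return "ok"
    return "shared secret is incorrect"


if __name__ == "__main__":
    # Constructed request from charon with the secret in strongswan.conf.
    pkt = build_access_request("123456", "houman", authenticator=bytes(range(16)))
    only_zero = [("0.0.0.0", "0.0.0.0", "123456")]
    stale_localhost = [("localhost", "127.0.0.1", "other-secret"), ("all", "0.0.0.0/0", "123456")]
    fixed = [("localhost", "127.0.0.1", "123456")]
    for label, table in (("0.0.0.0 only", only_zero), ("stale localhost", stale_localhost), ("fixed", fixed)):
        print("%-16s -> %s" % (label, server_check(table, "127.0.0.1", pkt)))
```

When diagnosing a rejection, confirm which entry actually matches the source address before comparing secrets: an entry for 127.0.0.1 with its own secret takes precedence over a catch-all, and that is the case in which the log reports an invalid Message-Authenticator even though the secret in strongswan.conf looks identical to the one in the entry you expected to match.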