[strongSwan] StrongSwan and EAP (FreeRadius)

Houman houmie at gmail.com
Wed Nov 15 10:06:39 CET 2017


I have changed both configs to 127.0.0.1 and restarted both StrongSwan and
FreeRadius but I got the same error message.
Then I changed them both to 0.0.0.0 and restarted both servers, and I still
get the same error message.

Any idea what this could be?

On Wed, Nov 15, 2017 at 9:01 AM, Michael Schwartzkopff <ms at sys4.de> wrote:

> On 15.11.2017 at 09:58, Houman wrote:
> > Hello Michael,
> >
> >
> > Thanks for your reply. Indeed I should have checked the RADIUS log. It
> > seems the shared secret is incorrect, but they do match in the configs
> > pasted below.
> > Where else could the secret have been used that I have missed? Thanks
> >
> > vim /var/log/freeradius/radius.log
> >
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server <default>
> > Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> > Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> > Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> > Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.)
> >
> >
> >
> > vim /etc/strongswan.conf
> >
> > charon {
> >     load_modular = yes
> >     compress = yes
> >     plugins {
> >         include strongswan.d/charon/*.conf
> >         eap-radius {
> >             servers {
> >                 server-a {
> >                     accounting = yes
> >                     secret = 123456
> >                     address = 127.0.0.1
> >                     auth_port = 1812
> >                     acct_port = 1813
> >                 }
> >             }
> >         }
> >     }
> >     include strongswan.d/*.conf
> > }
> >
> >
> >
> > vim /etc/freeradius/clients.conf
> >
> > client 0.0.0.0 {
> >         secret          = 123456
> >         nas_type        = other
> >         shortname       = 0.0.0.0
> >         require_message_authenticator = no
> > }
> >
> >
> >
> > On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <ms at sys4.de> wrote:
> >
> >> On 15.11.2017 at 08:24, Houman wrote:
> >>> Hi,
> >>>
> >>> I'm new to the concept of EAP and might be misunderstanding something.
> >>> Apologies up front.
> >>>
> >>> I have finally been able to install FreeRadius and enable the SQL module.
> >>> I have created a user in the database and was hoping to establish a VPN
> >>> connection via that user.
> >>>
> >>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> >>> ('houman','Cleartext-Password',':=','test123');
> >>>
> >>>
> >>> When I try to connect from my MacBook to the StrongSwan server I get this
> >>> log. It looks promising but eventually it says "initiating EAP_RADIUS
> >>> method failed".
> >>>
> >>> I'm not quite sure if this has failed due to a bad configuration on my
> >>> side, or whether it is for other reasons, as I don't quite understand how
> >>> EAP should work.
> >>> Please be so kind and advise,
> >>> Thanks,
> >>> Houman
> >>>
> >>>
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config 'roadwarrior'
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=vpn2.t.com"
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
> >>> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
> >>> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
> >>> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
> >>> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2, already processing
> >>> Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
> >>> Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2, already processing
> >>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed out after 4 attempts
> >>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method failed
> >>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
> >>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)
> >>>
> >> It seems that your RADIUS server does not behave properly.
> >>
> >> Is the server online?
> >>
> >> Is the RADIUS service running?
> >>
> >> What are the logs of the RADIUS server, or in other words, what is the
> >> output of freeradius -X?
> >>
> >>
> >> Kind regards,
> >>
> >> --
> >>
> >> [*] sys4 AG
> >>
> >> https://sys4.de, +49 (89) 30 90 46 64
> >> Schleißheimer Straße 26/MG, 80333 München
> >>
> >> Registered office: München, Munich District Court (Amtsgericht München): HRB 199263
> >> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> >> Chairman of the Supervisory Board: Florian Kirstein
> >>
> >>
> >>
> Well, RADIUS accepts the client 0.0.0.0, but the client has the address
> 127.0.0.1. Please change the entry in the clients.conf of the FreeRADIUS
> setup.
>
> Kind regards,
>
>
>
>
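The log line that settled the diagnosis above, "Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)", comes from the check defined in RFC 2869 section 5.14 (and made mandatory for EAP-carrying Access-Requests by RFC 3579): Message-Authenticator is an HMAC-MD5, keyed with the shared secret, over the whole RADIUS packet with the attribute's own 16 value bytes set to zero. The Python below is an added example, not code from this thread, strongSwan or FreeRADIUS; it builds the kind of Access-Request charon sends right after "received EAP identity 'houman'" and verifies it the way a RADIUS server must. The identifier, Request Authenticator and attribute contents are constructed for the example, and `123456` and `testing123` are used only as the secret that signs the packet and a secret that does not match. One practical point this makes visible: the server verifies the HMAC with whatever secret belongs to the `client` block that matched the packet's source address, so a packet from 127.0.0.1 fails exactly like this whenever the matching block is not the one you edited (the stock FreeRADIUS clients.conf ships a `client localhost` block for 127.0.0.1 with its own secret, `testing123`, which is worth checking for when a freshly added block does not seem to take effect).

```python
"""Build a RADIUS Access-Request and verify its Message-Authenticator.

Added example (not strongSwan or FreeRADIUS code). All packet fields
below are constructed for illustration.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value (value <= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP Response (code 2) of type Identity (1), as relayed inside EAP-Message."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs: list, secret: bytes, sign: bool = True) -> bytes:
    """Assemble an Access-Request; with sign=True append a valid Message-Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(attrs)
    if sign:
        # 16 zero bytes stand in for the HMAC while it is computed (RFC 2869 5.14).
        body += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    if not sign:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes


def parse_attributes(packet: bytes):
    """Yield (offset, type, value) for each attribute; raise ValueError if malformed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet")
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(packet: bytes, secret: bytes) -> str:
    """Return 'ok', 'invalid', 'missing' or 'malformed' for an Access-Request.

    'invalid' is the case behind the thread's "Shared secret is incorrect" log line:
    the HMAC is recomputed with the server's secret for the matched client and
    compared in constant time against the value carried in the packet.
    """
    try:
        attrs = list(parse_attributes(packet))
    except ValueError:
        return "malformed"
    found = [(off, val) for off, t, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    offset, received = found[0]
    if len(received) != 16:
        return "malformed"
    zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, received) else "invalid"


# Constructed sample: an Access-Request relaying the EAP identity 'houman',
# signed with the secret 123456 from the strongswan.conf in the thread.
SAMPLE_REQUEST = build_access_request(
    identifier=2,
    request_authenticator=bytes(range(16)),  # constructed; real ones are random
    attrs=[
        attribute(ATTR_USER_NAME, b"houman"),
        attribute(ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
        attribute(ATTR_EAP_MESSAGE, eap_response_identity(0, b"houman")),
    ],
    secret=b"123456",
)
# Same request without any Message-Authenticator at all.
UNSIGNED_REQUEST = build_access_request(
    2, bytes(range(16)), [attribute(ATTR_USER_NAME, b"houman")], b"123456", sign=False)

if __name__ == "__main__":
    print(verify_message_authenticator(SAMPLE_REQUEST, b"123456"))      # ok
    print(verify_message_authenticator(SAMPLE_REQUEST, b"testing123"))  # invalid
    print(verify_message_authenticator(UNSIGNED_REQUEST, b"123456"))    # missing
```

Two consequences follow from the construction. First, `require_message_authenticator = no` in clients.conf only governs the "missing" case; a Message-Authenticator that is present is still verified, so that setting cannot paper over a secret mismatch. Second, because the HMAC covers the entire packet, a wrong secret and a tampered attribute are indistinguishable to the server, which is why FreeRADIUS reports the failure as a probable shared-secret problem rather than pointing at a specific field.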