[strongSwan] swanctl.conf EAP credential information
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 29 19:31:24 CET 2017
Hi,
Please provide a log file created with the logger configuration from the HelpRequests[1] page
and the output of `swanctl --stats`.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 29.11.2017 19:27, bls s wrote:
>
> Curiously, if eap-user1 is at the end of the list, it authenticates correctly, but not if first or second in the list.
>
>
>
> From: bls s <bls3427@outlook.com>
> Sent: Tuesday, November 28, 2017 4:43 PM
> To: users@lists.strongswan.org
> Subject: [strongSwan] swanctl.conf EAP credential information
>
>
>
> I’m switching over from using ipsec.conf to charon-systemd. Everything is working for the first user, but I have run into a strange issue (or a dumb user error!) with the ‘secrets’ section when trying to implement multiple EAP passwords.
>
>
>
> If my secrets section has only one eap id/password in it, the client authenticates correctly. But, if the secrets section has more than one eap id/password in it, the MSCHAPv2 authentication fails.
>
>
>
> Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 works correctly. However, using the full secrets section below, user1 fails to authenticate.
>
>
>
> connections {
>     ikev2-eap-mschapv2 {
>         version = 2
>         # proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>         mobike = yes
>
>         local-1 {
>             certs = strongswanCert.pem
>             id = serverid1
>             auth = psk
>         }
>
>         remote-1 {
>             auth = eap-mschapv2
>             id = clientid1
>             eap_id = %any
>         }
>
>         children {
>             ikev2-eap-mschapv2 {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 # esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>                 # updown = /libexec/ipsec/_updown iptables
>             }
>         }
>     }
>
>     ikev2-pubkey {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>
>         local-1 {
>             certs = vpnHostCert.pem
>             id = server1
>         }
>
>         remote-1 { # defaults are fine
>         }
>
>         children {
>             ikev2-pubkey {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>             }
>         }
>     }
> }
>
> pools {
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3, 8.8.8.8
>     }
> }
>
> secrets {
>     ike-psk {
>         secret = somepsk
>     }
>     eap-user1@mydomain.com {
>         id = user1@mydomain.com
>         secret = secret1
>     }
>     eap-user2@mydomain.com {
>         id = user2@mydomain.com
>         secret = secret2
>     }
>     eap-user3@mydomain.com {
>         id = user3@mydomain.com
>         secret = secret3
>     }
> }
>
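For reference, here is an added swanctl.conf secrets section for several EAP-MSCHAPv2 users, written for this page and not taken from the original poster's file or from the strongSwan project. In swanctl.conf the text after the "eap-" prefix is only a unique label for the section; what the responder matches against the EAP identity sent by the client (any identity, given "eap_id = %any" in the connection above) is the "id" key, so the label does not have to repeat the username. The labels below deliberately contain no dots, because the strongswan.conf reference syntax (for example secrets.eap-user1.id) uses dots as path separators. The usernames, passwords and PSK are placeholders.

```conf
# Added example, not the poster's configuration.
# One "eap-<label>" section per user; <label> must be unique.
secrets {
    ike-psk {
        secret = somepsk
    }
    eap-user1 {
        # identity the client presents in EAP; several may be
        # listed as id1, id2, ... if one password serves them all
        id = user1@mydomain.com
        secret = secret1
    }
    eap-user2 {
        id = user2@mydomain.com
        secret = secret2
    }
    eap-user3 {
        id = user3@mydomain.com
        secret = secret3
    }
}
```

After editing, run `swanctl --load-creds`; it prints one "loaded eap secret '...'" line per EAP secret it accepted, which is a quick way to see whether every section was parsed before testing a client login.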