[strongSwan] swanctl.conf EAP credential information

bls s bls3427 at outlook.com
Wed Nov 29 20:13:57 CET 2017


Thanks. Here is swanctl --stats (after a service restart). Two charon-debug log files are attached, one with a successful connection (the userid in question at the end of the list) and one with a failed connection (the userid in question at the front of the list).



Xunil/var/log# swanctl --stats
uptime: 10 seconds, since Nov 29 11:11:07 2017
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 2564096, mmap 0, used 401792, free 2162304
loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-tls xauth-generic
Xunil/var/log#

From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
Sent: Wednesday, November 29, 2017 10:31 AM
To: bls s <bls3427 at outlook.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] swanctl.conf EAP credential information

Hi,

Please provide a log file created with the logger configuration from the HelpRequests[1] page
and the output of `swanctl --stats`.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 29.11.2017 19:27, bls s wrote:
>
> Curiously, if eap-user1 is at the end of the list, it authenticates correctly, but not if first or second in the list.
>
> *From: *bls s <bls3427 at outlook.com>
> *Sent: *Tuesday, November 28, 2017 4:43 PM
> *To: *users at lists.strongswan.org
> *Subject: *[strongSwan] swanctl.conf EAP credential information
>
> I'm switching over from using ipsec.conf to charon-systemd. Everything is working for the first user, but I have run into a strange issue (or a dumb user error!) with the 'secrets' section when trying to implement multiple EAP passwords.
>
> If my secrets section has only one EAP id/password in it, the client authenticates correctly. But if the secrets section has more than one EAP id/password in it, the MSCHAPv2 authentication fails.
>
> Here's the failing configuration. If I remove the 2nd and 3rd entries, user1 works correctly. However, using the full secrets section below, user1 fails to authenticate.
>
> connections {
>     ikev2-eap-mschapv2 {
>         version = 2
> #       proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>         mobike = yes
>
>         local-1 {
>             certs = strongswanCert.pem
>             id = serverid1
>             auth = psk
>         }
>
>         remote-1 {
>             auth = eap-mschapv2
>             id = clientid1
>             eap_id = %any
>         }
>
>         children {
>             ikev2-eap-mschapv2 {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
> #               esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
> #               updown = /libexec/ipsec/_updown iptables
>             }
>         }
>     }
>
>     ikev2-pubkey {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>
>         local-1 {
>             certs = vpnHostCert.pem
>             id = server1
>         }
>
>         remote-1 {   # defaults are fine
>         }
>
>         children {
>             ikev2-pubkey {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>             }
>         }
>     }
> }
>
> pools {
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3, 8.8.8.8
>     }
> }
>
> secrets {
>     ike-psk {
>         secret = somepsk
>     }
>     eap-user1@mydomain.com {
>         id = user1@mydomain.com
>         secret = secret1
>     }
>     eap-user2@mydomain.com {
>         id = user2@mydomain.com
>         secret = secret2
>     }
>     eap-user3@mydomain.com {
>         id = user3@mydomain.com
>         secret = secret3
>     }
> }
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171129/560aaa77/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon-debug-authfail.log
Type: application/octet-stream
Size: 22477 bytes
Desc: charon-debug-authfail.log
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171129/560aaa77/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon-debug-authOK.log
Type: application/octet-stream
Size: 28585 bytes
Desc: charon-debug-authOK.log
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171129/560aaa77/attachment-0003.obj>
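Added example, not part of the original thread and not code from the strongSwan project: the same three EAP secrets from the quoted post, written with plain section-name suffixes. In swanctl.conf each EAP secret lives in a section whose name starts with "eap" followed by a unique suffix; that suffix is only a label, and the "id" key is what charon compares with the EAP identity the client sends (eap_id = %any in the connection above accepts any identity and looks it up here). It is an assumption of this example that keeping the e-mail address out of the section name and only in "id" is the intended layout; the user names and passwords are the placeholders from the post.

```conf
# Added example (not from the original thread): swanctl.conf secrets block
# with one section per EAP user. Section-name suffixes are plain labels;
# the client's EAP identity is matched against the "id" key, not the name.
secrets {
    ike-psk {
        secret = somepsk
    }
    eap-user1 {
        # matched against the EAP identity the client presents
        id = user1@mydomain.com
        secret = secret1
    }
    eap-user2 {
        id = user2@mydomain.com
        secret = secret2
    }
    eap-user3 {
        id = user3@mydomain.com
        secret = secret3
    }
}
```

After editing, `swanctl --load-creds` reloads the secrets without restarting charon and reports each secret it loaded, so a user that is silently dropped shows up there before any client test. Because EAP-MSCHAPv2 needs the cleartext password (or its NT hash) on the server, this file holds the passwords as-is and must stay readable by root only.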

