[strongSwan] Strongswan + IKEv2 + eap-radius accounting issue

Konstantin Votinov votinov at protonmail.com
Sun Sep 23 17:36:34 CEST 2018 

Hi all,

I am having issues with eap-radius plugin when "accounting = yes" is set.

I have IPSec and IKEv2 connections set up in Strongswan.

IPSec(conn IKEv1-PSK-XAuth) works correctly whether accounting is set to "no" or "yes"

IKEv2(conn ikev2-mschapv2-apple) doesn't connect with accounting set to "yes", but connects with accounting set to "no"

I've tried to increase the timeout, but it didn't worked.
Below is the log for IKEv2 connection attempt:

Sep 23 15:21:35 07[NET] received packet: from this.is.my.ip[33584] to this.is.server.ip[500] (304 bytes)
Sep 23 15:21:35 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 23 15:21:35 07[IKE] this.is.my.ip is initiating an IKE_SA
Sep 23 15:21:35 07[IKE] remote host is behind NAT
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
Sep 23 15:21:35 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
Sep 23 15:21:35 07[NET] sending packet: from this.is.server.ip[500] to this.is.my.ip[33584] (385 bytes)
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (348 bytes)
Sep 23 15:21:35 10[ENC] unknown attribute type (25)
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Sep 23 15:21:35 10[CFG] looking for peer configs matching this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:35 10[CFG] selected peer config 'ikev2-mschapv2-apple'
Sep 23 15:21:35 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 23 15:21:35 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 15:21:35 10[IKE] peer supports MOBIKE
Sep 23 15:21:35 10[IKE] authentication of 'ikev2.mydomain.net' (myself) with RSA signature successful
Sep 23 15:21:35 10[IKE] sending end entity cert "C=IL, CN=ikev2.mydomain.net"
Sep 23 15:21:35 10[IKE] sending issuer cert "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Sep 23 15:21:35 10[ENC] splitting IKE message with length of 3660 bytes into 4 fragments
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(1/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(2/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(3/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(4/4) ]
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (112 bytes)
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif'
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01)
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (92 bytes)
Sep 23 15:21:35 08[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 15:21:35 08[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (108 bytes)
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (140 bytes)
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (124 bytes)
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
Sep 23 15:21:35 10[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 10[CFG] received RADIUS Access-Accept from server 'radiusServer'
Sep 23 15:21:35 10[IKE] RADIUS authentication of 'ligykpif' successful
Sep 23 15:21:35 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
Sep 23 15:21:36 15[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
Sep 23 15:21:36 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
Sep 23 15:21:36 15[IKE] authentication of '192.168.1.137' with EAP successful
Sep 23 15:21:36 15[IKE] authentication of 'ikev2.mydomain.net' (myself) with EAP
Sep 23 15:21:36 15[IKE] IKE_SA ikev2-mschapv2-apple[2] established between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any
Sep 23 15:21:36 15[CFG] reassigning offline lease to 'ligykpif'
Sep 23 15:21:36 15[IKE] assigning virtual IP 10.0.12.1 to peer 'ligykpif'
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any6
Sep 23 15:21:36 15[IKE] no virtual IP found for %any6 requested by 'ligykpif'
Sep 23 15:21:36 15[IKE] CHILD_SA ikev2-mschapv2-apple{2} established with SPIs c8cc7f31_i 0164b11e_o and TS 0.0.0.0/0 ::/0 === 10.0.12.1/32
Sep 23 15:21:36 15[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
Sep 23 15:21:38 15[CFG] retransmit 1 of RADIUS Accounting-Request (timeout: 2.8s)
Sep 23 15:21:40 15[CFG] retransmit 2 of RADIUS Accounting-Request (timeout: 3.9s)
Sep 23 15:21:44 15[CFG] retransmit 3 of RADIUS Accounting-Request (timeout: 5.5s)
Sep 23 15:21:46 16[MGR] ignoring request with ID 6, already processing
Sep 23 15:21:50 15[CFG] RADIUS Accounting-Request timed out after 4 attempts
Sep 23 15:21:50 15[CFG] deleting IKE_SA after RADIUS timeout
Sep 23 15:21:50 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sep 23 15:21:50 15[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (284 bytes)
Sep 23 15:21:50 13[IKE] deleting IKE_SA ikev2-mschapv2-apple[2] between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:50 13[IKE] sending DELETE for IKE_SA ikev2-mschapv2-apple[2]
Sep 23 15:21:50 13[ENC] generating INFORMATIONAL request 0 [ D ]
Sep 23 15:21:50 13[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
Sep 23 15:21:50 16[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:50 16[ENC] parsed INFORMATIONAL response 0 [ ]
Sep 23 15:21:50 16[IKE] IKE_SA deleted
Sep 23 15:21:50 16[CFG] sending RADIUS Accounting-Request to server 'radiusServer'

ipsec.conf is as follows:

config setup
  uniqueids=no
  charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%defaultroute
  leftfirewall=yes
  right=%any
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  auto=add

conn L2TP-IKEv1-PSK
  type=transport
  keyexchange=ikev1
  authby=secret
  leftprotoport=udp/l2tp
  left=%any
  right=%any
  rekey=no
  forceencaps=yes

conn Non-L2TP
  leftsubnet=0.0.0.0/0
  rightsubnet=10.0.2.0/24
  rightsourceip=10.0.2.0/24

# Cisco IPSec
conn IKEv1-PSK-XAuth
  also=Non-L2TP
  keyexchange=ikev1
  leftauth=psk
  rightauth=psk
  rightauth2=xauth-radius

conn ikev2-mschapv2
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    keyexchange=ikev2
    auto=add
    reauth=no
    fragmentation=yes
    leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    eap_identity=%identity
    rightsubnet=10.0.12.0/24
    rightsourceip=10.0.12.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius

# Apple clients usually goes here
conn ikev2-mschapv2-apple
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    keyexchange=ikev2
    auto=add
    reauth=no
    fragmentation=yes
    leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    eap_identity=%identity
    rightsubnet=10.0.12.0/24
    rightsourceip=10.0.12.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    leftid=ikev2.mydomain.net

strongswan.conf is below:

charon {
  use_ipv6 = no
  load_modular = yes
  send_vendor_id = yes
       filelog {
               /var/log/strongswan.charon.log {
                   time_format = %b %e %T
                   default = 1
                   append = no
                   flush_line = yes
               }
       }

  plugins {
          eap-radius {
                station_id_with_port = no
               accounting = yes
               servers {
                  radiusServer {
                        nas_identifer = this.is.server.ip
                       secret = radiuspassword
                       address = radius.server.ip
                       auth_port = 1812   # default
                       acct_port = 1812   # default
                   }

               }
          }
    include strongswan.d/charon/*.conf
    attr {
      dns = 8.8.8.8, 8.8.4.4
    }
  }
}
include strongswan.d/*.conf

I am really out of the ideas on what can cause the issue.
Maybe someone had a similar problem?
Any help will be appreciated!

Thanks in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180923/79ce2834/attachment-0001.html>

More information about the Users mailing list