[strongSwan] Strongswan + IKEv2 + eap-radius accounting issue

Nikola Kolev nikky at minus273.org
Sun Sep 23 21:15:32 CEST 2018


Hi,

It seems that you have set both auth_port and acct_port to 1812, while acct_port should be udp/1813. Can you please check if changing that fixes the issue?

Nikola
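
As an added illustration of what the plugin is doing when the log says "sending RADIUS Accounting-Request" (this is example code written for this page, not strongSwan's eap-radius plugin): it builds an RFC 2866 Accounting-Request with the Request Authenticator, shows the server-side check and the Response Authenticator check a client must make, and can send one probe to a RADIUS server to confirm that the port configured as acct_port actually answers accounting traffic. The server address, shared secret, NAS identifier and user name are the placeholders from the post below and are assumptions.

```python
"""RFC 2866 accounting probe (added example, not strongSwan code).

A RADIUS server that receives an Accounting-Request on its authentication
port, or with a wrong shared secret, discards it silently; the client then
sees only retransmits and a timeout, which is what the log in the thread
shows. Sending one Accounting-Start to the configured acct_port tells the
two cases apart. Host, secret and user below are assumptions.
"""
import hashlib
import os
import socket
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def encode_attrs(attrs):
    """attrs: list of (type, value bytes). TLV: type(1) length(1, incl. header) value."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(blob):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", blob[i:i + 2])
        if l < 2 or i + l > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs


def build_acct_request(secret, ident, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_acct_request(pkt, secret):
    """Server-side check; a secret mismatch fails here and the server drops the packet."""
    if len(pkt) < 20 or pkt[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return expected == pkt[4:20]


def build_acct_response(request, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_acct_response(response, request, secret):
    """Client-side check: the reply must match our request ID, its authenticator and the secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def probe(server, secret, port=1813, user=b"ligykpif", timeout=3.0):
    """Send one Accounting-Start; report 'ok', a bad authenticator, or a timeout.
    Pointing this at udp/1812 reproduces the misconfiguration from the thread."""
    req = build_acct_request(secret, os.urandom(1)[0], [
        (ATTR_USER_NAME, user),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        (ATTR_ACCT_SESSION_ID, os.urandom(8).hex().encode()),
        (ATTR_NAS_IDENTIFIER, b"ikev2.mydomain.net"),  # assumed NAS-Identifier
    ])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: no Accounting-Response (wrong port, firewall, or secret mismatch)"
    return "ok" if verify_acct_response(resp, req, secret) else "bad Response Authenticator"


if __name__ == "__main__":
    print(probe("radius.server.ip", b"radiuspassword", port=1813))  # placeholders from the post
```

Run the probe once against port 1813 and once against port 1812 on the same server: the first should return "ok", the second will time out, because an authentication listener does not answer packet code 4. The only thing binding the reply to the request is the MD5 over the shared secret, so use a long random secret and restrict udp/1812 and udp/1813 on the RADIUS host to the addresses of the NAS (here the strongSwan gateway).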

September 23, 2018 8:36 AM, "Konstantin Votinov" <votinov at protonmail.com> wrote:
Hi all,
I am having issues with the eap-radius plugin when "accounting = yes" is set.
I have IPsec and IKEv2 connections set up in strongSwan.
IPsec (conn IKEv1-PSK-XAuth) works correctly whether accounting is set to "no" or "yes".
IKEv2 (conn ikev2-mschapv2-apple) doesn't connect with accounting set to "yes", but connects with accounting set to "no".
I've tried to increase the timeout, but it didn't work.
Below is the log for IKEv2 connection attempt: 
Sep 23 15:21:35 07[NET] received packet: from this.is.my.ip[33584] to this.is.server.ip[500] (304 bytes) 
Sep 23 15:21:35 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 
Sep 23 15:21:35 07[IKE] this.is.my.ip is initiating an IKE_SA 
Sep 23 15:21:35 07[IKE] remote host is behind NAT 
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority" 
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA" 
Sep 23 15:21:35 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ] 
Sep 23 15:21:35 07[NET] sending packet: from this.is.server.ip[500] to this.is.my.ip[33584] (385 bytes) 
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (348 bytes) 
Sep 23 15:21:35 10[ENC] unknown attribute type (25) 
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ] 
Sep 23 15:21:35 10[CFG] looking for peer configs matching this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137] 
Sep 23 15:21:35 10[CFG] selected peer config 'ikev2-mschapv2-apple' 
Sep 23 15:21:35 10[IKE] initiating EAP_IDENTITY method (id 0x00) 
Sep 23 15:21:35 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
Sep 23 15:21:35 10[IKE] peer supports MOBIKE 
Sep 23 15:21:35 10[IKE] authentication of 'ikev2.mydomain.net' (myself) with RSA signature successful 
Sep 23 15:21:35 10[IKE] sending end entity cert "C=IL, CN=ikev2.mydomain.net" 
Sep 23 15:21:35 10[IKE] sending issuer cert "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA" 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ] 
Sep 23 15:21:35 10[ENC] splitting IKE message with length of 3660 bytes into 4 fragments 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(1/4) ] 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(2/4) ] 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(3/4) ] 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(4/4) ] 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes) 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes) 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes) 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (112 bytes) 
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes) 
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ] 
Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif' 
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer' 
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer' 
Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01) 
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ] 
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (92 bytes) 
Sep 23 15:21:35 08[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes) 
Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ] 
Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer' 
Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 'radiusServer' 
Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ] 
Sep 23 15:21:35 08[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (108 bytes) 
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (140 bytes) 
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ] 
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer' 
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer' 
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ] 
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (124 bytes) 
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes) 
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ] 
Sep 23 15:21:35 10[CFG] sending RADIUS Access-Request to server 'radiusServer' 
Sep 23 15:21:35 10[CFG] received RADIUS Access-Accept from server 'radiusServer' 
Sep 23 15:21:35 10[IKE] RADIUS authentication of 'ligykpif' successful 
Sep 23 15:21:35 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ] 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes) 
Sep 23 15:21:36 15[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes) 
Sep 23 15:21:36 15[ENC] parsed IKE_AUTH request 6 [ AUTH ] 
Sep 23 15:21:36 15[IKE] authentication of '192.168.1.137' with EAP successful 
Sep 23 15:21:36 15[IKE] authentication of 'ikev2.mydomain.net' (myself) with EAP 
Sep 23 15:21:36 15[IKE] IKE_SA ikev2-mschapv2-apple[2] established between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137] 
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any 
Sep 23 15:21:36 15[CFG] reassigning offline lease to 'ligykpif' 
Sep 23 15:21:36 15[IKE] assigning virtual IP 10.0.12.1 to peer 'ligykpif' 
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any6 
Sep 23 15:21:36 15[IKE] no virtual IP found for %any6 requested by 'ligykpif' 
Sep 23 15:21:36 15[IKE] CHILD_SA ikev2-mschapv2-apple{2} established with SPIs c8cc7f31_i 0164b11e_o and TS 0.0.0.0/0 ::/0 === 10.0.12.1/32 
Sep 23 15:21:36 15[CFG] sending RADIUS Accounting-Request to server 'radiusServer' 
Sep 23 15:21:38 15[CFG] retransmit 1 of RADIUS Accounting-Request (timeout: 2.8s) 
Sep 23 15:21:40 15[CFG] retransmit 2 of RADIUS Accounting-Request (timeout: 3.9s) 
Sep 23 15:21:44 15[CFG] retransmit 3 of RADIUS Accounting-Request (timeout: 5.5s) 
Sep 23 15:21:46 16[MGR] ignoring request with ID 6, already processing 
Sep 23 15:21:50 15[CFG] RADIUS Accounting-Request timed out after 4 attempts 
Sep 23 15:21:50 15[CFG] deleting IKE_SA after RADIUS timeout 
Sep 23 15:21:50 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] 
Sep 23 15:21:50 15[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (284 bytes) 
Sep 23 15:21:50 13[IKE] deleting IKE_SA ikev2-mschapv2-apple[2] between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137] 
Sep 23 15:21:50 13[IKE] sending DELETE for IKE_SA ikev2-mschapv2-apple[2] 
Sep 23 15:21:50 13[ENC] generating INFORMATIONAL request 0 [ D ] 
Sep 23 15:21:50 13[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes) 
Sep 23 15:21:50 16[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes) 
Sep 23 15:21:50 16[ENC] parsed INFORMATIONAL response 0 [ ] 
Sep 23 15:21:50 16[IKE] IKE_SA deleted 
Sep 23 15:21:50 16[CFG] sending RADIUS Accounting-Request to server 'radiusServer' 
ipsec.conf is as follows:

config setup
    uniqueids=no
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftfirewall=yes
    right=%any
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    auto=add

conn L2TP-IKEv1-PSK
    type=transport
    keyexchange=ikev1
    authby=secret
    leftprotoport=udp/l2tp
    left=%any
    right=%any
    rekey=no
    forceencaps=yes

conn Non-L2TP
    leftsubnet=0.0.0.0/0
    rightsubnet=10.0.2.0/24
    rightsourceip=10.0.2.0/24

# Cisco IPSec
conn IKEv1-PSK-XAuth
    also=Non-L2TP
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius

conn ikev2-mschapv2
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    keyexchange=ikev2
    auto=add
    reauth=no
    fragmentation=yes
    leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    eap_identity=%identity
    rightsubnet=10.0.12.0/24
    rightsourceip=10.0.12.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius

# Apple clients usually go here
conn ikev2-mschapv2-apple
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    keyexchange=ikev2
    auto=add
    reauth=no
    fragmentation=yes
    leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    eap_identity=%identity
    rightsubnet=10.0.12.0/24
    rightsourceip=10.0.12.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    leftid=ikev2.mydomain.net

strongswan.conf is below:

charon {
    use_ipv6 = no
    load_modular = yes
    send_vendor_id = yes
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 1
            append = no
            flush_line = yes
        }
    }
    plugins {
        eap-radius {
            station_id_with_port = no
            accounting = yes
            servers {
                radiusServer {
                    nas_identifier = this.is.server.ip
                    secret = radiuspassword
                    address = radius.server.ip
                    auth_port = 1812 # default
                    acct_port = 1812 # default
                }
            }
        }
        include strongswan.d/charon/*.conf
        attr {
            dns = 8.8.8.8, 8.8.4.4
        }
    }
}
include strongswan.d/*.conf
I am really out of ideas about what can cause the issue.
Maybe someone had a similar problem?
Any help will be appreciated!
Thanks in advance!
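
The eap-radius server block from the post with the accounting port as posted beside the corrected value, added here as an example; it is not part of the original mail. The server name, address, secret and NAS identifier are the placeholders used in the post. With accounting = yes the plugin sends an Accounting-Request once the CHILD_SA is up and, as the log shows ("deleting IKE_SA after RADIUS timeout"), tears the IKE_SA down when that request gets no answer, so a dead accounting port breaks every connection that uses eap-radius.

```conf
charon {
    plugins {
        eap-radius {
            accounting = yes
            servers {
                radiusServer {
                    address = radius.server.ip
                    secret = radiuspassword
                    nas_identifier = ikev2.mydomain.net
                    # Authentication: Access-Request / Access-Challenge / Access-Accept (RFC 2865)
                    auth_port = 1812
                    # Accounting: Accounting-Request / Accounting-Response (RFC 2866).
                    # As posted (wrong): accounting packets go to the authentication port,
                    # are never answered, and the IKE_SA is deleted after the RADIUS timeout.
                    # acct_port = 1812
                    # Corrected; udp/1813 is also the plugin's default, so the line can be dropped.
                    acct_port = 1813
                }
            }
        }
    }
}
```

To check the RADIUS side before restarting charon: on the RADIUS host confirm a listener on udp/1813 (`ss -lunp`), and from the strongSwan host send a test Accounting-Start with FreeRADIUS' radclient, for example `echo "User-Name=ligykpif,Acct-Status-Type=Start,Acct-Session-Id=test1" | radclient -x radius.server.ip:1813 acct radiuspassword`; a "Received Accounting-Response" line confirms both the port and the shared secret. Make sure any firewall between the two hosts allows udp/1813 as well as udp/1812.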