[strongSwan] Strongswan + IKEv2 + eap-radius accounting issue
Nikola Kolev
nikky at minus273.org
Sun Sep 23 21:15:32 CEST 2018
Hi,
It seems that you have set both auth_port and acct_port to 1812, while acct_port should be udp/1813. Can you please check if changing that fixes the issue?
Nikola
September 23, 2018 8:36 AM, "Konstantin Votinov" <votinov at protonmail.com (mailto:votinov at protonmail.com?to=%22Konstantin%20Votinov%22%20<votinov at protonmail.com>)> wrote:
Hi all,
I am having issues with eap-radius plugin when "accounting = yes" is set.
I have IPSec and IKEv2 connections set up in Strongswan.
IPSec(conn IKEv1-PSK-XAuth) works correctly whether accounting is set to "no" or "yes"
IKEv2(conn ikev2-mschapv2-apple) doesn't connect with accounting set to "yes", but connects with accounting set to "no"
I've tried to increase the timeout, but it didn't worked.
Below is the log for IKEv2 connection attempt:
Sep 23 15:21:35 07[NET] received packet: from this.is.my.ip[33584] to this.is.server.ip[500] (304 bytes)
Sep 23 15:21:35 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 23 15:21:35 07[IKE] this.is.my.ip is initiating an IKE_SA
Sep 23 15:21:35 07[IKE] remote host is behind NAT
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
Sep 23 15:21:35 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
Sep 23 15:21:35 07[NET] sending packet: from this.is.server.ip[500] to this.is.my.ip[33584] (385 bytes)
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (348 bytes)
Sep 23 15:21:35 10[ENC] unknown attribute type (25)
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Sep 23 15:21:35 10[CFG] looking for peer configs matching this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:35 10[CFG] selected peer config 'ikev2-mschapv2-apple'
Sep 23 15:21:35 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 23 15:21:35 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 15:21:35 10[IKE] peer supports MOBIKE
Sep 23 15:21:35 10[IKE] authentication of 'ikev2.mydomain.net' (myself) with RSA signature successful
Sep 23 15:21:35 10[IKE] sending end entity cert "C=IL, CN=ikev2.mydomain.net"
Sep 23 15:21:35 10[IKE] sending issuer cert "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Sep 23 15:21:35 10[ENC] splitting IKE message with length of 3660 bytes into 4 fragments
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(1/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(2/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(3/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(4/4) ]
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (112 bytes)
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif'
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01)
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (92 bytes)
Sep 23 15:21:35 08[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 15:21:35 08[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (108 bytes)
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (140 bytes)
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (124 bytes)
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
Sep 23 15:21:35 10[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 10[CFG] received RADIUS Access-Accept from server 'radiusServer'
Sep 23 15:21:35 10[IKE] RADIUS authentication of 'ligykpif' successful
Sep 23 15:21:35 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
Sep 23 15:21:36 15[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
Sep 23 15:21:36 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
Sep 23 15:21:36 15[IKE] authentication of '192.168.1.137' with EAP successful
Sep 23 15:21:36 15[IKE] authentication of 'ikev2.mydomain.net' (myself) with EAP
Sep 23 15:21:36 15[IKE] IKE_SA ikev2-mschapv2-apple[2] established between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any
Sep 23 15:21:36 15[CFG] reassigning offline lease to 'ligykpif'
Sep 23 15:21:36 15[IKE] assigning virtual IP 10.0.12.1 to peer 'ligykpif'
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any6
Sep 23 15:21:36 15[IKE] no virtual IP found for %any6 requested by 'ligykpif'
Sep 23 15:21:36 15[IKE] CHILD_SA ikev2-mschapv2-apple{2} established with SPIs c8cc7f31_i 0164b11e_o and TS 0.0.0.0/0 ::/0 === 10.0.12.1/32
Sep 23 15:21:36 15[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
Sep 23 15:21:38 15[CFG] retransmit 1 of RADIUS Accounting-Request (timeout: 2.8s)
Sep 23 15:21:40 15[CFG] retransmit 2 of RADIUS Accounting-Request (timeout: 3.9s)
Sep 23 15:21:44 15[CFG] retransmit 3 of RADIUS Accounting-Request (timeout: 5.5s)
Sep 23 15:21:46 16[MGR] ignoring request with ID 6, already processing
Sep 23 15:21:50 15[CFG] RADIUS Accounting-Request timed out after 4 attempts
Sep 23 15:21:50 15[CFG] deleting IKE_SA after RADIUS timeout
Sep 23 15:21:50 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sep 23 15:21:50 15[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (284 bytes)
Sep 23 15:21:50 13[IKE] deleting IKE_SA ikev2-mschapv2-apple[2] between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:50 13[IKE] sending DELETE for IKE_SA ikev2-mschapv2-apple[2]
Sep 23 15:21:50 13[ENC] generating INFORMATIONAL request 0 [ D ]
Sep 23 15:21:50 13[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
Sep 23 15:21:50 16[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:50 16[ENC] parsed INFORMATIONAL response 0 [ ]
Sep 23 15:21:50 16[IKE] IKE_SA deleted
Sep 23 15:21:50 16[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
ipsec.conf is as follows:
config setup
uniqueids=no
charondebug="cfg 2, dmn 2, ike 2, net 0"
conn %default
dpdaction=clear
dpddelay=300s
rekey=no
left=%defaultroute
leftfirewall=yes
right=%any
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
auto=add
conn L2TP-IKEv1-PSK
type=transport
keyexchange=ikev1
authby=secret
leftprotoport=udp/l2tp
left=%any
right=%any
rekey=no
forceencaps=yes
conn Non-L2TP
leftsubnet=0.0.0.0/0
rightsubnet=10.0.2.0/24
rightsourceip=10.0.2.0/24
# Cisco IPSec
conn IKEv1-PSK-XAuth
also=Non-L2TP
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth-radius
conn ikev2-mschapv2
ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
keyexchange=ikev2
auto=add
reauth=no
fragmentation=yes
leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
leftsendcert=always
leftsubnet=0.0.0.0/0
eap_identity=%identity
rightsubnet=10.0.12.0/24
rightsourceip=10.0.12.0/24
rightdns=8.8.8.8
rightauth=eap-radius
# Apple clients usually goes here
conn ikev2-mschapv2-apple
ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
keyexchange=ikev2
auto=add
reauth=no
fragmentation=yes
leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
eap_identity=%identity
rightsubnet=10.0.12.0/24
rightsourceip=10.0.12.0/24
rightdns=8.8.8.8
rightauth=eap-radius
leftid=ikev2.mydomain.net
strongswan.conf is below:
charon {
use_ipv6 = no
load_modular = yes
send_vendor_id = yes
filelog {
/var/log/strongswan.charon.log {
time_format = %b %e %T
default = 1
append = no
flush_line = yes
}
}
plugins {
eap-radius {
station_id_with_port = no
accounting = yes
servers {
radiusServer {
nas_identifer = this.is.server.ip
secret = radiuspassword
address = radius.server.ip
auth_port = 1812 # default
acct_port = 1812 # default
}
}
}
include strongswan.d/charon/*.conf
attr {
dns = 8.8.8.8, 8.8.4.4
}
}
}
include strongswan.d/*.conf
I am really out of the ideas on what can cause the issue.
Maybe someone had a similar problem?
Any help will be appreciated!
Thanks in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180923/a29240c0/attachment.html>
More information about the Users
mailing list