[strongSwan] Strongswan + IKEv2 + eap-radius accounting issue

Konstantin Votinov votinov at protonmail.com
Mon Sep 24 10:08:10 CEST 2018


Hi Nikola,

Thank you for pointing that out - I've just forgotten to set it back to 1813 after trying to debug (yup, I've tried even that :) )

That being said, the problem persists with the correct accounting port (1813) and doesn't seem to be related to it.

Regards,
Konstantin.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, September 23, 2018 9:15 PM, Nikola Kolev <nikky at minus273.org> wrote:

> Hi,
>
> It seems that you have set both auth_port and acct_port to 1812, while acct_port should be udp/1813. Can you please check if changing that fixes the issue?
>
> Nikola
>
> September 23, 2018 8:36 AM, "Konstantin Votinov" <votinov at protonmail.com> wrote:
>
>> Hi all,
>>
>> I am having issues with eap-radius plugin when "accounting = yes" is set.
>>
>> I have IPSec and IKEv2 connections set up in Strongswan.
>>
>> IPSec (conn IKEv1-PSK-XAuth) works correctly whether accounting is set to "no" or "yes".
>>
>> IKEv2 (conn ikev2-mschapv2-apple) doesn't connect with accounting set to "yes", but connects with accounting set to "no".
>>
>> I've tried to increase the timeout, but it didn't work.
>> Below is the log for IKEv2 connection attempt:
>>
>> Sep 23 15:21:35 07[NET] received packet: from this.is.my.ip[33584] to this.is.server.ip[500] (304 bytes)
>> Sep 23 15:21:35 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>> Sep 23 15:21:35 07[IKE] this.is.my.ip is initiating an IKE_SA
>> Sep 23 15:21:35 07[IKE] remote host is behind NAT
>> Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
>> Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
>> Sep 23 15:21:35 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
>> Sep 23 15:21:35 07[NET] sending packet: from this.is.server.ip[500] to this.is.my.ip[33584] (385 bytes)
>> Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (348 bytes)
>> Sep 23 15:21:35 10[ENC] unknown attribute type (25)
>> Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
>> Sep 23 15:21:35 10[CFG] looking for peer configs matching this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
>> Sep 23 15:21:35 10[CFG] selected peer config 'ikev2-mschapv2-apple'
>> Sep 23 15:21:35 10[IKE] initiating EAP_IDENTITY method (id 0x00)
>> Sep 23 15:21:35 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> Sep 23 15:21:35 10[IKE] peer supports MOBIKE
>> Sep 23 15:21:35 10[IKE] authentication of 'ikev2.mydomain.net' (myself) with RSA signature successful
>> Sep 23 15:21:35 10[IKE] sending end entity cert "C=IL, CN=ikev2.mydomain.net"
>> Sep 23 15:21:35 10[IKE] sending issuer cert "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
>> Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
>> Sep 23 15:21:35 10[ENC] splitting IKE message with length of 3660 bytes into 4 fragments
>> Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(1/4) ]
>> Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(2/4) ]
>> Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(3/4) ]
>> Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(4/4) ]
>> Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
>> Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
>> Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
>> Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (112 bytes)
>> Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
>> Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
>> Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif'
>> Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
>> Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
>> Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01)
>> Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
>> Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (92 bytes)
>> Sep 23 15:21:35 08[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
>> Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
>> Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer'
>> Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 'radiusServer'
>> Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
>> Sep 23 15:21:35 08[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (108 bytes)
>> Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (140 bytes)
>> Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
>> Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
>> Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
>> Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
>> Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (124 bytes)
>> Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
>> Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
>> Sep 23 15:21:35 10[CFG] sending RADIUS Access-Request to server 'radiusServer'
>> Sep 23 15:21:35 10[CFG] received RADIUS Access-Accept from server 'radiusServer'
>> Sep 23 15:21:35 10[IKE] RADIUS authentication of 'ligykpif' successful
>> Sep 23 15:21:35 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
>> Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
>> Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
>> Sep 23 15:21:36 15[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
>> Sep 23 15:21:36 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
>> Sep 23 15:21:36 15[IKE] authentication of '192.168.1.137' with EAP successful
>> Sep 23 15:21:36 15[IKE] authentication of 'ikev2.mydomain.net' (myself) with EAP
>> Sep 23 15:21:36 15[IKE] IKE_SA ikev2-mschapv2-apple[2] established between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
>> Sep 23 15:21:36 15[IKE] peer requested virtual IP %any
>> Sep 23 15:21:36 15[CFG] reassigning offline lease to 'ligykpif'
>> Sep 23 15:21:36 15[IKE] assigning virtual IP 10.0.12.1 to peer 'ligykpif'
>> Sep 23 15:21:36 15[IKE] peer requested virtual IP %any6
>> Sep 23 15:21:36 15[IKE] no virtual IP found for %any6 requested by 'ligykpif'
>> Sep 23 15:21:36 15[IKE] CHILD_SA ikev2-mschapv2-apple{2} established with SPIs c8cc7f31_i 0164b11e_o and TS 0.0.0.0/0 ::/0 === 10.0.12.1/32
>> Sep 23 15:21:36 15[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
>> Sep 23 15:21:38 15[CFG] retransmit 1 of RADIUS Accounting-Request (timeout: 2.8s)
>> Sep 23 15:21:40 15[CFG] retransmit 2 of RADIUS Accounting-Request (timeout: 3.9s)
>> Sep 23 15:21:44 15[CFG] retransmit 3 of RADIUS Accounting-Request (timeout: 5.5s)
>> Sep 23 15:21:46 16[MGR] ignoring request with ID 6, already processing
>> Sep 23 15:21:50 15[CFG] RADIUS Accounting-Request timed out after 4 attempts
>> Sep 23 15:21:50 15[CFG] deleting IKE_SA after RADIUS timeout
>> Sep 23 15:21:50 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>> Sep 23 15:21:50 15[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (284 bytes)
>> Sep 23 15:21:50 13[IKE] deleting IKE_SA ikev2-mschapv2-apple[2] between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
>> Sep 23 15:21:50 13[IKE] sending DELETE for IKE_SA ikev2-mschapv2-apple[2]
>> Sep 23 15:21:50 13[ENC] generating INFORMATIONAL request 0 [ D ]
>> Sep 23 15:21:50 13[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
>> Sep 23 15:21:50 16[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
>> Sep 23 15:21:50 16[ENC] parsed INFORMATIONAL response 0 [ ]
>> Sep 23 15:21:50 16[IKE] IKE_SA deleted
>> Sep 23 15:21:50 16[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
>>
>> ipsec.conf is as follows:
>>
>> config setup
>>     uniqueids=no
>>     charondebug="cfg 2, dmn 2, ike 2, net 0"
>>
>> conn %default
>>     dpdaction=clear
>>     dpddelay=300s
>>     rekey=no
>>     left=%defaultroute
>>     leftfirewall=yes
>>     right=%any
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     auto=add
>>
>> conn L2TP-IKEv1-PSK
>>     type=transport
>>     keyexchange=ikev1
>>     authby=secret
>>     leftprotoport=udp/l2tp
>>     left=%any
>>     right=%any
>>     rekey=no
>>     forceencaps=yes
>>
>> conn Non-L2TP
>>     leftsubnet=0.0.0.0/0
>>     rightsubnet=10.0.2.0/24
>>     rightsourceip=10.0.2.0/24
>>
>> # Cisco IPSec
>> conn IKEv1-PSK-XAuth
>>     also=Non-L2TP
>>     keyexchange=ikev1
>>     leftauth=psk
>>     rightauth=psk
>>     rightauth2=xauth-radius
>>
>> conn ikev2-mschapv2
>>     ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
>>     esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
>>     keyexchange=ikev2
>>     auto=add
>>     reauth=no
>>     fragmentation=yes
>>     leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
>>     leftsendcert=always
>>     leftsubnet=0.0.0.0/0
>>     eap_identity=%identity
>>     rightsubnet=10.0.12.0/24
>>     rightsourceip=10.0.12.0/24
>>     rightdns=8.8.8.8
>>     rightauth=eap-radius
>>
>> # Apple clients usually go here
>> conn ikev2-mschapv2-apple
>>     ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
>>     esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
>>     keyexchange=ikev2
>>     auto=add
>>     reauth=no
>>     fragmentation=yes
>>     leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
>>     leftsendcert=always
>>     leftsubnet=0.0.0.0/0,::/0
>>     eap_identity=%identity
>>     rightsubnet=10.0.12.0/24
>>     rightsourceip=10.0.12.0/24
>>     rightdns=8.8.8.8
>>     rightauth=eap-radius
>>     leftid=ikev2.mydomain.net
>>
>> strongswan.conf is below:
>>
>> charon {
>>     use_ipv6 = no
>>     load_modular = yes
>>     send_vendor_id = yes
>>     filelog {
>>         /var/log/strongswan.charon.log {
>>             time_format = %b %e %T
>>             default = 1
>>             append = no
>>             flush_line = yes
>>         }
>>     }
>>
>>     plugins {
>>         eap-radius {
>>             station_id_with_port = no
>>             accounting = yes
>>             servers {
>>                 radiusServer {
>>                     nas_identifier = this.is.server.ip
>>                     secret = radiuspassword
>>                     address = radius.server.ip
>>                     auth_port = 1812 # default
>>                     acct_port = 1812 # default
>>                 }
>>
>>             }
>>         }
>>         include strongswan.d/charon/*.conf
>>         attr {
>>             dns = 8.8.8.8, 8.8.4.4
>>         }
>>     }
>> }
>> include strongswan.d/*.conf
>>
>> I am really out of the ideas on what can cause the issue.
>> Maybe someone had a similar problem?
>> Any help will be appreciated!
>>
>> Thanks in advance!
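The step that fails in the log above is the Accounting-Request to udp/1813: charon retransmits it, gets no answer and tears the IKE_SA down. The following is an added example, not strongSwan's own code: a small Python probe that builds one RFC 2866 Accounting-Request with a correct Request Authenticator and checks the Response Authenticator of whatever comes back, so the accounting listener and shared secret can be tested from the VPN gateway independently of charon. The host, port, secret and the "probe" identity values are assumptions; build_acct_response models what a correctly configured server returns and exists only so the verifier can be exercised offline.

```python
import hashlib
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5        # RADIUS packet codes (RFC 2866)
USER_NAME, NAS_IDENTIFIER, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 32, 40, 44
ACCT_START = 1

def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_request(secret, ident, user, nas_id, session_id):
    """Return (packet, request_authenticator) for an Acct-Status-Type=Start."""
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attrs + secret).
    # A server holding a different secret silently drops the packet.
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs, req_auth

def build_acct_response(secret, req_auth, ident, attrs=b""):
    """The reply a correctly configured server sends (used for offline checks)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_acct_response(secret, req_auth, ident, response):
    """Accept a reply only if code, identifier and Response Authenticator match."""
    if len(response) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or rid != ident or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return expected == response[4:20]

def probe(host, secret, port=1813, timeout=3.0):
    """Send one Accounting-Request from this host and classify the outcome."""
    ident = 0x2a   # any identifier; the reply must echo it
    packet, req_auth = build_acct_request(secret, ident, "probe", "nas-probe", "probe-1")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"   # port closed/firewalled, NAS not allowed, or bad secret
    return "ok" if verify_acct_response(secret, req_auth, ident, data) else "bad-authenticator"
```

Run probe("radius.server.ip", b"<shared secret>") on the gateway that runs charon; a "timeout" here while Access-Requests to 1812 succeed points at the server's accounting listener, its client allow-list or a firewall rule for udp/1813 rather than at the eap-radius plugin.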