[strongSwan] EAP-MSCHAPV2/PEAP client connection from Network Manager

Chris Sherry smilinjoe at gmail.com
Thu Apr 18 05:10:33 CEST 2019


Tobias,

Makes total sense.

So my production environment doesn't have EAP-MSCHAPv2! That was a
revelation. So after unloading PEAP and connecting to a server with
EAP-MSCHAPv2 enabled (DEV), things work.

Apr 17 22:00:55 ubuntu-desktop charon-nm: 07[CFG] certificate status is good
Apr 17 22:00:55 ubuntu-desktop charon-nm: 07[CFG]   reached self-signed root ca with a path length of 2
Apr 17 22:00:55 ubuntu-desktop charon-nm: 07[IKE] authentication of 'CN=vpn.company.com' with RSA signature successful
Apr 17 22:00:55 ubuntu-desktop charon-nm: 07[IKE] server requested EAP_IDENTITY (id 0xD1), sending 'user'
Apr 17 22:00:55 ubuntu-desktop charon-nm: 07[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 07[NET] sending packet: from 192.168.1.125[40071] to y.y.y.y[4500] (96 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 06[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[40071] (112 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 06[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 06[IKE] server requested EAP_MSCHAPV2 authentication (id 0xD2)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 06[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 06[NET] sending packet: from 192.168.1.125[40071] to y.y.y.y[4500] (144 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 15[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[40071] (128 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 15[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Apr 17 22:00:55 ubuntu-desktop charon-nm: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 15[NET] sending packet: from 192.168.1.125[40071] to y.y.y.y[4500] (80 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 11[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[40071] (80 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 11[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Apr 17 22:00:55 ubuntu-desktop charon-nm: 11[IKE] authentication of 'user' (myself) with EAP
Apr 17 22:00:55 ubuntu-desktop charon-nm: 11[ENC] generating IKE_AUTH request 5 [ AUTH ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 11[NET] sending packet: from 192.168.1.125[40071] to y.y.y.y[4500] (112 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 10[NET] received packet: from y.y.y.y[4500] to 192.168.1.125[40071] (288 bytes)
Apr 17 22:00:55 ubuntu-desktop charon-nm: 10[ENC] parsed IKE_AUTH response 5 [ IDr AUTH CPRP(ADDR DNS) N(MSG_ID_SYN_SUP) N(AUTH_LFT) SA TSi TSr ]
Apr 17 22:00:55 ubuntu-desktop charon-nm: 10[IKE] authentication of 'CN=vpn.company.com' with EAP successful
Apr 17 22:00:55 ubuntu-desktop charon-nm: 10[IKE] IKE_SA NI VPN[6] established between 192.168.1.125[user]...y.y.y.y[CN=vpn.company.com]

So I guess the question is, what's the security risk here? I always knew
that with PEAP, there is PKI as an outer method. What am I missing without
that outer method encryption? Guess I need to read some more....

Here is my strongswan.conf in case anyone else is interested.

Thanks,
Chris.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

# Keep charon-nm from loading eap-peap so plain EAP-MSCHAPv2 is used.
# This is a top-level charon-nm key, as in Tobias's instructions; placed
# inside the charon { } section it would become charon.charon-nm.plugins...,
# which is not the key charon-nm looks up.
charon-nm.plugins.eap-peap.load = no

charon {
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf



On Wed, Apr 17, 2019 at 1:48 AM Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Chris,
>
> The NM plugin currently does not provide an option to configure the
> expected AAA server identity.  So the IKE identity is reused and
> enforced.  This will fail if the AAA server uses a different identity
> during EAP-PEAP/(T)TLS:
>
> > [IKE] authentication of 'CN=vpn.company.com' with RSA signature successful
> > ...
> > [TLS] server certificate does not match to 'CN=vpn.company.com'
>
>
> > What we found key was the leftauth method has to be eap-mschapv2. That
> > doesn't seem to be available in the network manager config.
>
> While the authentication method can't be configured explicitly in the NM
> plugin, you can prevent the eap-peap plugin from getting loaded so plain
> EAP-MSCHAPv2 will be used.  To do so configure
> charon-nm.plugins.eap-peap.load = no in strongswan.conf (note that this
> requires at least 5.5.0 to work, in older releases the complete list of
> plugins has to be provided in charon-nm.load, see [1] for details).
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>
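As an added example (not from this thread or from strongSwan itself), a small Python checker over charon-nm log lines like the ones above: it reports whether the server authenticated with its certificate before EAP started, which EAP method actually ran, whether it ran inside a PEAP/TTLS tunnel, and whether the inner TLS identity check Tobias quoted failed. The sample lines are constructed from the thread; the EAP_PEAP request line in the failure sample is assumed.

```python
import re
# charon log messages relevant to the thread (constructed regexes, not strongSwan code)
SERVER_CERT_AUTH = re.compile(r"authentication of '([^']+)' with RSA signature successful")
EAP_REQUEST = re.compile(r"server requested (EAP_[A-Z0-9_]+) authentication")
TLS_MISMATCH = re.compile(r"server certificate does not match to '([^']+)'")
MSK_DONE = re.compile(r"EAP method (EAP_[A-Z0-9_]+) succeeded, MSK established")
SA_UP = re.compile(r"IKE_SA .* established between")
TUNNEL_METHODS = {"EAP_PEAP", "EAP_TTLS", "EAP_TLS"}

def analyze(lines):
    """Walk charon-nm log lines in order and summarise the EAP exchange."""
    r = {"server_id": None, "cert_before_eap": False, "eap_methods": [], "tunneled": False,
         "tls_mismatch": None, "msk_method": None, "established": False}
    for line in lines:
        if m := SERVER_CERT_AUTH.search(line):
            r["server_id"] = m.group(1)
            r["cert_before_eap"] = not r["eap_methods"]  # cert auth must precede any EAP request
        elif m := EAP_REQUEST.search(line):  # EAP_IDENTITY lacks the word "authentication", so it is skipped
            r["eap_methods"].append(m.group(1))
            r["tunneled"] |= m.group(1) in TUNNEL_METHODS
        elif m := TLS_MISMATCH.search(line):
            r["tls_mismatch"] = m.group(1)
        elif m := MSK_DONE.search(line):
            r["msk_method"] = m.group(1)
        elif SA_UP.search(line):
            r["established"] = True
    return r

def verdict(r):
    """Defender-side reading of the summary."""
    if not r["cert_before_eap"]:
        return "server not certificate-authenticated before EAP: do not trust this exchange"
    if r["tls_mismatch"]:
        return f"PEAP/TTLS inner TLS rejected: AAA identity {r['tls_mismatch']!r} did not match"
    if r["established"]:
        how = "inside a PEAP/TTLS tunnel" if r["tunneled"] else "directly inside the IKE_SA"
        return f"ok: {r['msk_method']} ran {how}, server={r['server_id']}"
    return "incomplete exchange"

# Constructed sample lines (message part of the log posted in the thread)
SUCCESS_LOG = [
    "07[IKE] authentication of 'CN=vpn.company.com' with RSA signature successful",
    "07[IKE] server requested EAP_IDENTITY (id 0xD1), sending 'user'",
    "06[IKE] server requested EAP_MSCHAPV2 authentication (id 0xD2)",
    "11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established",
    "11[IKE] IKE_SA NI VPN[6] established between 192.168.1.125[user]...y.y.y.y[CN=vpn.company.com]",
]
PEAP_FAIL_LOG = [  # the failure Tobias quoted; the EAP_PEAP request line is assumed
    "07[IKE] authentication of 'CN=vpn.company.com' with RSA signature successful",
    "06[IKE] server requested EAP_PEAP authentication (id 0xD2)",
    "06[TLS] server certificate does not match to 'CN=vpn.company.com'",
]
```

Feed it the `[IKE]`/`[TLS]` lines from a charon-nm journal; in the posted log the verdict is that EAP-MSCHAPv2 ran directly inside the already certificate-authenticated IKE_SA, which is the channel that replaces PEAP's outer TLS tunnel here.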