[strongSwan] Roadwarrior configuration with simple eap authentication

Doctor Mirabilis doctor.mirabilis at gmail.com
Mon Aug 12 15:48:12 CEST 2019


Hi,

I am facing problems trying to set up a tunnel between an Android smartphone and the gateway.

The configuration should be fairly simple. I only want to use simple EAP authentication (just username and password, no certificates).

Here is the gateway's ipsec.conf:

[root@zircon strongswan]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
   charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   keyexchange=ikev2

conn server
   authby=secret
   left=192.168.1.20
   leftsubnet=192.168.1.0/24
   leftfirewall=yes
   right=%any
   rightsourceip=10.3.0.0/28
   rightauth=eap-mschapv2
   eap_identity=%any
   auto=add

Here is the gateway's ipsec.secrets (secrets are hidden):

[root@zircon strongswan]# cat ipsec.secrets
<username> : EAP "<password>"

The smartphone is configured using the strongSwan Android app.

Here are the relevant iptables rules:

ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t

I’ve also added the following rules:

iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -j MASQUERADE

Here is the gateway status:

[root@zircon strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.1.3.el7.x86_64, x86_64):
  uptime: 49 minutes, since Aug 12 14:49:34 2019
  malloc: sbrk 1724416, mmap 0, used 576960, free 1147456
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Virtual IP pools (size/online/offline):
  10.3.0.0/28: 14/0/0
Listening IP addresses:
  192.168.1.20
  10.8.0.1
Connections:
      server:  192.168.1.20...%any  IKEv2
      server:   local:  [192.168.1.20] uses public key authentication
      server:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
      server:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

The first problem that I see is that, even though I set the "authby=secret" authentication method, the statusall command reports that the gateway uses public key authentication (which I don't want):

server:   local:  [192.168.1.20] uses public key authentication

When I try to connect, I can see that connection requests are received by the server, but the server does not answer:

[root@zircon strongswan]# tcpdump -i eno16777984 host 5.90.170.158 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777984, link-type EN10MB (Ethernet), capture size 262144 bytes

15:44:00.761866 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:02.795942 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:05.616891 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:09.494909 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:14.993817 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]

What am I missing? What’s wrong with my configuration?

Any help would be greatly appreciated.

Thank you very much in advance.

Regards,

Costantino Imbrauglio
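An added troubleshooting script for the two symptoms in the mail above. This is example code written for this page; it is not from the original mail and not part of the strongSwan project. It lints an ipsec.conf excerpt for the authby/rightauth combination and replays the tcpdump lines from the mail next to a constructed, healthy IKE_SA_INIT/IKE_AUTH exchange, so the "requests arrive, nothing goes back" pattern is visible as data rather than by eye. Assumptions that the page does not state: that strongSwan's ipsec.conf (stroke) backend consults authby only when neither leftauth nor rightauth is set, and that an unset leftauth then defaults to pubkey (the statusall output above is consistent with this, but it is an assumption here); that tcpdump prints the IKEv2 Initiator and Response header flags as [I] and [R] and prefixes UDP-encapsulated IKE on port 4500 with "NONESP-encap:"; the function names, the host client.example.net and the whole healthy trace are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime


def parse_ipsec_conf(text):
    """{section: {key: value}}. Section headers start in column 0, settings are
    indented; 'conn %default' is merged into every conn, as strongSwan does."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():            # 'conn server', 'config setup'
            cur = line.split(None, 1)[-1]
            sections.setdefault(cur, {})
        elif cur and "=" in line:
            key, _, val = line.strip().partition("=")
            sections[cur][key.strip()] = val.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {n: {**defaults, **kv} for n, kv in sections.items()}


def lint_ipsec_conf(text):
    """(conn, message) findings. ASSUMPTION encoded here: authby is consulted only
    when neither leftauth nor rightauth is set; an unset leftauth is then pubkey."""
    out = []
    for name, kv in parse_ipsec_conf(text).items():
        if name == "setup":
            continue
        explicit = [k for k in ("leftauth", "rightauth") if k in kv]
        local = kv.get("leftauth", "pubkey")
        if "authby" in kv and explicit:
            out.append((name, "authby=%s is ignored because %s is set; local "
                        "auth will be %s" % (kv["authby"], "/".join(explicit), local)))
        if local == "pubkey" and "leftcert" not in kv:
            out.append((name, "local auth is pubkey but no leftcert= is set; "
                        "the gateway needs a certificate and private key"))
    return out


# One tcpdump line: timestamp, src.port > dst.port, optional NAT-T prefix, exchange, flags.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[\w-]+): (?:NONESP-encap: )?isakmp: "
    r"(?P<sa>\w+)\s+(?P<exch>\w+)\[(?P<flags>[IR]*)\]")


def analyze_ike_trace(lines):
    """Per initiating host: IKE_SA_INIT requests/replies, gaps between retransmits,
    IKE_AUTH status and a verdict. [I]/[R] are the IKEv2 Initiator/Response flags."""
    peers = defaultdict(lambda: {"init": [], "init_r": 0, "auth": 0, "auth_r": 0})
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue                                  # banner lines, ESP, etc.
        d = m.groupdict()
        resp = "R" in d["flags"]
        p = peers[d["src"] if "I" in d["flags"] else d["dst"]]   # the initiator's host
        if d["exch"] == "ikev2_init" and not resp:
            p["init"].append(datetime.strptime(d["ts"], "%H:%M:%S.%f"))
        elif d["exch"] == "ikev2_init":
            p["init_r"] += 1
        elif d["exch"] == "ikev2_auth":
            p["auth_r" if resp else "auth"] += 1
    report = {}
    for peer, p in peers.items():
        reqs = p["init"]
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(reqs, reqs[1:])]
        if not p["init_r"]:
            verdict = ("gateway silent: %d IKE_SA_INIT retransmit(s) unanswered; check the "
                       "INPUT rules for udp 500/4500 and charon's log" % max(len(reqs) - 1, 0))
        elif not p["auth_r"]:
            verdict = "IKE_SA_INIT answered; IKE_AUTH not completed"
        else:
            verdict = "IKE_SA_INIT and IKE_AUTH answered"
        report[peer] = {"init_requests": len(reqs), "init_replies": p["init_r"],
                        "retransmit_gaps_s": gaps, "verdict": verdict}
    return report


# POSTED_TRACE is copied from the mail; HEALTHY_TRACE is constructed for contrast (not captured).
POSTED_TRACE = """\
15:44:00.761866 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:02.795942 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:05.616891 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:09.494909 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:14.993817 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
"""
HEALTHY_TRACE = """\
15:50:00.000000 IP client.example.net.4500 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:50:00.050000 IP zircon.imbrauglio.local.isakmp > client.example.net.4500: isakmp: parent_sa ikev2_init[R]
15:50:00.120000 IP client.example.net.4500 > zircon.imbrauglio.local.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
15:50:00.180000 IP zircon.imbrauglio.local.ipsec-nat-t > client.example.net.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
"""
POSTED_IPSEC_CONF = """\
conn server
   authby=secret
   rightauth=eap-mschapv2
"""

if __name__ == "__main__":
    print(lint_ipsec_conf(POSTED_IPSEC_CONF))
    for trace in (POSTED_TRACE, HEALTHY_TRACE):
        print(analyze_ike_trace(trace.splitlines()))
```

Run as-is it prints the two config findings and one report per trace. The posted capture yields five IKE_SA_INIT requests, zero replies and retransmit gaps of 2.0, 2.8, 3.9 and 5.5 s, which is the client backing off against a gateway that never answers; the constructed trace shows what the same report looks like when the exchange completes. The config check only flags the authby/rightauth interplay and the missing leftcert=; it does not claim to know why the gateway is silent.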
