[strongSwan] Roadwarrior configuration with simple eap authentication
Doctor Mirabilis
doctor.mirabilis at gmail.com
Mon Aug 12 15:48:12 CEST 2019
Hi,
I am facing problems trying to set up a tunnel between an Android smartphone and the gateway.
Configuration should be fairly simple. I only want to use simple EAP authentication (just username and password, no certificates).
Here is gateway ipsec.conf:
[root@zircon strongswan]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn server
authby=secret
left=192.168.1.20
leftsubnet=192.168.1.0/24
leftfirewall=yes
right=%any
rightsourceip=10.3.0.0/28
rightauth=eap-mschapv2
eap_identity=%any
auto=add
Here is gateway ipsec.secrets (secrets are hidden):
[root@zircon strongswan]# cat ipsec.secrets
<username> : EAP "<password>"
The smartphone is configured using Strongswan android app client.
Here are the relevant iptables rules:
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
I’ve also added the following rules:
iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -j MASQUERADE
Here is the gateway status:
[root@zircon strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.1.3.el7.x86_64, x86_64):
uptime: 49 minutes, since Aug 12 14:49:34 2019
malloc: sbrk 1724416, mmap 0, used 576960, free 1147456
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Virtual IP pools (size/online/offline):
10.3.0.0/28: 14/0/0
Listening IP addresses:
192.168.1.20
10.8.0.1
Connections:
server: 192.168.1.20...%any IKEv2
server: local: [192.168.1.20] uses public key authentication
server: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
server: child: 192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
The first problem that I see is that, even though I set the "authby=secret" authentication method, the statusall command reports that the gateway uses public key authentication (which I don't want):
server: local: [192.168.1.20] uses public key authentication
When I try to connect, I can see that connection requests are received by the server, but the server does not answer:
[root@zircon strongswan]# tcpdump -i eno16777984 host 5.90.170.158 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777984, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:00.761866 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:02.795942 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:05.616891 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:09.494909 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:14.993817 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
What am I missing? What’s wrong with my configuration?
Any help would be greatly appreciated.
Thank you very much in advance.
Regards,
Costantino Imbrauglio
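For comparison, here is an added example of the same roadwarrior connection written with strongSwan's per-side `leftauth`/`rightauth` keywords instead of the deprecated `authby`; it is not the original poster's file and not a reply from the list. The gateway side is set to certificate (pubkey) authentication, which is what the statusall output above reports for the local side anyway, and which the Android strongSwan client's "IKEv2 EAP (Username/Password)" profile expects from the server. The certificate file `serverCert.pem`, the key file `serverKey.pem` and the identity `vpn.example.org` are assumptions for the example; `%identity` is the documented special value that makes the gateway ask the client for its EAP identity.

```ini
# /etc/ipsec.conf - added example, not the original poster's configuration.
# Assumed (hypothetical) names: /etc/ipsec.d/certs/serverCert.pem carries the DNS
# name vpn.example.org in its subjectAltName; the matching private key is
# /etc/ipsec.d/private/serverKey.pem.
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn server
    # Gateway side: authenticate with the certificate and key from ipsec.secrets.
    # leftauth/rightauth are given explicitly, so authby is not needed at all.
    left=192.168.1.20
    leftid=@vpn.example.org
    leftcert=serverCert.pem
    leftauth=pubkey
    # Send the certificate even if the client does not explicitly request it.
    leftsendcert=always
    leftsubnet=192.168.1.0/24
    leftfirewall=yes
    # Client side: EAP-MSCHAPv2 with username/password from ipsec.secrets.
    right=%any
    rightsourceip=10.3.0.0/28
    rightauth=eap-mschapv2
    # Ask the client for its EAP identity with an EAP Identity request.
    eap_identity=%identity
    auto=add
```

The matching ipsec.secrets keeps the EAP line from the post and adds the private key reference above it: `: RSA serverKey.pem` followed by `<username> : EAP "<password>"`. On the Android side the profile's server identity has to match `leftid` (vpn.example.org here), and the CA that issued the server certificate has to be imported into the app unless it is already trusted by the device. After `ipsec reload`, `strongswan statusall` should list the certificate identity for the local side instead of the bare IP address.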