Hi SS team,

I finally resolved the SS5 kernel error with Martin's tips, and charon is up and running. I can establish site-to-site tunnels with IKEv1 and IKEv2. Remote VPN works with users authenticated locally. But I can't get users to authenticate via eap-radius.

Here is the error message:

Sep 5 01:11:47 15[IKE] received EAP identity 'jordan'
Sep 5 01:11:47 15[IKE] loading EAP_RADIUS method failed

Can you please provide me any tips? Did I miss any plugins? I have included vpn logs and configuration details below.

Thanks as always for your help.
Jordan.

vpn.log:

Sep 5 01:11:36 00[DMN] loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic xauth-eap openssl eap-identity sha1 fips-prf eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
Sep 5 01:11:36 00[JOB] spawning 16 worker threads
Sep 5 01:11:36 14[CFG] received stroke: add connection 'rw-ikev2'
Sep 5 01:11:36 14[CFG] loaded certificate "C=US, ST=CA, O=RS, OU=SPG, CN= zeus.test.com, [email protected]" from 'zeus2.pem'
Sep 5 01:11:36 14[CFG] added configuration 'rw-ikev2'
Sep 5 01:11:36 14[CFG] adding virtual IP address pool 'rw-ikev2': 192.16.80.10/24
Sep 5 01:11:47 12[NET] received packet: from 172.16.50.20[500] to 172.16.20.2[500]
Sep 5 01:11:47 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 5 01:11:47 12[IKE] 172.16.50.20 is initiating an IKE_SA
Sep 5 01:11:47 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 5 01:11:47 12[NET] sending packet: from 172.16.20.2[500] to 172.16.50.20[500]
Sep 5 01:11:47 10[NET] received packet: from 172.16.50.20[4500] to 172.16.20.2[4500]
Sep 5 01:11:47 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
Sep 5 01:11:47 10[IKE] received 34 cert requests for an unknown ca
Sep 5 01:11:47 10[CFG] looking for peer configs matching 172.16.20.2[%any]...172.16.50.20[172.16.50.20]
Sep 5 01:11:47 10[CFG] selected peer config 'rw-ikev2'
Sep 5 01:11:47 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 5 01:11:47 10[IKE] peer supports MOBIKE, but disabled in config
Sep 5 01:11:47 10[IKE] authentication of 'zeus.hp.com' (myself) with RSA signature successful
Sep 5 01:11:47 10[IKE] sending end entity cert "C=US, ST=CA, O=RS, OU=SPG, CN=zeus.test.com, [email protected]"
Sep 5 01:11:47 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 5 01:11:47 10[NET] sending packet: from 172.16.20.2[4500] to 172.16.50.20[4500]
Sep 5 01:11:47 15[NET] received packet: from 172.16.50.20[4500] to 172.16.20.2[4500]
Sep 5 01:11:47 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 5 01:11:47 15[IKE] received EAP identity 'jordan'
Sep 5 01:11:47 15[IKE] loading EAP_RADIUS method failed
Sep 5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Sep 5 01:11:47 15[NET] sending packet: from 172.16.20.2[4500] to 172.16.50.20[4500]

ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    mobike=no

conn rw-ikev2
    keyexchange=ikev2
    left=172.16.20.2
    leftcert=zeus2.pem
    [email protected]
    leftauth=pubkey
    leftsubnet=172.16.40.0/24
    right=%any
    rightsourceip=192.16.80.10/24
    rightauth=eap-radius
    eap_identity=%any
    auto=add

_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
