Hi Jordan,

here is an xauth-eap example:

http://www.strongswan.org/uml/testresults/ikev1/xauth-rsa-eap-md5-radius/

Please make sure that you enable all the required plugins.

Regards

Andreas

On 09/07/2012 10:33 PM, yordanos beyene wrote:
> Thank you Andreas. I have a successful IKEv2 remote vpn connection from a
> Win7 machine with eap-radius.
>
> But I am having some difficulty getting IKEv1 xauth to work with Radius.
>
> Is there a similar example for IKEv1 + psk/cert + xauth with Radius?
>
> When I configure the connection as follows, it works for xauth users in
> the local ipsec.secrets. It doesn't attempt external radius.
>
> conn rw-ikev1
>         keyexchange=ikev1
>         left=172.16.20.2
>         leftid=local.net
>         leftsubnet=172.16.40.0/24
>         rightid=remote.net
>         right=%any
>         authby=xauthpsk
>         xauth=server
>         rightsourceip=192.16.80.10/24
>         auto=add
>
> When I use the configuration below, I get an error:
> Sep 8 02:57:40 02[CFG] no XAuth method found named 'eap'
>
> conn rw-ikev1
>         keyexchange=ikev1
>         aggressive=yes
>         left=172.16.20.2
>         leftid=local.net
>         leftsubnet=172.16.40.0/24
>         rightid=remote.net
>         right=%any
>         leftauth=psk
>         rightauth=psk
>         rightauth2=xauth-eap
>         rightsourceip=192.16.80.10/24
>         auto=add
>
> I appreciate any help.
>
> Thanks!
>
> Jordan
>
> I am now trying
>         leftauth=psk
>         rightauth=psk
>         rightauth2=xauth-eap
>
>
> On Thu, Sep 6, 2012 at 10:06 AM, Andreas Steffen <[email protected]> wrote:
>
> Hi,
>
> the configuration of the EAP RADIUS interface goes into /etc/strongswan.conf.
> Please have a look at our detailed HOWTO
>
> http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
>
> or the simple example
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/moon.strongswan.conf
>
> Best regards
>
> Andreas
>
> On 09/05/2012 06:01 AM, yordanos beyene wrote:
> > Hi Again,
> >
> > In fact I see the eap-radius configuration in strongswan.conf is not picked up.
> > Sep 5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
> >
> > See the log below when I just started ipsec. I appreciate any tips why the
> > Radius server configuration is not loaded.
> >
> > Sep 5 10:42:01 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.34, x86_64)
> > Sep 5 10:42:01 00[KNL] listening on interfaces:
> > Sep 5 10:42:01 00[KNL]   fpn0
> > Sep 5 10:42:01 00[KNL]     fe80::200:46ff:fe50:4e00
> > Sep 5 10:42:01 00[KNL]   ethernet1
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b96
> > Sep 5 10:42:01 00[KNL]   ethernet2
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b97
> > Sep 5 10:42:01 00[KNL]   ethernet3
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b98
> > Sep 5 10:42:01 00[KNL]   ethernet4
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b99
> > Sep 5 10:42:01 00[KNL]   ethernet5
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9a
> > Sep 5 10:42:01 00[KNL]   ethernet6
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9b
> > Sep 5 10:42:01 00[KNL]   ethernet7
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9c
> > Sep 5 10:42:01 00[KNL]   ethernet8
> > Sep 5 10:42:01 00[KNL]     fe80::210:f3ff:fe24:5b9d
> > Sep 5 10:42:01 00[CFG] loaded 0 RADIUS server configurations
> > Sep 5 10:42:01 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > Sep 5 10:42:01 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > Sep 5 10:42:01 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > Sep 5 10:42:01 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > Sep 5 10:42:01 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > Sep 5 10:42:01 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > ....
> >
> > Thanks!
> >
> > Jordan.
> >
> > On Tue, Sep 4, 2012 at 11:03 AM, yordanos beyene <[email protected]> wrote:
> >
> > Hi SS team,
> >
> > I finally resolved the SS5 kernel error with Martin's tips, and charon
> > is up and running. I can establish site-to-site tunnels with IKEv1
> > and IKEv2. Remote vpn works with users authenticated locally. But I
> > can't get users to authenticate via eap-radius.
> >
> > Here is the error message:
> > Sep 5 01:11:47 15[IKE] received EAP identity 'jordan'
> > Sep 5 01:11:47 15[IKE] loading EAP_RADIUS method failed
> >
> > Can you please provide me any tips? Did I miss any plugins?
> >
> > I have included vpn logs and configuration details below.
> >
> > Thanks as always for your help.
> >
> > Jordan.
> >
> > vpn.log:
> >
> > Sep 5 01:11:36 00[DMN] loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic xauth-eap openssl eap-identity sha1 fips-prf eap-mschapv2 eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
> > Sep 5 01:11:36 00[JOB] spawning 16 worker threads
> > Sep 5 01:11:36 14[CFG] received stroke: add connection 'rw-ikev2'
> > Sep 5 01:11:36 14[CFG] loaded certificate "C=US, ST=CA, O=RS, OU=SPG, CN=zeus.test.com, [email protected]" from 'zeus2.pem'
> > Sep 5 01:11:36 14[CFG] added configuration 'rw-ikev2'
> > Sep 5 01:11:36 14[CFG] adding virtual IP address pool 'rw-ikev2': 192.16.80.10/24
> > Sep 5 01:11:47 12[NET] received packet: from 172.16.50.20[500] to 172.16.20.2[500]
> > Sep 5 01:11:47 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Sep 5 01:11:47 12[IKE] 172.16.50.20 is initiating an IKE_SA
> > Sep 5 01:11:47 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > Sep 5 01:11:47 12[NET] sending packet: from 172.16.20.2[500] to 172.16.50.20[500]
> > Sep 5 01:11:47 10[NET] received packet: from 172.16.50.20[4500] to 172.16.20.2[4500]
> > Sep 5 01:11:47 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
> > Sep 5 01:11:47 10[IKE] received 34 cert requests for an unknown ca
> > Sep 5 01:11:47 10[CFG] looking for peer configs matching 172.16.20.2[%any]...172.16.50.20[172.16.50.20]
> > Sep 5 01:11:47 10[CFG] selected peer config 'rw-ikev2'
> > Sep 5 01:11:47 10[IKE] initiating EAP_IDENTITY method (id 0x00)
> > Sep 5 01:11:47 10[IKE] peer supports MOBIKE, but disabled in config
> > Sep 5 01:11:47 10[IKE] authentication of 'zeus.hp.com' (myself) with RSA signature successful
> > Sep 5 01:11:47 10[IKE] sending end entity cert "C=US, ST=CA, O=RS, OU=SPG, CN=zeus.test.com, [email protected]"
> > Sep 5 01:11:47 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > Sep 5 01:11:47 10[NET] sending packet: from 172.16.20.2[4500] to 172.16.50.20[4500]
> > Sep 5 01:11:47 15[NET] received packet: from 172.16.50.20[4500] to 172.16.20.2[4500]
> > Sep 5 01:11:47 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> > Sep 5 01:11:47 15[IKE] received EAP identity 'jordan'
> > Sep 5 01:11:47 15[IKE] loading EAP_RADIUS method failed
> > Sep 5 01:11:47 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
> > Sep 5 01:11:47 15[NET] sending packet: from 172.16.20.2[4500] to 172.16.50.20[4500]
> >
> > ipsec.conf
> >
> > # /etc/ipsec.conf - strongSwan IPsec configuration file
> >
> > config setup
> >
> > conn %default
> >         ikelifetime=60m
> >         keylife=20m
> >         rekeymargin=3m
> >         keyingtries=1
> >         authby=secret
> >         mobike=no
> >
> > conn rw-ikev2
> >         keyexchange=ikev2
> >         left=172.16.20.2
> >         leftcert=zeus2.pem
> >         [email protected]
> >         leftauth=pubkey
> >         leftsubnet=172.16.40.0/24
> >         right=%any
> >         rightsourceip=192.16.80.10/24
> >         rightauth=eap-radius
> >         eap_identity=%any
> >         auto=add

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
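The thread turns on two things charon needs before it will hand XAuth or EAP credentials to RADIUS: the xauth-eap and eap-radius plugins must be loaded, and the RADIUS server must be described under charon.plugins.eap-radius in strongswan.conf (otherwise charon logs "loaded 0 RADIUS server configurations", and a conn naming rightauth2=xauth-eap without the plugin gets "no XAuth method found named 'eap'"). The script below is an added example, not strongSwan's own code and not something from this thread: it parses a strongswan.conf and the rw-ikev1 conn from Jordan's mail and reports those gaps. The RADIUS address 192.0.2.10 and the secret are placeholders, and the "broken" strongswan.conf is an assumption (Jordan never posted his file); it places the plugin sections directly under charon rather than charon.plugins and leaves xauth-eap out of charon.load. The option names it reads (charon.load, charon.plugins.eap-radius.server/secret, charon.plugins.xauth-eap.backend, which defaults to radius) are the documented strongswan.conf keys.

```python
"""Consistency check for a strongSwan 5.x XAuth/EAP-over-RADIUS setup (added example,
not strongSwan's own code). Parses the nested 'section { key = value }' format of
strongswan.conf plus one conn block of ipsec.conf and names the gaps behind "loaded 0
RADIUS server configurations" and "no XAuth method found named 'eap'"."""

def parse_strongswan_conf(text):
    """strongswan.conf -> nested dicts (one 'section {', 'key = value' or '}' per
    line; '#' comments dropped; include directives not followed)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.endswith('{'):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == '}' and len(stack) > 1:
            stack.pop()
        elif '=' in line:
            key, value = line.split('=', 1)
            stack[-1][key.strip()] = value.strip()
        elif line:
            raise ValueError('cannot parse strongswan.conf line %r' % raw)
    if len(stack) != 1:
        raise ValueError('unbalanced braces in strongswan.conf')
    return stack[0]

def parse_conn(text, name):
    """Settings of 'conn <name>' in ipsec.conf (indented key=value lines up to
    the next unindented header; conn %default is not merged in)."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line and not line[0].isspace():
            inside = line.split() == ['conn', name]
        elif inside and '=' in line:
            key, value = line.split('=', 1)
            opts[key.strip()] = value.strip()
    return opts

def check(conf, conn):
    """Findings for one conn; an empty list means the setup is consistent."""
    charon = conf.get('charon', {})
    plugins = charon.get('plugins', {})
    load = set(charon.get('load', '').split())
    loaded = (lambda p: True) if not load else (lambda p: p in load)  # no load = all
    findings = []
    for key in ('leftauth', 'rightauth', 'rightauth2'):
        method = conn.get(key, '')
        if not method.startswith(('eap-', 'xauth-')):
            continue                                 # psk/pubkey need no auth plugin
        if not loaded(method):
            findings.append("%s=%s requires plugin '%s' in charon.load" % (key, method, method))
        if method == 'xauth-eap':
            # xauth-eap verifies the XAuth credentials through an EAP backend plugin.
            backend = plugins.get('xauth-eap', {}).get('backend', 'radius')
            method = 'eap-' + backend
            if not loaded(method):
                findings.append("xauth-eap backend '%s' requires plugin '%s'" % (backend, method))
        radius = plugins.get('eap-radius', {})
        if method == 'eap-radius' and not ('server' in radius and 'secret' in radius):
            findings.append('eap-radius in use but charon.plugins.eap-radius has no '
                            'server/secret (loaded 0 RADIUS server configurations)')
    # Aggressive mode with a PSK: the responder hash is sent unencrypted, so anyone
    # who can initiate to the gateway can brute-force the PSK offline.
    psk = (conn.get('authby') in ('psk', 'secret', 'xauthpsk')
           or 'psk' in (conn.get('leftauth'), conn.get('rightauth')))
    if conn.get('aggressive') == 'yes' and psk:
        findings.append('warning: aggressive=yes with PSK authentication exposes '
                        'the PSK to offline guessing; prefer main mode or certs')
    return list(dict.fromkeys(findings))             # de-duplicate, keep order

RADIUS = """
    eap-radius {
      server = 192.0.2.10                # assumed RADIUS server address
      secret = change-me-radius-secret   # assumed shared secret
    }
    xauth-eap {
      backend = radius                   # hand XAuth credentials to eap-radius
    }
"""
LOAD = ('random nonce x509 pubkey pkcs1 pem openssl hmac kernel-netlink '
        'socket-default stroke updown xauth-generic eap-identity eap-radius')
# Assumed mistake (the thread never shows the failing file): plugin sections put
# directly under charon instead of charon.plugins, and xauth-eap not loaded.
BROKEN_CONF = 'charon {\n  load = %s\n%s}\n' % (LOAD, RADIUS)
FIXED_CONF = 'charon {\n  load = %s xauth-eap\n  plugins {\n%s  }\n}\n' % (LOAD, RADIUS)
IPSEC_CONF = """
conn rw-ikev1                            # the conn from the thread, trimmed
    keyexchange=ikev1
    aggressive=yes
    right=%any
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-eap
    auto=add
"""

def report(strongswan_conf, ipsec_conf, conn_name='rw-ikev1'):
    return check(parse_strongswan_conf(strongswan_conf), parse_conn(ipsec_conf, conn_name))

if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(label + ':', report(conf, IPSEC_CONF) or 'no findings')
```

Against the broken file the script reports the missing xauth-eap plugin and the missing RADIUS server; against the fixed one only the aggressive-mode warning remains, and that one applies to the conn exactly as posted: with right=%any and a shared PSK, any host that starts an aggressive-mode exchange with the gateway receives a hash derived from that PSK and can run a dictionary attack on it offline. To check the plugin list charon really loaded rather than the one you think it loaded, compare against the "loaded plugins:" line in the daemon log, as in Jordan's vpn.log above.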
