[strongSwan] VPN with Windows 8.1 with eap-radius and ldap-samba4ad backend
Hello,

I have a problem with my strongSwan configuration. I want to establish a VPN between strongSwan and my Windows 8.1 PC, but I want a RADIUS-LDAP backend to check the users. My first try was an MSCHAPv2 connection, which works. I switched peap-mschapv2 to eap-radius and added the RADIUS server to strongswan.conf. But if I now start a VPN, the RADIUS server rejects the request because it couldn't find the user. It seems that the VPN client didn't send the user and the password correctly. I think the problem is a wrong configuration of the VPN client. I think it is the EAP-MSCHAPv2 option, but I have no idea what I have to choose.

Here are the config and log files:

    ipsec.conf       http://pastebin.com/m4UvtNXP
    ipsec.secrets    http://pastebin.com/VC9UmsGg
    strongswan.conf  http://pastebin.com/7TCfY22Y
    radius.log       http://pastebin.com/kyAjPRbZ
    radiusacct       http://pastebin.com/CCvrtYSk
    syslog           http://pastebin.com/5U0W2kqj

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
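The post above leaves two causes open: the backend does not know the user, or strongSwan forwards an identity the backend does not expect (the eap-radius plugin forwards the IKE identity as EAP identity unless eap_identity is set). The script below, an added example that is not code from the post, from strongSwan or from FreeRADIUS, sends a RADIUS server the same opening packet the plugin sends for a connecting client, an Access-Request carrying an EAP-Response/Identity with a Message-Authenticator, so the identity string can be varied by hand. Server address, shared secret, NAS-Identifier and the identities are assumptions.

```python
"""Send a RADIUS server the opening packet an EAP-capable NAS such as
strongSwan's eap-radius plugin sends: an Access-Request carrying an
EAP-Response/Identity plus a Message-Authenticator.  Changing only the
identity string shows whether the backend knows the user at all, independent
of what the Windows client puts in its IKE identity.

Added example (Python 3), not code from the post, strongSwan or FreeRADIUS.
Server address, shared secret, NAS-Identifier and identities are assumptions.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER = 1, 32
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(attr_type, value):
    """RADIUS attribute TLV: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    """EAP packet: Code=Response(2), Identifier, Length, Type=Identity(1), identity."""
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(secret, identifier, identity,
                         nas_id=b"strongswan-probe", authenticator=b""):
    """Access-Request with User-Name, NAS-Identifier, EAP-Message and a
    Message-Authenticator: HMAC-MD5 keyed with the shared secret over the whole
    packet with the Message-Authenticator value zeroed (RFC 3579, 3.2)."""
    ra = authenticator or os.urandom(16)          # 16-byte Request Authenticator
    attrs = (attr(ATTR_USER_NAME, identity.encode())
             + attr(ATTR_NAS_IDENTIFIER, nas_id)
             + attr(ATTR_EAP_MESSAGE, eap_identity_response(1, identity))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra
    digest = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + digest          # placeholder is the last 16 bytes


def parse_attributes(packet):
    """Walk the attribute area after the 20-byte header into (type, value) pairs."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC-MD5 with the Message-Authenticator value zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def probe(server, secret, identity, port=1812, timeout=3.0):
    """Send one Access-Request and name the reply.  An Access-Challenge means the
    server accepted the identity and started an EAP method; an Access-Reject at
    this stage is the 'user not found' symptom; silence usually means this host
    is not a configured NAS on the server or the shared secret is wrong."""
    request = build_access_request(secret, identifier=7, identity=identity)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
             ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(reply[0], "code %d" % reply[0])


if __name__ == "__main__":
    import sys
    # usage (all values assumed): radius_probe.py 192.0.2.10 s3cret 'EXAMPLE\jdoe'
    print(probe(sys.argv[1], sys.argv[2].encode(), sys.argv[3]))
```

Run it once with the bare username and once with the identity the charon log shows the Windows client sending as IKE ID; if only the first gets an Access-Challenge, the backend is fine and the identity strongSwan forwards is the problem (eap_identity in ipsec.conf controls that), while a Reject for both means the RADIUS/LDAP lookup itself fails.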
Re: [strongSwan] Fritzbox - strongSwan / Missing ping replies
Hi,

it seems to be this kind of problem. After pinning the connection settings to:

    ike=aes256-sha-modp1024
    esp=aes192-sha1-modp1024!

the connection works perfectly. Don't know why the Fritzbox offers aes256 but only aes192 works.

Cheers
Sascha

Quoting Tobias Brunner <tob...@strongswan.org>:

> Hi Sascha,
>
>> I've built a connection between a FRITZ!Box and a strongSwan server. On the virtual server where strongSwan is located I've added a virtual interface and configured the IP 192.168.0.10/24 on it. Now I'm trying to ping each side of the VPN with no luck.
>
> What version of strongSwan are you using? There were some issues with proposal handling between FRITZ!Box and strongSwan before 5.2.0, see [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/issues/661
Re: [strongSwan] Fritzbox - strongSwan / Missing ping replies
Hi,

I've noticed that ping works after the first rekeying... Forcing a permanent rekeying with margintime=59 made it work immediately. But this floods the log and seems not to be intended to work this way.

Any hint what I made wrong?

Thx
Sascha

Quoting sas...@schmidt.ps:

> Ok, that makes sense. But replies to pings don't reach the source either. So it seems that something is wrong with routing? I really don't have a clue what to debug to find out what's going wrong.
>
> Greets
> Sascha
>
> Quoting Andreas Steffen <andreas.stef...@strongswan.org>:
>
>> Hi Sascha,
>>
>> due to the Linux netfilter architecture tcpdump running on an IPsec endpoint shows you only the inbound decrypted plaintext but never the outbound plaintext IP packets. Does tcpdump show outbound encrypted ESP packets?
>>
>> Regards
>> Andreas
Re: [strongSwan] Fritzbox - strongSwan / Missing ping replies
Ok, that makes sense. But replies to pings don't reach the source either. So it seems that something is wrong with routing? I really don't have a clue what to debug to find out what's going wrong.

Greets
Sascha

Quoting Andreas Steffen <andreas.stef...@strongswan.org>:

> Hi Sascha,
>
> due to the Linux netfilter architecture tcpdump running on an IPsec endpoint shows you only the inbound decrypted plaintext but never the outbound plaintext IP packets. Does tcpdump show outbound encrypted ESP packets?
>
> Regards
> Andreas
>
> --
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
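Andreas' question in the quoted reply (are outbound ESP packets leaving?) is the check to make before suspecting routing, because a decrypted inbound packet is shown by tcpdump while the outbound plaintext that gets encrypted is not. The script below is an added example, not code from the thread or from strongSwan: it reads tcpdump output from the strongSwan host and sorts it into inbound ESP, decrypted inbound plaintext, outbound ESP and outbound plaintext (which only appears on the wire when a packet missed the IPsec policy). The public addresses are assumptions taken from documentation ranges and the capture lines are constructed in tcpdump's output format.

```python
"""Read a tcpdump capture taken on an IPsec endpoint and sort it into what
Andreas' reply distinguishes: inbound ESP, inbound plaintext (the decrypted
echo requests), outbound ESP, and outbound plaintext, which you only see on
the outer interface when a packet bypassed the IPsec policy.

Added example (Python 3), not from the thread or from strongSwan.  The public
addresses are assumptions (RFC 5737 ranges stand in for the redacted IPs) and
the capture lines are constructed in tcpdump's output format.
"""
import re
from collections import Counter

# "12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64"
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# "ESP(spi=0x1003da1e,seq=0x21), length 116"
SPI_RE = re.compile(r"^ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\)")


def classify(lines, local_ips):
    """Count packets by kind and direction relative to this endpoint; also
    return the ESP SPIs seen so they can be compared with 'ip xfrm state'."""
    counts, spis = Counter(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an IP line we understand
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        esp = SPI_RE.match(rest)
        if esp:
            counts["esp_out" if src in local_ips else "esp_in"] += 1
            spis.add(esp.group("spi"))
        elif rest.startswith("ICMP echo request"):
            counts["plain_request_in" if dst in local_ips else "plain_request_out"] += 1
        elif rest.startswith("ICMP echo reply"):
            counts["plain_reply_out" if src in local_ips else "plain_reply_in"] += 1
    return counts, spis


EXPLANATION = {
    "ok": "requests are decrypted and replies leave as ESP; the plaintext "
          "replies are never visible on the outer interface",
    "replies_unencrypted": "replies leave in the clear, so no IPsec policy "
                           "matched them: check 'ip xfrm policy' and routing",
    "no_reply": "requests are decrypted but nothing goes back: the target does "
                "not answer, or the reply is dropped before the policy applies",
    "no_decrypt": "ESP arrives but nothing is decrypted: SA/SPI or traffic "
                  "selector mismatch",
    "nothing": "no tunnel traffic in the capture",
}


def diagnose(counts):
    """Map the counters to the usual interpretation (a heuristic, not a proof)."""
    if counts["plain_request_in"] and counts["esp_out"]:
        return "ok"
    if counts["plain_reply_out"]:
        return "replies_unencrypted"
    if counts["plain_request_in"]:
        return "no_reply"
    if counts["esp_in"]:
        return "no_decrypt"
    return "nothing"


# Assumed: the strongSwan host's public IP and its 192.168.0.10 tunnel address.
LOCAL = {"198.51.100.20", "192.168.0.10"}

# Constructed capture, healthy tunnel: every request arrives as ESP, shows up
# decrypted, and the reply leaves as ESP only.
HEALTHY = """\
12:25:44.421400 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc3a1b2d4,seq=0x21), length 116
12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
12:25:44.421690 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x1003da1e,seq=0x21), length 116
12:25:45.421300 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc3a1b2d4,seq=0x22), length 116
12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
12:25:45.421590 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x1003da1e,seq=0x22), length 116
""".splitlines()

# Constructed capture, broken policy: the reply is routed out unencrypted.
LEAKING = """\
12:30:01.100000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc3a1b2d4,seq=0x30), length 116
12:30:01.100200 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3600, length 64
12:30:01.100300 IP 192.168.0.10 > 192.168.2.4: ICMP echo reply, id 10277, seq 3600, length 64
""".splitlines()


if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY), ("leaking", LEAKING)):
        counts, spis = classify(capture, LOCAL)
        verdict = diagnose(counts)
        print("%s: %s spis=%s\n  -> %s: %s" % (name, dict(counts), sorted(spis),
                                              verdict, EXPLANATION[verdict]))
```

To use it on a live host, capture with `tcpdump -ni eth0 esp or icmp` on the strongSwan side (the filter in the original post only matched the 192.168.0.10 plaintext, so ESP was never in view) and feed the lines to classify(); the SPIs it reports should match the `ip xfrm state` entries for the connection.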
[strongSwan] Fritzbox - strongSwan / Missing ping replies
Hi,

I've built a connection between a FRITZ!Box and a strongSwan server. On the virtual server where strongSwan is located I've added a virtual interface and configured the IP 192.168.0.10/24 on it. Now I'm trying to ping each side of the VPN with no luck.

On the server side (strongSwan) I can see the incoming ICMP requests, but cannot see an answer:

    tcpdump -i eth0 dst host 192.168.0.10 or src host 192.168.0.10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
    12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
    12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3539, length 64

My ipsec.conf:

    conn fritzbox
        aggressive=no
        keyingtries=0
        type=tunnel
        left=<strongSwan public ip>
        leftsubnet=192.168.0.0/24
        leftfirewall=yes
        lefthostaccess=yes
        leftnexthop=%defaultroute
        #
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        #
        right=<hostname of fritzbox>
        rightid=@<hostname of fritzbox>
        rightsubnet=192.168.2.0/24
        leftnexthop=%defaultroute
        #
        ikelifetime=4h
        keylife=1h
        #
        authby=secret
        auto=add

Starting strongSwan gives me the following last line:

    Jan 22 12:27:44 linux vpn: + <hostname of fritzbox> 192.168.2.0/24 === <fritzbox public ip> --- <strongSwan public ip> === 192.168.0.0/24

route shows me:

    192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

Any hints what I made wrong or where I have to tweak the settings?

Greets
Sascha
[strongSwan] Multiple %aquire-netlink messages in ipsec status
    established {ESP=0x1003da1d <0xcfbb107a}
    Nov 25 05:17:10 vpngate pluto[31774]: xyz #564: received Vendor ID payload [Dead Peer Detection]
    Nov 25 05:17:11 vpngate pluto[31774]: xyz #564: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
    Nov 25 05:17:11 vpngate pluto[31774]: xyz #564: ISAKMP SA established
    Nov 25 05:17:11 vpngate pluto[31774]: xyz #569: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#564}
    Nov 25 05:17:11 vpngate pluto[31774]: xyz #569: Dead Peer Detection (RFC 3706) enabled
    Nov 25 05:17:11 vpngate pluto[31774]: xyz #569: sent QI2, IPsec SA established {ESP=0x1003da1e <0x39f8270f}
    Nov 25 05:17:11 vpngate pluto[31774]: xyz #564: received Delete SA(0x1003da1d) payload: deleting IPSEC State #568
    Nov 25 05:17:59 vpngate pluto[31774]: xyz #565: max number of retransmissions (2) reached STATE_MAIN_R1

Best regards
Sascha Kinz