Re: [strongSwan] Remote Attestation through Cisco ASA

2017-11-15 Thread Andreas Steffen

Hi Mario,

if the Cisco ASA does not tunnel the strongSwan IKE traffic then just
do remote attestation via the PT-TLS protocol. On the client side you
can use the strongSwan pt-tls-client and on the server side add the
tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan
charon daemon.

Regards

Andreas

On 15.11.2017 23:22, Mario Maldonado wrote:

Hi all,

I wish to use strongSwan for remote attestation through a Cisco ASA, e.g.:
strongSwan gateway 192.168.0.0/24 ASA 192.168.1.0/24 Device

With no ASA I have successfully configured strongSwan with remote
attestation using the EAP-TTLS plugin. I have also managed to configure
a strongSwan connection to the ASA, giving me access to the
192.168.0.0/24 subnet. I am then unable to bring
up the attestation connection. I was hoping it would set up a tunnel
within the ASA tunnel, but from what I understand IKE traffic is exempt
from the negotiated tunnel (preventing nested tunnels) and is then blocked
by the ASA.

Is there a way around this / a nice way of achieving such a connection?

Can I use strongSwan for TNC integrity measurement without the TLS
tunnel? This way the TPM and IMA measurements can be sent through the
ASA tunnel with no issues. From looking around the docs it looks like
the only way of performing remote attestation is with the EAP-TTLS
plugin? This would also be ideal as the traffic only has to be decrypted
once by the device.

Many thanks,

Mario


--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==





[strongSwan] Remote Attestation through Cisco ASA

2017-11-15 Thread Mario Maldonado
Hi all,

I wish to use strongSwan for remote attestation through a Cisco ASA, e.g.:
strongSwan gateway 192.168.0.0/24 ASA 192.168.1.0/24 Device

With no ASA I have successfully configured strongSwan with remote
attestation using the EAP-TTLS plugin. I have also managed to configure a
strongSwan connection to the ASA, giving me access to the 192.168.0.0/24
subnet. I am then unable to bring up the attestation connection. I was
hoping it would set up a tunnel within the ASA tunnel, but from what I
understand IKE traffic is exempt from the negotiated tunnel (preventing
nested tunnels) and is then blocked by the ASA.

Is there a way around this / a nice way of achieving such a connection?

Can I use strongSwan for TNC integrity measurement without the TLS tunnel?
This way the TPM and IMA measurements can be sent through the ASA tunnel
with no issues. From looking around the docs it looks like the only way of
performing remote attestation is with the EAP-TTLS plugin? This would also
be ideal as the traffic only has to be decrypted once by the device.

Many thanks,

Mario


[strongSwan] IKEv1 reauth problem is met when working with Aruba controller

2017-11-15 Thread 曹昊阳
Hi,

I tried to make strongSwan work in road warrior mode with the VPN server
integrated in an Aruba controller. The tunnel is established successfully and
the communication is OK, but I found that the tunnel is shut down after IKE
re-authentication.
After some study, I found that after message MM6 strongSwan is waiting for
the TRANSACTION exchange carrying the XAUTH request, and Aruba never sends it;
after the timeout strongSwan relaunches an IKE Main Mode (MM) exchange, but
Aruba does not answer that either.

From the strongSwan log, it shows:
Nov  9 15:29:39 localhost charon: 07[IKE] reauthenticating IKE_SA str1[1]
Nov  9 15:29:39 localhost charon: 07[IKE] installing new virtual IP 99.99.99.91
Nov  9 15:29:39 localhost charon: 07[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:29:39 localhost charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov  9 15:29:39 localhost charon: 07[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)
Nov  9 15:29:39 localhost charon: 05[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (200 bytes)
Nov  9 15:29:39 localhost charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov  9 15:29:39 localhost charon: 05[IKE] received FRAGMENTATION vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received DPD vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received XAuth vendor ID
Nov  9 15:29:39 localhost charon: 05[IKE] received Cisco Unity vendor ID
Nov  9 15:29:39 localhost charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 05[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (372 bytes)
Nov  9 15:29:39 localhost charon: 09[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (372 bytes)
Nov  9 15:29:39 localhost charon: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov  9 15:29:39 localhost charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Nov  9 15:29:39 localhost charon: 09[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (76 bytes)
Nov  9 15:29:39 localhost charon: 10[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (76 bytes)
Nov  9 15:29:39 localhost charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov  9 15:30:09 localhost charon: 13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
Nov  9 15:30:09 localhost charon: 13[IKE] reinitiating IKE_SA str1[3]
Nov  9 15:30:09 localhost charon: 13[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:30:09 localhost charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov  9 15:30:09 localhost charon: 13[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)

I checked this with Aruba support and their answer is that the reauthentication
for XAUTH is not necessary and they only accept the reauthentication when message
MM5 includes INITIAL-CONTACT, which I think is not a correct solution
because it will result in a new virtual IP address being assigned to my VPN client.

I searched Google and it seems there are some VPN clients, like the one in
iOS/macOS, that work well with the Aruba solution: they do not mandatorily ask for
XAUTH authentication when doing IKE reauthentication. I fully
understand that strongSwan insists on redoing the authentication because of
security considerations.
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients

My request is whether it is possible for strongSwan to provide a
configurable option to allow skipping XAUTH authentication during IKE
reauthentication.

Thanks in advance.

-- 
Best Regards,

Haoyang CAO
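An added example, not from the thread or from strongSwan: a small detector run over the charon lines posted above. It flags an IKEv1 reauthentication in which the responder completed Main Mode (the `parsed ID_PROT response 0 [ ID HASH ]` line, i.e. MM6) but never started the exchange charon expected next, so charon logged `peer did not initiate expected exchange` and rebuilt the IKE_SA. The sample log is the posted one with the mail client's `*...*` markers removed and wrapped lines rejoined; the year 2017 is an assumption, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the charon lines posted above, with the mail client's
# "*...*" bold markers removed and wrapped lines re-joined (abridged to the
# lines the detector needs).
SAMPLE_LOG = """\
Nov  9 15:29:39 localhost charon: 07[IKE] reauthenticating IKE_SA str1[1]
Nov  9 15:29:39 localhost charon: 07[IKE] installing new virtual IP 99.99.99.91
Nov  9 15:29:39 localhost charon: 07[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov  9 15:29:39 localhost charon: 05[IKE] received XAuth vendor ID
Nov  9 15:29:39 localhost charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Nov  9 15:29:39 localhost charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov  9 15:30:09 localhost charon: 13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
Nov  9 15:30:09 localhost charon: 13[IKE] reinitiating IKE_SA str1[3]
Nov  9 15:30:09 localhost charon: 13[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
"""

# syslog prefix: "Mon  d HH:MM:SS host charon: NN[GROUP] message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ charon: \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
REAUTH_RE = re.compile(r"^reauthenticating IKE_SA (\S+)$")
INIT_RE = re.compile(r"^initiating Main Mode IKE_SA (\S+) to (\S+)$")
MM6_RE = re.compile(r"^parsed ID_PROT response \d+ \[ ID HASH \]$")
STALL_MSG = "peer did not initiate expected exchange, reestablishing IKE_SA"


def parse_line(line, year):
    """Split one charon syslog line into (timestamp, log group, message).
    syslog carries no year, so the caller supplies it (an assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["group"], m["msg"]


def find_stalled_reauths(log_text, year=2017):
    """Return one finding per IKEv1 reauthentication in which the responder
    answered MM6 ([ ID HASH ] parsed) but never initiated the exchange charon
    expected next, so charon gave up and reestablished the IKE_SA.  A finding
    records the old and new SA names, the peer, whether the peer advertised
    XAuth, and how long charon waited after the last peer reply."""
    findings = []
    pending = None  # the reauthentication currently being tracked
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _group, msg = parsed
        m = REAUTH_RE.match(msg)
        if m:
            pending = {"old_sa": m.group(1), "reauth_at": ts, "new_sa": None,
                       "peer": None, "mm6_at": None, "peer_offers_xauth": False}
            continue
        if pending is None:
            continue
        m = INIT_RE.match(msg)
        if m and pending["new_sa"] is None:
            pending["new_sa"], pending["peer"] = m.group(1), m.group(2)
        elif msg == "received XAuth vendor ID":
            pending["peer_offers_xauth"] = True
        elif MM6_RE.match(msg):
            pending["mm6_at"] = ts
        elif msg == STALL_MSG:
            since = pending["mm6_at"] or pending["reauth_at"]
            findings.append({**pending, "stalled_at": ts,
                             "waited_seconds": (ts - since).total_seconds()})
            pending = None  # the following "reinitiating" is a fresh attempt
    return findings


if __name__ == "__main__":
    for f in find_stalled_reauths(SAMPLE_LOG):
        print(f"reauth of {f['old_sa']} as {f['new_sa']} to {f['peer']}: peer "
              f"answered MM6 but started no further exchange; charon waited "
              f"{f['waited_seconds']:.0f}s (peer offers XAuth: {f['peer_offers_xauth']})")
```

Fed the real charon log, the same state machine shows whether every reauthentication stalls the same way (a deterministic interoperability problem, as described in the post) or only some do, and the 30-second wait between MM6 and the `[JOB]` line gives the retry cadence at which the tunnel goes down.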


Re: [strongSwan] strongSwan reuses stale OCSP responses

2017-11-15 Thread Ander Juaristi
Well, looking at the source code (5.6.0 release tarball), the "offending 
line" is at revocation_validator.c:264:


    if (revoked)
    {   /* revoked always counts, even if stale */
        *valid = VALIDATION_REVOKED;
    }

So two questions now come to my mind:

1. What's the reason for this? I might well have missed some detail in 
the specs or maybe it's just a strongSwan-specific design decision. In 
either case (for my own education), what's that line there for?


2. I've seen the stale OCSP responses are deleted from the cache on a 
'ipsec restart'. Could you please point me to the piece of code where 
that cache purge is done?


Regards,
- AJ

On 2017-11-15 13:23, Ander Juaristi wrote:

Hi,

I'm trying to set up a use case where user certificates are revoked
temporarily and then re-activated (think of a user being banned from
accessing the server at set times, according to a policy). So I've got
an OCSP server that returns either "good" or "revoked" responses
according to such policy.

Once my OCSP responder sends a "revoked" answer, strongSwan caches
that answer forever and reuses it over and over again even after it
becomes stale. I would expect strongSwan to query the OCSP responder
again once the cached response becomes stale, but it is not happening.

I don't want to be manually purging the OCSP cache with 'ipsec 
purgeocsp'.


Is there a way to tell strongSwan to remove the expired responses 
automatically?


This looks like the same use case that is described at [0].

Here [1] it says:

A valid OCSP response that revokes a particular certificate will
be used even if it is stale.

but it doesn't say why, specifically, why the response keeps on being
used even if certificateHold was specified as the revoke reason.

Thanks.

Details
===

My OCSP responder is sending revoked responses with a certificateHold
(6) CRLReason, and a next update value of 1 minute later than the
current time:

Cert Status: revoked
Revocation Time: Nov 15 12:00:55 2017 GMT
Revocation Reason: certificateHold (0x6)
This Update: Nov 15 12:00:55 2017 GMT
Next Update: Nov 15 12:01:55 2017 GMT

According to the spec [2], the certificateHold CRLReason means a
certificate has been revoked temporarily:

The "revoked" state indicates that the certificate has been 
revoked,

either temporarily (the revocation reason is certificateHold) or
permanently.

I would expect strongSwan to query the OCSP responder again when the
time expires, but that is not happening. It keeps on using cached OCSP
responses even though these are stale:

charon: 06[CFG]   ocsp response correctly signed by "C=ES, ST=, L=, O=, CN=ocsp.localhost"
charon: 06[CFG] certificate was revoked on Nov 15 12:00:55 UTC 2017, reason: certificate hold
charon: 06[CFG]   ocsp response is stale: since Nov 15 12:01:55 2017
charon: 06[CFG]   using cached ocsp response

I can clearly verify, with 'ipsec listocsp' that the response is stale:

List of OCSP responses:

  signer:   "C=ES, ST=, L=, O=, CN=ocsp.localhost"
  validity:  produced at Nov 15 12:00:55 2017
             usable till Nov 15 12:01:55 2017, expired (101 seconds ago)


References
==

[0] [strongSwan] OCSP and CRL -
https://lists.strongswan.org/pipermail/users/2015-December/009049.html
[1] Issue #1238 - https://wiki.strongswan.org/issues/1238
[2] RFC 6960 - https://tools.ietf.org/html/rfc6960#section-2.2
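An added example, not from the thread or from strongSwan's source: the two cache policies the discussion contrasts, applied to the single response and timestamps quoted above. `validate_fresh_only` discards any response once `nextUpdate` has passed; `validate_revoked_sticky` models the behaviour the thread reports for 5.6.0 ("revoked always counts, even if stale"), where only a stale "good" answer forces a fresh query. The response fields are the ones posted; `now` is chosen 101 seconds after `nextUpdate` to match the `expired (101 seconds ago)` in the `ipsec listocsp` output.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class Validation(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    STALE = "stale"  # no usable cached answer: the responder must be asked again


# Constructed sample: the fields of the single response quoted in the thread.
SAMPLE_RESPONSE = {
    "cert_status": "revoked",
    "revocation_reason": "certificateHold",
    "this_update": "Nov 15 12:00:55 2017 GMT",
    "next_update": "Nov 15 12:01:55 2017 GMT",
}


def parse_ocsp_time(text):
    """Parse the 'Nov 15 12:01:55 2017 GMT' form shown in the post."""
    naive = datetime.strptime(text.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def seconds_stale(resp, now):
    """Seconds since nextUpdate passed; zero or negative means still fresh."""
    return (now - parse_ocsp_time(resp["next_update"])).total_seconds()


def validate_fresh_only(resp, now):
    """Policy A: a stale response is never reused, whatever it says.
    A certificateHold is lifted as soon as the responder is re-queried and
    answers 'good'; the cost is that an unreachable responder makes an old
    revocation vanish from the cache once it ages out."""
    if seconds_stale(resp, now) > 0:
        return Validation.STALE
    return Validation.REVOKED if resp["cert_status"] == "revoked" else Validation.GOOD


def validate_revoked_sticky(resp, now):
    """Policy B, the behaviour the thread reports for strongSwan 5.6.0
    ("revoked always counts, even if stale"): a cached revocation is honoured
    regardless of age and only a stale 'good' answer triggers a fresh query.
    Fails closed, but a temporary certificateHold never clears on its own."""
    if resp["cert_status"] == "revoked":
        return Validation.REVOKED
    if seconds_stale(resp, now) > 0:
        return Validation.STALE
    return Validation.GOOD


def describe(resp, now):
    """Summarise a response the way 'ipsec listocsp' does, plus both verdicts."""
    stale = seconds_stale(resp, now)
    state = (f"expired ({stale:.0f} seconds ago)" if stale > 0
             else f"ok ({-stale:.0f} seconds left)")
    return (f"produced at {resp['this_update']}, usable till {resp['next_update']}, "
            f"{state}; fresh-only -> {validate_fresh_only(resp, now).value}, "
            f"revoked-sticky -> {validate_revoked_sticky(resp, now).value}")


if __name__ == "__main__":
    # 101 s after nextUpdate, matching 'expired (101 seconds ago)' in the post
    now = parse_ocsp_time(SAMPLE_RESPONSE["next_update"]) + timedelta(seconds=101)
    print(describe(SAMPLE_RESPONSE, now))
    good = {**SAMPLE_RESPONSE, "cert_status": "good", "revocation_reason": None}
    print(describe(good, now))
```

The two functions make the trade-off behind question 1 concrete: policy B can never be talked out of a revocation by a responder outage, which is why a stale "revoked" is still a usable answer, but it also means a `certificateHold` stays in effect until the cache entry is removed, which in the thread happens only via `ipsec purgeocsp` or a restart.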


[strongSwan] strongSwan reuses stale OCSP responses

2017-11-15 Thread Ander Juaristi

Hi,

I'm trying to set up a use case where user certificates are revoked 
temporarily and then re-activated (think of a user being banned from 
accessing the server at set times, according to a policy). So I've got 
an OCSP server that returns either "good" or "revoked" responses 
according to such policy.


Once my OCSP responder sends a "revoked" answer, strongSwan caches that 
answer forever and reuses it over and over again even after it becomes 
stale. I would expect strongSwan to query the OCSP responder again once 
the cached response becomes stale, but it is not happening.


I don't want to be manually purging the OCSP cache with 'ipsec 
purgeocsp'.


Is there a way to tell strongSwan to remove the expired responses 
automatically?


This looks like the same use case that is described at [0].

Here [1] it says:

A valid OCSP response that revokes a particular certificate will be 
used even if it is stale.


but it doesn't say why, specifically, why the response keeps on being 
used even if certificateHold was specified as the revoke reason.


Thanks.

Details
===

My OCSP responder is sending revoked responses with a certificateHold 
(6) CRLReason, and a next update value of 1 minute later than the 
current time:


Cert Status: revoked
Revocation Time: Nov 15 12:00:55 2017 GMT
Revocation Reason: certificateHold (0x6)
This Update: Nov 15 12:00:55 2017 GMT
Next Update: Nov 15 12:01:55 2017 GMT

According to the spec [2], the certificateHold CRLReason means a 
certificate has been revoked temporarily:


The "revoked" state indicates that the certificate has been revoked,
either temporarily (the revocation reason is certificateHold) or
permanently.

I would expect strongSwan to query the OCSP responder again when the 
time expires, but that is not happening. It keeps on using cached OCSP 
responses even though these are stale:


charon: 06[CFG]   ocsp response correctly signed by "C=ES, ST=, L=, O=, CN=ocsp.localhost"
charon: 06[CFG] certificate was revoked on Nov 15 12:00:55 UTC 2017, reason: certificate hold
charon: 06[CFG]   ocsp response is stale: since Nov 15 12:01:55 2017
charon: 06[CFG]   using cached ocsp response

I can clearly verify, with 'ipsec listocsp' that the response is stale:

List of OCSP responses:

  signer:   "C=ES, ST=, L=, O=, CN=ocsp.localhost"
  validity:  produced at Nov 15 12:00:55 2017
             usable till Nov 15 12:01:55 2017, expired (101 seconds ago)


References
==

[0] [strongSwan] OCSP and CRL - 
https://lists.strongswan.org/pipermail/users/2015-December/009049.html

[1] Issue #1238 - https://wiki.strongswan.org/issues/1238
[2] RFC 6960 - https://tools.ietf.org/html/rfc6960#section-2.2


Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Houman
I have changed both configs to 127.0.0.1 and restarted both StrongSwan and
FreeRadius but I got the same error message.
Then I changed them both to 0.0.0.0 and restarted both servers, and I still
get the same error message.

Any idea what this could be?

On Wed, Nov 15, 2017 at 9:01 AM, Michael Schwartzkopff  wrote:

> Am 15.11.2017 um 09:58 schrieb Houman:
> > Hello Michael,
> >
> >
> > Thanks for your reply.  Indeed I should have checked the radius log.  It
> > seems the shared secret is incorrect, but they do match in the configs as
> > pasted below.
> > Where else could the secret have been used that I have missed?  Thanks
> >
> > *vim /var/log/freeradius/radius.log*
> >
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
> > database "radius"
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (0), 1 of 32 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (1), 1 of 31 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (2), 1 of 30 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (3), 1 of 29 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (4), 1 of 28 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10
> spares
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (5), 1 of 27 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
> > Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
> > raddb/mods-available/README.rst)
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> > Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
> > always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> > Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> > Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
> > of error: Received packet from 127.0.0.1 with invalid
> > Message-Authenticator!  (Shared secret is incorrect.)
> >
> >
> >
> > *vim /etc/strongswan.conf*
> >
> > charon {
> >   load_modular = yes
> >   compress = yes
> >  plugins {
> > include strongswan.d/charon/*.conf
> >eap-radius {
> > servers {
> > server-a {
> > accounting = yes
> > secret = 123456
> > address = 127.0.0.1
> > auth_port = 1812
> > acct_port = 1813
> > }
> > }
> > }
> > }
> > include strongswan.d/*.conf
> > }
> >
> >
> >
> > *vim /etc/freeradius/clients.conf*
> >
> > client 0.0.0.0 {
> > secret  = 123456
> > nas_type= other
> > shortname   = 0.0.0.0
> > require_message_authenticator = no
> > }
> >
> >
> >
> > On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff 
> wrote:
> >
> >> Am 15.11.2017 um 08:24 schrieb Houman:
> >>> Hi,
> >>>
> >>> I'm new to the concept of EAP and might be misunderstanding something.
> >>> Apologies up front.
> >>>
> >>> I have finally been able to install FreeRadius and enable the SQL
> module.
> >>> I have created a user in the database and was hoping to establish a VPN
> >>> connection via that user.
> >>>
> >>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> >>> ('houman','Cleartext-Password',':=','test123');
> >>>
> >>>
> >>> When I try to connect from my MacBook into the StrongSwan server I get
> >> this
> >>> log. It looks promising but eventually, it says initiating EAP_RADIUS
> >>> method failed.
> >>>
> >>> I'm not quite sure if this has failed due a bad configuration on my
> side
> >> or
> >>> it is for other reasons that I don't quite understand how EAP should
> >> work.
> >>> Please be so kind and advise,
> >>> Thanks,
> >>> Houman
> >>>
> >>>
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> >>> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
> >> request 0
> >>> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
> >> initiating
> >>> an IKE_SA
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind
> NAT,
> >>> sending keep alives
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind
> NAT
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> >>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
> N(MULT_AUTH)
> >> ]
> >>> Nov 15 07:13:21 

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Michael Schwartzkopff
Am 15.11.2017 um 09:58 schrieb Houman:
> Hello Michael,
>
>
> Thanks for your reply.  Indeed I should have checked the radius log.  It
> seems the shared secret is incorrect, but they do match in the configs as
> pasted below.
> Where else could the secret have been used that I have missed?  Thanks
>
> *vim /var/log/freeradius/radius.log*
>
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
> database "radius"
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (0), 1 of 32 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (1), 1 of 31 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (2), 1 of 30 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (3), 1 of 29 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (4), 1 of 28 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (5), 1 of 27 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
> Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
> raddb/mods-available/README.rst)
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
> always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
> of error: Received packet from 127.0.0.1 with invalid
> Message-Authenticator!  (Shared secret is incorrect.)
>
>
>
> *vim /etc/strongswan.conf*
>
> charon {
>   load_modular = yes
>   compress = yes
>  plugins {
> include strongswan.d/charon/*.conf
>eap-radius {
> servers {
> server-a {
> accounting = yes
> secret = 123456
> address = 127.0.0.1
> auth_port = 1812
> acct_port = 1813
> }
> }
> }
> }
> include strongswan.d/*.conf
> }
>
>
>
> *vim /etc/freeradius/clients.conf*
>
> client 0.0.0.0 {
> secret  = 123456
> nas_type= other
> shortname   = 0.0.0.0
> require_message_authenticator = no
> }
>
>
>
> On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff  wrote:
>
>> Am 15.11.2017 um 08:24 schrieb Houman:
>>> Hi,
>>>
>>> I'm new to the concept of EAP and might be misunderstanding something.
>>> Apologies up front.
>>>
>>> I have finally been able to install FreeRadius and enable the SQL module.
>>> I have created a user in the database and was hoping to establish a VPN
>>> connection via that user.
>>>
>>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
>>> ('houman','Cleartext-Password',':=','test123');
>>>
>>>
>>> When I try to connect from my MacBook into the StrongSwan server I get
>> this
>>> log. It looks promising but eventually, it says initiating EAP_RADIUS
>>> method failed.
>>>
>>> I'm not quite sure if this has failed due a bad configuration on my side
>> or
>>> it is for other reasons that I don't quite understand how EAP should
>> work.
>>> Please be so kind and advise,
>>> Thanks,
>>> Houman
>>>
>>>
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
>>> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
>> request 0
>>> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
>> initiating
>>> an IKE_SA
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
>>> sending keep alives
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
>> ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
>>> 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
>>> 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type
>> (25)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1
>> [
>>> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
>>> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>> Nov 15 07:13:21 ip-172-31-9-51 

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Houman
Hello Michael,


Thanks for your reply.  Indeed I should have checked the radius log.  It
seems the shared secret is incorrect, but they do match in the configs as
pasted below.
Where else could the secret have been used that I have missed?  Thanks

*vim /var/log/freeradius/radius.log*

Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
database "radius"
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (0), 1 of 32 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (1), 1 of 31 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (2), 1 of 30 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (3), 1 of 29 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (4), 1 of 28 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (5), 1 of 27 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
raddb/mods-available/README.rst)
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
of error: Received packet from 127.0.0.1 with invalid
Message-Authenticator!  (Shared secret is incorrect.)



*vim /etc/strongswan.conf*

charon {
  load_modular = yes
  compress = yes
  plugins {
    include strongswan.d/charon/*.conf
    eap-radius {
      servers {
        server-a {
          accounting = yes
          secret = 123456
          address = 127.0.0.1
          auth_port = 1812
          acct_port = 1813
        }
      }
    }
  }
  include strongswan.d/*.conf
}



*vim /etc/freeradius/clients.conf*

client 0.0.0.0 {
secret  = 123456
nas_type= other
shortname   = 0.0.0.0
require_message_authenticator = no
}



On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff  wrote:

> Am 15.11.2017 um 08:24 schrieb Houman:
> > Hi,
> >
> > I'm new to the concept of EAP and might be misunderstanding something.
> > Apologies up front.
> >
> > I have finally been able to install FreeRadius and enable the SQL module.
> > I have created a user in the database and was hoping to establish a VPN
> > connection via that user.
> >
> > INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> > ('houman','Cleartext-Password',':=','test123');
> >
> >
> > When I try to connect from my MacBook into the StrongSwan server I get
> this
> > log. It looks promising but eventually, it says initiating EAP_RADIUS
> > method failed.
> >
> > I'm not quite sure if this has failed due a bad configuration on my side
> or
> > it is for other reasons that I don't quite understand how EAP should
> work.
> >
> > Please be so kind and advise,
> > Thanks,
> > Houman
> >
> >
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> > 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
> request 0
> > [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
> initiating
> > an IKE_SA
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
> > sending keep alives
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> > response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
> ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
> > 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
> > 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type
> (25)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1
> [
> > IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
> > DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
> > matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
> >
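An added example, not from the thread or from either project, of the check behind the `invalid Message-Authenticator!  (Shared secret is incorrect.)` line in the posted radius.log. Message-Authenticator (RFC 2869, attribute 80) is an HMAC-MD5 over the whole RADIUS packet keyed with the shared secret, so the receiver can only recompute it with byte-for-byte the same secret string. The code builds a constructed Access-Request with the thread's secret `123456` and shows that a different secret, or the same one with a trailing space, fails the check exactly the way the log reports; the User-Name `houman` is taken from the thread, the NAS-Identifier value and the fixed Request Authenticator are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-octet Request Authenticator


def attribute(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Encode an Access-Request carrying Message-Authenticator (RFC 2869 5.14):
    HMAC-MD5 keyed with the shared secret over the whole packet, computed with
    the attribute's 16 value octets set to zero, then written into place."""
    body = b"".join(attrs) + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed octets are the last 16 bytes


def verify_message_authenticator(secret, packet):
    """Return True iff the packet carries a Message-Authenticator that verifies
    under `secret`; False if it is absent, malformed, or was computed with a
    different secret.  This is what the server does before it logs
    'invalid Message-Authenticator! (Shared secret is incorrect.)'."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # attribute absent


def demo_packet(secret=b"123456"):
    """Constructed Access-Request from a NAS configured with the thread's secret.
    The Request Authenticator is fixed only to keep the demo reproducible; a
    real client draws it from os.urandom(16) for every request."""
    request_authenticator = bytes(range(16))
    return build_access_request(secret, 7, request_authenticator, [
        attribute(ATTR_USER_NAME, b"houman"),
        attribute(ATTR_NAS_IDENTIFIER, b"constructed-nas"),
    ])


if __name__ == "__main__":
    pkt = demo_packet()
    for candidate in (b"123456", b"123456 ", b"654321"):
        ok = verify_message_authenticator(candidate, pkt)
        print(f"server secret {candidate!r:12} -> "
              f"{'ok' if ok else 'invalid Message-Authenticator (Shared secret is incorrect.)'}")
    fresh = build_access_request(b"123456", 8, os.urandom(16),
                                 [attribute(ATTR_USER_NAME, b"houman")])
    print("random Request Authenticator:", verify_message_authenticator(b"123456", fresh))
```

Two consequences follow for the posted configuration: the check compares raw bytes, so a secret that looks identical in both files but differs in invisible characters fails it, and `require_message_authenticator = no` in clients.conf only makes the attribute optional; when a client includes it, as strongSwan's eap-radius plugin does, it is still verified.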