Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Houman
I have changed both configs to 127.0.0.1 and restarted both StrongSwan and
FreeRadius but I got the same error message.
Then I changed them both to 0.0.0.0 and restarted both servers, and I still
get the same error message.

Any idea what this could be?

On Wed, Nov 15, 2017 at 9:01 AM, Michael Schwartzkopff  wrote:

> On 15.11.2017 at 09:58, Houman wrote:
> > Hallo Michael,
> >
> >
> > Thanks for your reply.  Indeed I should have checked the radius log.  It
> > seems the shared secret is incorrect, but they do match in the configs as
> > pasted below.
> > Where else could the secret have been used that I have missed?  Thanks
> >
> > *vim /var/log/freeradius/radius.log*
> >
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
> > database "radius"
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (0), 1 of 32 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (1), 1 of 31 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (2), 1 of 30 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (3), 1 of 29 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (4), 1 of 28 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10
> spares
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (5), 1 of 27 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
> > Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
> > raddb/mods-available/README.rst)
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> > Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
> > always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> > Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> > Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
> > of error: Received packet from 127.0.0.1 with invalid
> > Message-Authenticator!  (Shared secret is incorrect.)
> >
> >
> >
> > *vim /etc/strongswan.conf*
> >
> > charon {
> >     load_modular = yes
> >     compress = yes
> >     plugins {
> >         include strongswan.d/charon/*.conf
> >         eap-radius {
> >             servers {
> >                 server-a {
> >                     accounting = yes
> >                     secret = 123456
> >                     address = 127.0.0.1
> >                     auth_port = 1812
> >                     acct_port = 1813
> >                 }
> >             }
> >         }
> >     }
> >     include strongswan.d/*.conf
> > }
> >
> >
> >
> > *vim /etc/freeradius/clients.conf*
> >
> > client 0.0.0.0 {
> > secret  = 123456
> > nas_type= other
> > shortname   = 0.0.0.0
> > require_message_authenticator = no
> > }
> >
> >
> >
> > On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff 
> wrote:
> >
> >> On 15.11.2017 at 08:24, Houman wrote:
> >>> Hi,
> >>>
> >>> I'm new to the concept of EAP and might be misunderstanding something.
> >>> Apologies up front.
> >>>
> >>> I have finally been able to install FreeRadius and enable the SQL
> module.
> >>> I have created a user in the database and was hoping to establish a VPN
> >>> connection via that user.
> >>>
> >>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> >>> ('houman','Cleartext-Password',':=','test123');
> >>>
> >>>
> >>> When I try to connect from my MacBook into the StrongSwan server I get
> >> this
> >>> log. It looks promising but eventually, it says initiating EAP_RADIUS
> >>> method failed.
> >>>
> >>> I'm not quite sure if this has failed due to a bad configuration on my
> side
> >> or
> >>> it is for other reasons that I don't quite understand how EAP should
> >> work.
> >>> Please be so kind and advise,
> >>> Thanks,
> >>> Houman
> >>>
> >>>
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> >>> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
> >> request 0
> >>> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
> >> initiating
> >>> an IKE_SA
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind
> NAT,
> >>> sending keep alives
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind
> NAT
> >>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> >>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
> N(MULT_AUTH)
> >> ]
> >>> Nov 15 07:13:21 

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Michael Schwartzkopff
On 15.11.2017 at 09:58, Houman wrote:
> Hallo Michael,
>
>
> Thanks for your reply.  Indeed I should have checked the radius log.  It
> seems the shared secret is incorrect, but they do match in the configs as
> pasted below.
> Where else could the secret have been used that I have missed?  Thanks
>
> *vim /var/log/freeradius/radius.log*
>
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
> database "radius"
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (0), 1 of 32 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (1), 1 of 31 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (2), 1 of 30 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (3), 1 of 29 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (4), 1 of 28 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (5), 1 of 27 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
> Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
> raddb/mods-available/README.rst)
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
> always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
> of error: Received packet from 127.0.0.1 with invalid
> Message-Authenticator!  (Shared secret is incorrect.)
>
>
>
> *vim /etc/strongswan.conf*
>
> charon {
>     load_modular = yes
>     compress = yes
>     plugins {
>         include strongswan.d/charon/*.conf
>         eap-radius {
>             servers {
>                 server-a {
>                     accounting = yes
>                     secret = 123456
>                     address = 127.0.0.1
>                     auth_port = 1812
>                     acct_port = 1813
>                 }
>             }
>         }
>     }
>     include strongswan.d/*.conf
> }
>
>
>
> *vim /etc/freeradius/clients.conf*
>
> client 0.0.0.0 {
> secret  = 123456
> nas_type= other
> shortname   = 0.0.0.0
> require_message_authenticator = no
> }
>
>
>
> On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff  wrote:
>
>> On 15.11.2017 at 08:24, Houman wrote:
>>> Hi,
>>>
>>> I'm new to the concept of EAP and might be misunderstanding something.
>>> Apologies up front.
>>>
>>> I have finally been able to install FreeRadius and enable the SQL module.
>>> I have created a user in the database and was hoping to establish a VPN
>>> connection via that user.
>>>
>>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
>>> ('houman','Cleartext-Password',':=','test123');
>>>
>>>
>>> When I try to connect from my MacBook into the StrongSwan server I get
>> this
>>> log. It looks promising but eventually, it says initiating EAP_RADIUS
>>> method failed.
>>>
>>> I'm not quite sure if this has failed due to a bad configuration on my side
>> or
>>> it is for other reasons that I don't quite understand how EAP should
>> work.
>>> Please be so kind and advise,
>>> Thanks,
>>> Houman
>>>
>>>
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
>>> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
>> request 0
>>> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
>> initiating
>>> an IKE_SA
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
>>> sending keep alives
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
>> ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
>>> 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
>>> 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type
>> (25)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1
>> [
>>> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
>>> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>> Nov 15 07:13:21 ip-172-31-9-51 

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Houman
Hallo Michael,


Thanks for your reply.  Indeed I should have checked the radius log.  It
seems the shared secret is incorrect, but they do match in the configs as
pasted below.
Where else could the secret have been used that I have missed?  Thanks

*vim /var/log/freeradius/radius.log*

Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
database "radius"
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (0), 1 of 32 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (1), 1 of 31 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (2), 1 of 30 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (3), 1 of 29 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (4), 1 of 28 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (5), 1 of 27 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
raddb/mods-available/README.rst)
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
of error: Received packet from 127.0.0.1 with invalid
Message-Authenticator!  (Shared secret is incorrect.)



*vim /etc/strongswan.conf*

charon {
    load_modular = yes
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            servers {
                server-a {
                    accounting = yes
                    secret = 123456
                    address = 127.0.0.1
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    include strongswan.d/*.conf
}



*vim /etc/freeradius/clients.conf*

client 0.0.0.0 {
secret  = 123456
nas_type= other
shortname   = 0.0.0.0
require_message_authenticator = no
}



On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff  wrote:

> On 15.11.2017 at 08:24, Houman wrote:
> > Hi,
> >
> > I'm new to the concept of EAP and might be misunderstanding something.
> > Apologies up front.
> >
> > I have finally been able to install FreeRadius and enable the SQL module.
> > I have created a user in the database and was hoping to establish a VPN
> > connection via that user.
> >
> > INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> > ('houman','Cleartext-Password',':=','test123');
> >
> >
> > When I try to connect from my MacBook into the StrongSwan server I get
> this
> > log. It looks promising but eventually, it says initiating EAP_RADIUS
> > method failed.
> >
> > I'm not quite sure if this has failed due to a bad configuration on my side
> or
> > it is for other reasons that I don't quite understand how EAP should
> work.
> >
> > Please be so kind and advise,
> > Thanks,
> > Houman
> >
> >
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> > 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
> request 0
> > [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
> initiating
> > an IKE_SA
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
> > sending keep alives
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> > response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
> ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
> > 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
> > 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type
> (25)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1
> [
> > IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
> > DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
> > matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
> > 
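
The radius.log line above ("invalid Message-Authenticator! (Shared secret is incorrect.)") is FreeRADIUS recomputing the Message-Authenticator attribute of the Access-Request under its own copy of the client secret and finding that it does not match. Because the packet is dropped without any reply, the NAS (charon) only ever sees timeouts and retransmits. The following is an added example, not code from this thread or from the strongSwan or FreeRADIUS projects: it builds an Access-Request with the RFC 2869 Message-Authenticator (HMAC-MD5 over the packet with the attribute value zeroed) and performs the same verification FreeRADIUS does, so the effect of a secret that differs only by a stray trailing space or quote character can be seen directly. The secret, identifier, user name and NAS address are constructed sample values modelled on the configs posted in this thread.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def _find_attr(packet, wanted):
    """Return the offset of the first attribute of type `wanted`, or -1."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if attr_type == wanted:
            return pos
        pos += attr_len
    return -1


def build_access_request(secret, identifier, username, nas_ip, authenticator=None):
    """Build an Access-Request whose Message-Authenticator is keyed with `secret`.

    Per RFC 2869 section 5.14 the HMAC-MD5 is computed over the whole packet with
    the 16-byte Message-Authenticator value set to zero, then written into that slot.
    """
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(attrs), authenticator)
    packet = bytearray(header + attrs)
    mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    offset = _find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    packet[offset + 2:offset + 18] = mac
    return bytes(packet)


def verify_message_authenticator(packet, secret):
    """True iff the packet's Message-Authenticator validates under `secret`.

    This is the check FreeRADIUS performs before answering; when it fails the
    request is dropped without a reply, which the NAS sees only as a timeout.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    offset = _find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if offset < 0 or packet[offset + 1] != 18:
        return False
    received = packet[offset + 2:offset + 18]
    zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample: the NAS signs with "123456", as in the posted configs.
    pkt = build_access_request(b"123456", 2, "houman", "127.0.0.1")
    print("server secret '123456'  ->", verify_message_authenticator(pkt, b"123456"))
    # A trailing space copied into one of the two config files is enough to fail.
    print("server secret '123456 ' ->", verify_message_authenticator(pkt, b"123456 "))
```

Both sides must hold byte-for-byte identical secrets; since clients.conf and strongswan.conf are parsed by different programs, the usual culprits are trailing whitespace, quotes that one parser keeps and the other strips, or a second `client` block that matches the source address first and carries a different secret.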

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-14 Thread Michael Schwartzkopff
On 15.11.2017 at 08:24, Houman wrote:
> Hi,
>
> I'm new to the concept of EAP and might be misunderstanding something.
> Apologies up front.
>
> I have finally been able to install FreeRadius and enable the SQL module.
> I have created a user in the database and was hoping to establish a VPN
> connection via that user.
>
> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> ('houman','Cleartext-Password',':=','test123');
>
>
> When I try to connect from my MacBook into the StrongSwan server I get this
> log. It looks promising but eventually, it says initiating EAP_RADIUS
> method failed.
>
> I'm not quite sure if this has failed due to a bad configuration on my side or
> it is for other reasons that I don't quite understand how EAP should work.
>
> Please be so kind and advise,
> Thanks,
> Houman
>
>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0
> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating
> an IKE_SA
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
> sending keep alives
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
> 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
> 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [
> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
> matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
> 'roadwarrior'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY
> method (id 0x00)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com'
> (myself) with RSA signature successful
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=
> vpn2.t.com"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,
> O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with
> length of 3334 bytes into 7 fragments
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(1/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(2/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(3/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(4/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(5/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(6/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(7/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
> 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET]
> sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
> 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from
> 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity
> 'houman'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
> Access-Request to server 'server-a'
> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
> Access-Request (timeout: 2.8s)
> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,
> already processing
> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
> Access-Request (timeout: 3.9s)
> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2,
> already processing
> Nov 15 

[strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-14 Thread Houman
Hi,

I'm new to the concept of EAP and might be misunderstanding something.
Apologies up front.

I have finally been able to install FreeRadius and enable the SQL module.
I have created a user in the database and was hoping to establish a VPN
connection via that user.

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
('houman','Cleartext-Password',':=','test123');


When I try to connect from my MacBook into the StrongSwan server I get this
log. It looks promising but eventually, it says initiating EAP_RADIUS
method failed.

I'm not quite sure if this has failed due to a bad configuration on my side or
it is for other reasons that I don't quite understand how EAP should work.

Please be so kind and advise,
Thanks,
Houman


Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating
an IKE_SA
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
sending keep alives
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
'roadwarrior'
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY
method (id 0x00)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com'
(myself) with RSA signature successful
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=
vpn2.t.com"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with
length of 3334 bytes into 7 fragments
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(1/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(2/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(3/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(4/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(5/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(6/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(7/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET]
sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from
88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [
EAP/RES/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity
'houman'
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
Access-Request (timeout: 3.9s)
Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS
Access-Request (timeout: 5.5s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:35 ip-172-31-9-51 charon:
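
The charon log above shows the pattern that a silently dropped RADIUS request produces on the strongSwan side: one "sending RADIUS Access-Request to server" line followed by retransmits with growing timeouts and no Access-Accept or Access-Reject, after which the EAP method fails. The retransmit lines do not repeat the server name, so the worker thread id ("15" in "15[CFG]") is what ties them to the request. The following is an added example, not code from this thread or from strongSwan or FreeRADIUS: it parses both logs, correlates the timeouts on the NAS with the drop reason FreeRADIUS records, and returns a verdict. The sample log lines are constructed from the messages posted in this thread; the "initiating EAP_RADIUS method failed" line is the phrasing the original post describes, and the regexes assume the message formats shown here.

```python
import re
from collections import OrderedDict

# Patterns for the charon (strongSwan) syslog lines and the FreeRADIUS radius.log
# line seen in this thread. The worker thread id is the only key that links a
# retransmit line back to the request it belongs to.
SEND_RE = re.compile(r"charon: (?P<thr>\d+)\[CFG\] sending RADIUS Access-Request "
                     r"to server '(?P<server>[^']+)'")
RETX_RE = re.compile(r"charon: (?P<thr>\d+)\[CFG\] retransmit (?P<n>\d+) of RADIUS "
                     r"Access-Request \(timeout: (?P<t>[\d.]+)s\)")
FAIL_RE = re.compile(r"charon: (?P<thr>\d+)\[IKE\] initiating EAP_RADIUS method failed")
DROP_RE = re.compile(r"Dropping packet without response because of error: Received "
                     r"packet from (?P<src>[\d.]+) with invalid Message-Authenticator!"
                     r"\s*\((?P<reason>[^)]*)\)")

# Constructed sample lines modelled on the logs posted in this thread.
CHARON_SAMPLE = """\
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method failed
""".splitlines()

RADIUS_SAMPLE = """\
Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.)
""".splitlines()


def summarize_charon(lines):
    """Per worker thread: RADIUS server, retransmit count, last timeout, failure flag."""
    attempts = OrderedDict()
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            attempts[m["thr"]] = {"server": m["server"], "retransmits": 0,
                                  "last_timeout": 0.0, "failed": False}
            continue
        m = RETX_RE.search(line)
        if m and m["thr"] in attempts:
            attempts[m["thr"]]["retransmits"] = int(m["n"])
            attempts[m["thr"]]["last_timeout"] = float(m["t"])
            continue
        m = FAIL_RE.search(line)
        if m and m["thr"] in attempts:
            attempts[m["thr"]]["failed"] = True
    return attempts


def summarize_radius(lines):
    """Silent drops recorded by FreeRADIUS, as (source address, reason) pairs."""
    drops = []
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            drops.append((m["src"], m["reason"].strip()))
    return drops


def diagnose(charon_lines, radius_lines):
    """Correlate both logs and return timeouts, drops and a one-word verdict."""
    timeouts = [(thr, a) for thr, a in summarize_charon(charon_lines).items()
                if a["retransmits"] > 0]
    drops = summarize_radius(radius_lines)
    if timeouts and any("secret" in reason.lower() for _, reason in drops):
        verdict = "shared-secret-mismatch"
    elif timeouts and not drops:
        # Nothing reached FreeRADIUS, or no client block matched: check address,
        # port, firewall and the clients.conf entry for the NAS source address.
        verdict = "no-reply-nothing-logged"
    elif timeouts:
        verdict = "no-reply-dropped-other-reason"
    else:
        verdict = "ok"
    return {"timeouts": timeouts, "drops": drops, "verdict": verdict}


if __name__ == "__main__":
    result = diagnose(CHARON_SAMPLE, RADIUS_SAMPLE)
    for thr, a in result["timeouts"]:
        print("thread %s: %d retransmit(s) to '%s', last timeout %.1fs, failed=%s"
              % (thr, a["retransmits"], a["server"], a["last_timeout"], a["failed"]))
    for src, reason in result["drops"]:
        print("FreeRADIUS dropped a request from %s without reply: %s" % (src, reason))
    print("verdict:", result["verdict"])
```

Run against a real deployment, feed it the charon syslog and radius.log for the same time window; a "no-reply-nothing-logged" verdict points at reachability or client matching rather than the secret, which is the distinction the two logs in this thread make visible only when read together.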