Re: [strongSwan] Strongswan + IKEv2 + eap-radius accounting issue

2018-09-24 Thread Konstantin Votinov
Hi Nikola,

Thank you for pointing that out - I've just forgotten to set it back to 1813 after 
trying to debug (yup, I've tried even that :) )

That being said, the problem persists with the correct accounting port (1813) and 
doesn't seem to be related to it.

Regards,
Konstantin.

‐‐‐ Original Message ‐‐‐
On Sunday, September 23, 2018 9:15 PM, Nikola Kolev  wrote:

> Hi,
>
> It seems that you have set both auth_port and acct_port to 1812, while 
> acct_port should be udp/1813. Can you please check if changing that fixes the 
> issue?
>
> Nikola
>

Re: [strongSwan] Strongswan + IKEv2 + eap-radius accounting issue

2018-09-23 Thread Nikola Kolev
Hi,

It seems that you have set both auth_port and acct_port to 1812, while 
acct_port should be udp/1813. Can you please check if changing that fixes the 
issue?

Nikola

September 23, 2018 8:36 AM, "Konstantin Votinov" <voti...@protonmail.com> wrote:
Hi all,

I am having issues with the eap-radius plugin when "accounting = yes" is set.

I have IPSec and IKEv2 connections set up in Strongswan.

IPSec (conn IKEv1-PSK-XAuth) works correctly whether accounting is set to "no" 
or "yes".

IKEv2 (conn ikev2-mschapv2-apple) doesn't connect with accounting set to "yes", 
but connects with accounting set to "no".

I've tried to increase the timeout, but it didn't work.
Below is the log for the IKEv2 connection attempt:
Sep 23 15:21:35 07[NET] received packet: from this.is.my.ip[33584] to 
this.is.server.ip[500] (304 bytes) 
Sep 23 15:21:35 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 
Sep 23 15:21:35 07[IKE] this.is.my.ip is initiating an IKE_SA 
Sep 23 15:21:35 07[IKE] remote host is behind NAT 
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., 
OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority" 
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., 
OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA" 
Sep 23 15:21:35 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ] 
Sep 23 15:21:35 07[NET] sending packet: from this.is.server.ip[500] to 
this.is.my.ip[33584] (385 bytes) 
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to 
this.is.server.ip[4500] (348 bytes) 
Sep 23 15:21:35 10[ENC] unknown attribute type (25) 
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) 
N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) 
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ] 
Sep 23 15:21:35 10[CFG] looking for peer configs matching 
this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137] 
Sep 23 15:21:35 10[CFG] selected peer config 'ikev2-mschapv2-apple' 
Sep 23 15:21:35 10[IKE] initiating EAP_IDENTITY method (id 0x00) 
Sep 23 15:21:35 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 
TFC padding 
Sep 23 15:21:35 10[IKE] peer supports MOBIKE 
Sep 23 15:21:35 10[IKE] authentication of 'ikev2.mydomain.net' (myself) with 
RSA signature successful 
Sep 23 15:21:35 10[IKE] sending end entity cert "C=IL, CN=ikev2.mydomain.net" 
Sep 23 15:21:35 10[IKE] sending issuer cert "C=IL, O=StartCom Ltd., OU=StartCom 
Certification Authority, CN=StartCom Class 1 DV Server CA" 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH 
EAP/REQ/ID ] 
Sep 23 15:21:35 10[ENC] splitting IKE message with length of 3660 bytes into 4 
fragments 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(1/4) ] 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(2/4) ] 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(3/4) ] 
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(4/4) ] 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to 
this.is.my.ip[33585] (1248 bytes) 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to 
this.is.my.ip[33585] (1248 bytes) 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to 
this.is.my.ip[33585] (1248 bytes) 
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to 
this.is.my.ip[33585] (112 bytes) 
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to 
this.is.server.ip[4500] (92 bytes) 
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ] 
Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif' 
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer' 
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 
'radiusServer' 
Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01) 
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ] 
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to 
this.is.my.ip[33585] (92 bytes) 
Sep 23 15:21:35 08[NET] received packet: from this.is.my.ip[33585] to 
this.is.server.ip[4500] (76 bytes) 
Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ] 
Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer' 
Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 
'radiusServer' 
Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ] 
Sep 23 15:21:35 08[NET] sending packet: from this.is.server.ip[4500] to 
this.is.my.ip[33585] (108 bytes) 
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to 
this.is.server.ip[4500] (140 bytes) 
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ] 
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request
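As an added example (not code from the thread or from the strongSwan project), the following Python script walks charon log lines like those quoted above and pairs each RADIUS request charon sends with the reply it logs afterwards on the same worker thread, so a request left without a reply at the end of the EAP exchange stands out. The sample lines are constructed from the post, and pairing by worker thread is an assumption about how eap-radius logs the exchange.

```python
import re

# Constructed sample input: a subset of the charon log lines quoted in the
# thread, ending with the Access-Request that gets no reply in the original log.
SAMPLE_LOG = """\
Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif'
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01)
Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
"""

# "<timestamp> <thread>[<group>] <message>" as charon writes it to syslog
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\d+)\[(\w+)\] (.*)$")
RADIUS_RE = re.compile(
    r"^(sending|received) RADIUS ([\w-]+) (?:to|from) server '([^']+)'")
EAP_RE = re.compile(r"EAP/(?:REQ|RES)/\w+")


def analyze_radius(log_text):
    """Pair each RADIUS request with the reply logged later on the same worker
    thread (assumption: eap-radius logs both on that thread) and summarise."""
    pending = {}        # thread id -> request code still waiting for a reply
    exchanges = []      # (request code, reply code) pairs in log order
    last_eap = None     # last EAP payload seen, i.e. where the exchange stopped
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, thread, _group, msg = m.groups()
        eap = EAP_RE.search(msg)
        if eap:
            last_eap = eap.group(0)
        r = RADIUS_RE.match(msg)
        if not r:
            continue
        direction, code, _server = r.groups()
        if direction == "sending":
            pending[thread] = code
        elif thread in pending:
            exchanges.append((pending.pop(thread), code))
    return {"exchanges": exchanges,
            "unanswered": sorted(pending.values()),
            "last_eap": last_eap}


if __name__ == "__main__":
    result = analyze_radius(SAMPLE_LOG)
    for req, rep in result["exchanges"]:
        print(f"{req} -> {rep}")
    print("unanswered:", result["unanswered"], "| last EAP:", result["last_eap"])
```

Run it against the full charon output of a failing and a working attempt (accounting = yes vs. no) and compare which request is left unanswered and at which EAP payload the exchange stops.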