Hi Bjarke,

I am not sure about that topic, but I think it is supported by strongSwan. I can remember that I saw a configuration of strongSwan using a remote RADIUS server for doing the authentication work. The configuration should be made in your strongswan.conf file. If I am right, you should have a section like

    charon {
        eap-radius {
            server:
            secret:
        }
    }

I think that is what you intend to do...

I think it would be a good idea to have a downloadable virtual machine containing an already configured strongSwan. So everybody would be able just to download it and get things running in a first step...

Thanks again to all the strongSwan developers! You did/do an excellent work! :)

Kind regards / Best regards

Sven Kerschbaum

Siemens AG
Industry Sector Industry Automation Division
mailto:sven.kerschb...@siemens.com
http://www.siemens.com/automation

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme
Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer;
Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann Requardt, Siegfried Russwurm, Peter Y. Solmssen
Registered offices: Berlin and Munich;
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
WEEE-Reg.-No. DE 23691322


-----Original Message-----
From: Bjarke Istrup Pedersen [mailto:gu...@gurlinet.dk]
Sent: Friday, 7 May 2010 13:57
To: Kerschbaum, Sven
Cc: Tobias Brunner; Martin Willi; users@lists.strongswan.org
Subject: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Hey,

I'm about to use the same configuration that you are setting up.
I was wondering if it is possible to get strongSwan to read the usernames and passwords from something other than the ipsec.secrets file? (Like using RADIUS to read the values from a Windows AD)

Best regards,
Bjarke

2010/5/7 Kerschbaum, Sven <sven.kerschb...@siemens.com>:
> Hi Tobias, Hi Martin,
>
> thanks for your replies!
>
> I fixed the issue of the missing md4 plugin. Now md4 is being successfully
> loaded as a plugin during startup of strongSwan:
>
> 01[DMN] loaded plugins: aes des sha1 sha2 md4 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> That's true, Tobias, the IKE AUTH gets sent by strongSwan. But I still can't
> figure out why strongSwan does not include the CERT in the IKE AUTH
> response (in fact Win 7 sends a CERTREQ to strongSwan):
>
> 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
> 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
> 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/private/clientkey.pem'
> 01[CFG] loaded EAP secret for test
>
> ...
>
> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
> 07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"
> 07[CFG] looking for peer configs matching 192.168.10.90[%any]...192.168.10.12[192.168.10.12]
> 07[CFG] selected peer config 'host-host'
> 07[IKE] initiating EAP-Identity request
> 07[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
> 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> 07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Any ideas what's going wrong? Why does strongSwan not reply with IKE AUTH
> [Idr AUTH CERT EAP REQ/ID] as I would expect? Could it be a
> misconfiguration of strongSwan? My ipsec.conf looks as follows:
>
> config setup
>     plutostart=no
>
> conn host-host
>     esp=3des-sha1
>     ike=3des-sha1-modp1024
>     left=%defaultroute
>     leftsubnet=192.168.2.0/24
>     leftcert=clientcert.pem
>     leftsendcert=never
>     right=192.168.10.12
>     rightsubnet=192.168.3.0/24
>     rightauth=eap-mschapv2
>     eap_identity=%any
>     keyexchange=ikev2
>     auto=add
>
> Thanks for your help!
> Kind Regards,
> Sven
>
>
> -----Original Message-----
> From: Tobias Brunner [mailto:tob...@strongswan.org]
> Sent: Friday, 7 May 2010 11:34
> To: Martin Willi
> Cc: Kerschbaum, Sven; users@lists.strongswan.org
> Subject: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)
>
> Hi Martin, Hi Sven,
>
> the response is just a little bit below:
>
>> 08[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
>> 08[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
>> 08[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Which indicates that the gateway certificate is not sent, which might cause this
> error in Win7.
>
> One other thing, not related to this particular error, but it will cause the
> authentication to fail later:
>
>> 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> The MD4 plugin is not built/loaded (which is required if you don't use the
> OpenSSL plugin), therefore the NT-Hashes cannot be generated.
>
> Regards,
> Tobias
>
> --
> ======================================================================
> Tobias Brunner                                  tob...@strongswan.org
> strongSwan - The Linux VPN Solution!          http://www.strongswan.org
> ======================================================================
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
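As an added example (not part of the thread and not strongSwan project code), here is a small Python lint for the two symptoms discussed above: `leftsendcert=never` in ipsec.conf, which tells charon never to include its own certificate even when the client sends a CERTREQ, and an IKE_AUTH response logged without a CERT payload. The sample config and log lines are constructed from the excerpts quoted in the thread; the function names are my own.

```python
import re

# Sample inputs constructed from the ipsec.conf and charon log quoted in the thread (abridged).
SAMPLE_IPSEC_CONF = """\
config setup
    plutostart=no
conn host-host
    left=%defaultroute
    leftsendcert=never
    right=192.168.10.12
    rightauth=eap-mschapv2
    keyexchange=ikev2
"""
SAMPLE_LOG = [
    '07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"',
    "07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]",
]
RESPONSE_RE = re.compile(r"generating IKE_AUTH response \d+ \[(.*?)\]")

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' section; other sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                   # an unindented line opens a section
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def find_suppressed_certs(conns):
    """Conns that authenticate the peer with EAP but never send the gateway's own certificate.
    leftsendcert defaults to 'ifasked'; 'never' (or 'no') drops the CERT payload even on CERTREQ."""
    return sorted(name for name, opts in conns.items()
                  if opts.get("rightauth", "").startswith("eap-")
                  and opts.get("leftsendcert", "ifasked").lower() in ("never", "no"))

def certreq_unanswered(log_lines):
    """True if a CERTREQ was logged but the following IKE_AUTH response carried no CERT payload."""
    saw_certreq = False
    for line in log_lines:
        saw_certreq = saw_certreq or "received cert request" in line
        m = RESPONSE_RE.search(line)
        if m and saw_certreq:
            return "CERT" not in m.group(1).split()  # payload tokens, e.g. ['IDr', 'AUTH', 'EAP']
    return False
```

Running it against the constructed samples reports `host-host` as suppressing its certificate and flags the logged response; changing `leftsendcert` to `ifasked` clears the config finding.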