Hi Dmitry,

It looks like a problem on the RADIUS side. I know I had to modify the source code to add a NAS-Identifier AVP to the RADIUS request to make my AAA server happy. [Note: I'm not using FreeRADIUS, I'm using my own AAA.]

I think you'll need to look at the AAA log file to see why it's rejecting the request. If you have a pcap file of the RADIUS transaction I can take a look and make sure it's similar to mine.

cheers
AlanE

2011/7/5 [email protected] <[email protected]>

> Hello, Alan
> Thank you for your reply.
>
> I've tried various configurations and got different results, but neither result was desirable.
>
> ipsec.conf:
>
> config setup
>     strictcrlpolicy=no
>     plutostart=no
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>
> conn rw-eap
>     left=83.149.6.20
>     leftsubnet=10.0.0.0/24
>     #[email protected]
>     #leftcert=moonCert.pem
>     #leftauth=pubkey
>     leftfirewall=yes
>     #rightid=*@strongswan.org
>     rightauth=eap-radius
>     #eap_identity=%any
>     rightsendcert=never
>     right=%any
>     auto=add
>
> strongswan.conf:
>
> charon {
>     load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
>     plugins {
>         eap-radius {
>             secret = secret
>             server = 10.255.2.70
>         }
>     }
>     filelog {
>         /usr/local/strongswan/logs/charon.log {
>             # add a timestamp prefix
>             time_format = %b %e %T
>             # loggers to files also accept the append option to open files in
>             # append mode at startup (default is yes)
>             append = no
>             # the default loglevel for all daemon subsystems (defaults to 1).
>             default = 4
>             # flush each line to disk
>             flush_line = yes
>         }
>     }
> }
>
> With this configuration strongSwan sends packets to the RADIUS server, but these packets do not contain the necessary data.
> If I configure strongSwan as described here (https://lists.strongswan.org/pipermail/users/2011-May/006231.html, third link --> rw-eap-sim-id-radius), no packets are sent to the RADIUS server.
>
> --
> Best regards, Dmitry.
>
> Alan Evans writes:
>
>> Hi Dmitry,
>>
>> I have this working in my setup.
>>
>> If you send me your ipsec.conf file and log file I will take a quick look.
>> Set charondebug = "ike 3, cfg 3, net 3, knl 3" in the ipsec.conf file so we get some debug info.
>>
>> cheers
>> AlanE
>>
>> 2011/7/5 [email protected] <[email protected]>
>>
>>> Hello,
>>>
>>> Dear developers, help me, please.
>>> Is it possible to configure strongSwan to work according to the attached diagram?
>>> In short: I need to configure authorization for IKEv2 with EAP-SIM with a RADIUS server.
>>> I can't do it yet.
>>> I take dumps of each packet exchange and decrypt them using Wireshark.
>>> The dump shows that the information request from strongSwan to the client does not occur, and the information from the first IKE_AUTH packet is sent to the RADIUS server.
>>> Since the RADIUS server does not receive the necessary data, it returns 'Access-Reject', and in the response 'IKE_AUTH' packet strongSwan sends 'EAP-FAILURE' and terminates the connection.
>>>
>>> I will be very grateful for any help.
>>>
>>> --
>>> Best regards, Dmitry.
>>>
>>>
>>> ---------------------------------------------------------------------------------------------------
>>>
>>> Hello,
>>>
>>> Dear developers, please help me figure this out.
>>> Is it possible to configure strongSwan so that it works according to the attached diagram?
>>> In short: I need to configure IKEv2 with authorization via EAP-SIM with a RADIUS server.
>>> So far I have not been able to do this at all.
>>> I take dumps of each packet exchange and decrypt them using Wireshark.
>>> The dumps show that no information request to the client occurs, and the information from the first 'IKE_AUTH' packet is sent to the RADIUS server.
>>> Since the RADIUS server does not receive the necessary data, it replies 'Access-Reject', and in the response 'IKE_AUTH' packet strongSwan sends 'EAP-FAILURE' and terminates the connection.
>>>
>>> I will be very grateful for any help.
>>>
>>> --
>>> Best regards, Dmitry.
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
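Alan's advice above is to pull the RADIUS transaction out of a pcap and compare it with a working one. As an added example (not code from this thread, from strongSwan or from anyone's AAA server), the following Python script parses a RADIUS Access-Request, reports which of the attributes the AAA server may insist on are absent (User-Name, the NAS-Identifier Alan had to add by hand, EAP-Message and Message-Authenticator; that list is an assumption to adjust for your server), and verifies the Message-Authenticator HMAC-MD5 against the shared secret. The sample packets are constructed inline; in practice you would feed it the UDP payload exported from Wireshark.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) an EAP-over-RADIUS Access-Request should carry.
ATTR_NAMES = {1: "User-Name", 32: "NAS-Identifier", 79: "EAP-Message", 80: "Message-Authenticator"}
REQUIRED = (1, 32, 79, 80)  # assumption: what the AAA server insists on; adjust to your server

def parse_attributes(packet):
    """Return [(type, value), ...] from an Access-Request (code 1); raise on malformed input."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = [], 20  # attributes follow the 4-byte header and 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def message_authenticator_ok(packet, secret):
    """RFC 3579 3.2: HMAC-MD5(secret) over the packet with the Message-Authenticator value zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == 80 and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent or wrong size: EAP requests must carry it

def check_access_request(packet, secret):
    """Return (names of REQUIRED attributes that are missing, Message-Authenticator verdict)."""
    present = {atype for atype, _ in parse_attributes(packet)}
    missing = [ATTR_NAMES[t] for t in REQUIRED if t not in present]
    return missing, message_authenticator_ok(packet, secret)

def build_access_request(secret, attrs, ident=7):
    """Construct a sample Access-Request from [(type, value)] with a valid Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", 80, 18) + bytes(16)  # placeholder MA, filled in below
    authenticator = bytes(range(16))  # constructed Request Authenticator; a real NAS uses random bytes
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

Run `check_access_request(payload, b"secret")` on the bytes of each Access-Request in the capture; a non-empty first element names what the request never carried, and a `False` second element means the shared secret in strongswan.conf does not match the server's.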
