Hi,

It's very weird that after I loaded the EAP-Identity module in charon, the log shows that EAP-Identity is indeed used, by the following:

Oct 28 21:38:16 vpn charon: 04[IKE] initiating EAP-Identity request

But now Freeradius does not receive any request from Strongswan, nor does Strongswan say it's contacting the radius server in the log.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Friday, October 28, 2011 1:47 AM
To: T Z
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan+RADIUS secret code problem?

Hello,

did you enable EAP Identity?

./configure ... --enable-eap-identity

Regards

Andreas

On 10/28/2011 06:37 AM, T Z wrote:
> Hi all,
>
> I'm using Strongswan 4.5.2 (from Debian squeeze-backports) and
> Freeradius 2.1.0 (from Debian stable) to construct an IKEv2 VPN for my
> clients. It seems that Strongswan is connected with Freeradius, but
> the client connection just fails. Testing with the Windows 7 IKEv2 client, it
> prompts "Error 13801: IKE authentication credentials are unacceptable."
>
> Here's the log:
>
> /var/log/syslog:
> Oct 28 13:31:06 vpn charon: 08[NET] received packet: from client.ip.address[500] to server.ip.address[500]
> Oct 28 13:31:06 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an IKE_SA
> Oct 28 13:31:06 vpn charon: 08[IKE] remote host is behind NAT
> Oct 28 13:31:06 vpn charon: 08[IKE] sending cert request for "C=CH, O=TonyVPN, CN=TonyVPN CA"
> Oct 28 13:31:06 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 28 13:31:06 vpn charon: 08[NET] sending packet: from server.ip.address[500] to client.ip.address[500]
> Oct 28 13:31:07 vpn charon: 10[NET] received packet: from client.ip.address[4500] to server.ip.address[4500]
> Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP4_SERVER
> Oct 28 13:31:07 vpn charon: 10[ENC] unknown attribute type INTERNAL_IP6_SERVER
> Oct 28 13:31:07 vpn charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Oct 28 13:31:07 vpn charon: 10[IKE] received 32 cert requests for an unknown ca
> Oct 28 13:31:07 vpn charon: 10[CFG] looking for peer configs matching server.ip.address[%any]...client.ip.address[client.nat.ip.address]
> Oct 28 13:31:07 vpn charon: 10[CFG] selected peer config 'L2TP-PSK-NAT'
> Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config inacceptable
> Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'
> Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, but not supported
> Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to server 'vpnserver'
> Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge from server 'vpnserver'
> Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)
> Oct 28 13:31:07 vpn charon: 10[IKE] peer supports MOBIKE
> Oct 28 13:31:07 vpn charon: 10[IKE] authentication of 'C=CH, O=VPN, CN=server.ip.address' (myself) with RSA signature successful
> Oct 28 13:31:07 vpn charon: 10[IKE] sending end entity cert "C=CH, O=VPN, CN=server.ip.address"
> Oct 28 13:31:07 vpn charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]
> Oct 28 13:31:07 vpn charon: 10[NET] sending packet: from server.ip.address[4500] to client.ip.address[4500]
> Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after timeout
>
> /var/log/auth.log:
> Oct 28 13:31:06 japanvpn charon: 08[IKE] client.ip.address is initiating an IKE_SA
>
> /etc/ipsec.conf:
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     auto=add
>     left=server.ip.address
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=serverCert.pem
>     right=%any
>     rightsourceip=192.168.104.0/0
>     rightauth=eap-radius
>     rightsendcert=never
>     eap_identity=%any
>
> /etc/strongswan.conf:
> eap-radius {
>     servers {
>         vpnserver {
>             secret = somesecret
>             address = 127.0.0.1
>         }
>     }
> }
>
> By setting FreeRADIUS to debug mode I found that the user name
> Strongswan passed to FreeRADIUS was incorrect (some gibberish), so I
> guessed it's a secret code problem, but I'm 100% sure the secret code is
> correct. Also I've tried changing it to some other string like 123456,
> but Strongswan passes the username as the same gibberish as before,
> thus I don't think it's a secret code problem.
>
> Any suggestions/advice would be appreciated.

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
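Added here as an example, not part of the thread or of strongSwan's own code: a small Python triage script that parses charon syslog lines like the ones quoted above, counts RADIUS Access-Request/Access-Challenge round-trips per charon thread, and flags the three conditions visible in the posted log (the EAP-Identity plugin warning, the first-selected conn rejecting EAP, and the half-open IKE_SA timeout). The sample log is a constructed subset of the quoted lines, and the meaning attached to each flagged message is an interpretation drawn from the thread, not from strongSwan documentation.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines quoted in the thread above.
SAMPLE_LOG = """\
Oct 28 13:31:06 vpn charon: 08[IKE] client.ip.address is initiating an IKE_SA
Oct 28 13:31:07 vpn charon: 10[IKE] peer requested EAP, config inacceptable
Oct 28 13:31:07 vpn charon: 10[CFG] switching to peer config 'IPSec-IKEv2'
Oct 28 13:31:07 vpn charon: 10[IKE] EAP-Identity request configured, but not supported
Oct 28 13:31:07 vpn charon: 10[CFG] sending RADIUS Access-Request to server 'vpnserver'
Oct 28 13:31:07 vpn charon: 10[CFG] received RADIUS Access-Challenge from server 'vpnserver'
Oct 28 13:31:07 vpn charon: 10[IKE] initiating EAP_RADIUS method (id 0x01)
Oct 28 13:31:36 vpn charon: 13[JOB] deleting half open IKE_SA after timeout
"""

# syslog timestamp, host, "charon:", then "<thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")

# Message substrings worth flagging, with the operator-facing interpretation
# (assumed from the thread, not from strongSwan documentation).
FINDINGS = {
    "EAP-Identity request configured, but not supported":
        "eap_identity is set but the eap-identity plugin is not loaded",
    "peer requested EAP, config inacceptable":
        "a non-EAP conn was selected first; check conn ordering and selectors",
    "deleting half open IKE_SA after timeout":
        "client never completed IKE_AUTH; authentication did not finish",
}

def parse_charon_log(text):
    """Return one dict per charon line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Summarise RADIUS round-trips and known failure indicators per charon thread."""
    radius = defaultdict(lambda: {"requests": 0, "challenges": 0})
    flags = []
    for rec in parse_charon_log(text):
        msg = rec["msg"]
        if msg.startswith("sending RADIUS Access-Request"):
            radius[rec["thread"]]["requests"] += 1
        elif msg.startswith("received RADIUS Access-Challenge"):
            radius[rec["thread"]]["challenges"] += 1
        for needle, meaning in FINDINGS.items():
            if needle in msg:
                flags.append((rec["ts"], rec["thread"], meaning))
    return {"radius": dict(radius), "flags": flags}
```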