Never mind the EAP problem, I enabled xauth in configure and it works like a charm.
At least I found the missing variable :)

Regards,
Kimmo

2012/6/22 Kimmo Koivisto <[email protected]>:
> Hello Martin
>
> Thanks for the clarification, I now understand :)
>
> I tried to configure this, but got a strange error in Xauth:
>
> no XAuth method found named 'Pû'
>
> and the name was changing when I tried, there seems to be a missing
> name-variable in xauth.c
> DBG1(DBG_CFG, "no XAuth method found named '%s'");
>
> I fixed this by adding the name variable:
> DBG1(DBG_CFG, "no XAuth method found named '%s'", name);
>
> and now I am getting the error
> no XAuth method found named 'eap'
>
> So, my question is, do I need to compile something to get xauth-eap or
> did I misunderstand something?
>
> Regards,
> Kimmo
>
> My config:
>
> conn ikev1
>     keyexchange=ikev1
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=3
>     left=strong-5-server-ip
>     leftsubnet=0.0.0.0/0
>     leftcert=server.crt
>     leftid=@server-cert-cn
>     leftauth=pubkey
>     leftfirewall=no
>     right=%any
>     rightauth=pubkey
>     rightauth2=xauth-eap
>     rightsourceip=172.26.27.128/25
>     modeconfig=push
>     auto=add
>
> and the full log is:
>
> 13[NET] received packet: from android-4-handser-ip[500] to strong-5-server-ip[500]
> 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> 13[IKE] received NAT-T (RFC 3947) vendor ID
> 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 13[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> 13[IKE] received XAuth vendor ID
> 13[IKE] received Cisco Unity vendor ID
> 13[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
> 13[IKE] received DPD vendor ID
> 13[IKE] android-4-handser-ip is initiating a Main Mode IKE_SA
> 13[ENC] generating ID_PROT response 0 [ SA V V V ]
> 13[NET] sending packet: from strong-5-server-ip[500] to android-4-handser-ip[500]
> 02[NET] received packet: from android-4-handser-ip[500] to strong-5-server-ip[500]
> 02[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 02[IKE] remote host is behind NAT
> 02[IKE] sending cert request for "DC=local, DC=s5-test, CN=s5-test Domain CA"
> 02[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> 02[NET] sending packet: from strong-5-server-ip[500] to android-4-handser-ip[500]
> 01[NET] received packet: from android-4-handser-ip[1024] to strong-5-server-ip[4500]
> 01[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
> 01[IKE] received cert request for 'DC=local, DC=s5-test, CN=s5-test Domain CA'
> 01[IKE] received end entity cert "O=s5-test x, CN=Kimmo"
> 01[CFG] looking for XAuthInitRSA peer configs matching strong-5-server-ip...android-4-handser-ip[O=s5-test x, CN=Kimmo]
> 01[CFG] selected peer config "ikev1"
> 01[CFG] using certificate "O=s5-test x, CN=Kimmo"
> 01[CFG] using trusted ca certificate "DC=local, DC=s5-test, CN=s5-test Domain CA"
> 01[CFG] checking certificate status of "O=s5-test x, CN=Kimmo"
> 01[CFG] using trusted certificate "DC=local, DC=s5-test, CN=s5-test Domain CA"
> 01[CFG] crl correctly signed by "DC=local, DC=s5-test, CN=s5-test Domain CA"
> 01[CFG] crl is valid: until Jun 27 07:13:04 2012
> 01[CFG] using cached crl
> 01[CFG] certificate status is good
> 01[CFG] reached self-signed root ca with a path length of 0
> 01[IKE] authentication of 'O=s5-test x, CN=Kimmo' with RSA successful
> 01[IKE] authentication of 'vpn2.s5-test.com' (myself) successful
> 01[IKE] sending end entity cert "O=s5-test, CN=vpn2.s5-test.com"
> 01[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 01[NET] sending packet: from strong-5-server-ip[4500] to android-4-handser-ip[1024]
> 01[CFG] no XAuth method found named 'Pû'
>
> 2012/6/22 Martin Willi <[email protected]>:
>> Hello Kimmo,
>>
>>> Does this mean that now the AAA server needs to be configured to use
>>> EAP, let's say EAP-MSCHAPv2?
>>
>> With the xauth-eap plugin, yes. This is the same configuration that
>> you'd use for IKEv2 clients, Windows 7 Agile VPN for example.
>>
>>> Then AAA receives the access request from Strongswan and AAA server
>>> then responds or starts EAP and strongswan needs to have that
>>> eap-mschapv2 enabled?
>>
>> Yes. AAA should request a (password based) EAP method, and the
>> strongSwan gateway acts as client for this EAP method using XAuth
>> credentials from the client. To use EAP-MSCHAPv2, pass
>> --enable-eap-mschapv2 to ./configure (and enable a MD4 implementation,
>> either through --enable-openssl or --enable-md4).
>>
>> Regards
>> Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
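The missing-argument bug quoted in the thread (a '%s' with no matching variable, which is why the log showed a garbage name like 'Pû') is the kind of defect a compiler can report before it ships. The following is an added example, not strongSwan's code: a minimal printf-style logger carrying GCC/Clang's format attribute, with a hypothetical lookup routine that mirrors the xauth.c message; the faulty call is kept under SHOW_BUG so the diagnostic can be seen by compiling with -DSHOW_BUG -Wall.

```c
/* Added example (not strongSwan code): a tiny DBG1-like logger whose
 * format string is checked at compile time, so a conversion without a
 * matching argument is reported instead of printing uninitialised data. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define CHECK_FMT(fmt_idx, first_arg) \
    __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define CHECK_FMT(fmt_idx, first_arg)
#endif

enum { DBG_CFG = 1 };          /* stand-in for strongSwan's debug group */

static char last_line[256];    /* last rendered log line, kept for inspection */

/* Render one log line into last_line; returns its length, or -1 on error. */
CHECK_FMT(2, 3)
static int dbg1(int group, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)group;
    va_start(ap, fmt);
    n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : n;
}

/* Hypothetical lookup mirroring the "no XAuth method found" path in the
 * thread. Constructed rule: only a method called "generic" is registered. */
static const char *lookup_xauth_method(const char *name)
{
    if (strcmp(name, "generic") == 0) {
        return "generic";
    }
    /* corrected call from the thread: the %s now has its argument */
    dbg1(DBG_CFG, "no XAuth method found named '%s'", name);
    return NULL;
}

#ifdef SHOW_BUG
/* The call as originally found in xauth.c: '%s' without an argument.
 * With the format attribute, GCC and Clang flag this under -Wall
 * (-Wformat), and -Werror=format turns it into a build failure. */
static void buggy(void) { dbg1(DBG_CFG, "no XAuth method found named '%s'"); }
#endif

const char *last_log_line(void) { return last_line; }
```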
