Hi All,

I am trying to run EAP-TLS client authentication with a RADIUS server.

strongSwan is failing the EAP-TLS method.

Find attached the daemon logs, ipsec.conf and ipsec.secrets.

Kindly let me know if there is any configuration issue.

Regards
Gurminder

Sep 19 16:36:42 localhost charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.31.5-127.fc12.x86_64, x86_64)
Sep 19 16:36:42 localhost charon: 00[KNL] listening on interfaces:
Sep 19 16:36:42 localhost charon: 00[KNL]   eth0
Sep 19 16:36:42 localhost charon: 00[KNL]     10.1.1.1
Sep 19 16:36:42 localhost charon: 00[KNL]     1.1.1.1
Sep 19 16:36:42 localhost charon: 00[KNL]     fe80::be30:5bff:fecb:560
Sep 19 16:36:42 localhost charon: 00[KNL]   eth1
Sep 19 16:36:42 localhost charon: 00[KNL]     10.203.2.228
Sep 19 16:36:42 localhost charon: 00[KNL]     fe80::2e0:1cff:fe3c:ac2
Sep 19 16:36:42 localhost charon: 00[KNL]   virbr0
Sep 19 16:36:42 localhost charon: 00[KNL]     192.168.122.1
Sep 19 16:36:42 localhost charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep 19 16:36:42 localhost charon: 00[CFG]   loaded ca certificate "C=in, ST=Some-State, O=gg, CN=kl" from '/usr/local/etc/ipsec.d/cacerts/cacert1.pem'
Sep 19 16:36:42 localhost charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 19 16:36:42 localhost charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 19 16:36:42 localhost charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 19 16:36:42 localhost charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Sep 19 16:36:42 localhost charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Sep 19 16:36:42 localhost charon: 00[CFG]   loaded IKE secret for 1.1.1.2 @01234567.ims.mnc212.mcc091.3gppnetwork.org
Sep 19 16:36:42 localhost charon: 00[CFG]   loaded EAP secret for [email protected] 1.1.1.2
Sep 19 16:36:42 localhost charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-sim eap-md5 eap-tls xauth-generic
Sep 19 16:36:42 localhost charon: 00[JOB] spawning 16 worker threads
Sep 19 16:36:42 localhost charon: 10[CFG] received stroke: add connection 'home'
Sep 19 16:36:42 localhost charon: 10[CFG] added configuration 'home'
Sep 19 16:36:47 localhost charon: 12[CFG] received stroke: initiate 'home'
Sep 19 16:36:47 localhost charon: 13[IKE] initiating IKE_SA home[1] to 1.1.1.2
Sep 19 16:36:47 localhost charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 19 16:36:47 localhost charon: 13[NET] sending packet: from 1.1.1.1[500] to 1.1.1.2[500]
Sep 19 16:36:47 localhost charon: 14[NET] received packet: from 1.1.1.2[500] to 1.1.1.1[500]
Sep 19 16:36:47 localhost charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 19 16:36:47 localhost charon: 14[IKE] establishing CHILD_SA home
Sep 19 16:36:47 localhost charon: 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 19 16:36:47 localhost charon: 14[NET] sending packet: from 1.1.1.1[4500] to 1.1.1.2[4500]
Sep 19 16:36:47 localhost charon: 15[NET] received packet: from 1.1.1.2[4500] to 1.1.1.1[4500]
Sep 19 16:36:47 localhost charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/TLS ]
Sep 19 16:36:47 localhost charon: 15[IKE] authentication of '1.1.1.2' with pre-shared key successful
Sep 19 16:36:47 localhost charon: 15[IKE] server requested EAP_TLS authentication (id 0x01)
Sep 19 16:36:47 localhost charon: 15[ENC] generating IKE_AUTH request 2 [ EAP/RES/TLS ]
Sep 19 16:36:47 localhost charon: 15[NET] sending packet: from 1.1.1.1[4500] to 1.1.1.2[4500]
Sep 19 16:36:47 localhost charon: 16[NET] received packet: from 1.1.1.2[4500] to 1.1.1.1[4500]
Sep 19 16:36:47 localhost charon: 16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
Sep 19 16:36:47 localhost charon: 16[TLS] negotiated TLS 1.1 using suite TLS_RSA_WITH_AES_128_CBC_SHA
Sep 19 16:36:47 localhost charon: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/TLS ]
Sep 19 16:36:47 localhost charon: 16[NET] sending packet: from 1.1.1.1[4500] to 1.1.1.2[4500]
Sep 19 16:36:47 localhost charon: 08[NET] received packet: from 1.1.1.2[4500] to 1.1.1.1[4500]
Sep 19 16:36:47 localhost charon: 08[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TLS ]
Sep 19 16:36:47 localhost charon: 08[TLS] received TLS server certificate 'C=in, O=gg, CN=kl'
Sep 19 16:36:47 localhost charon: 08[TLS] received TLS cert request for 'C=in, ST=Some-State, O=gg, CN=kl
Sep 19 16:36:47 localhost charon: 08[TLS] no TLS peer certificate found for '[email protected]', skipping client authentication
Sep 19 16:36:47 localhost charon: 08[CFG]   using certificate "C=in, O=gg, CN=kl"
Sep 19 16:36:47 localhost charon: 08[CFG]   using trusted ca certificate "C=in, ST=Some-State, O=gg, CN=kl"
Sep 19 16:36:47 localhost charon: 08[CFG] checking certificate status of "C=in, O=gg, CN=kl"
Sep 19 16:36:47 localhost charon: 08[CFG] certificate status is not available
Sep 19 16:36:47 localhost charon: 08[CFG]   reached self-signed root ca with a path length of 0
Sep 19 16:36:47 localhost charon: 08[ENC] generating IKE_AUTH request 4 [ EAP/RES/TLS ]
Sep 19 16:36:47 localhost charon: 08[NET] sending packet: from 1.1.1.1[4500] to 1.1.1.2[4500]
Sep 19 16:36:47 localhost charon: 10[NET] received packet: from 1.1.1.2[4500] to 1.1.1.1[4500]
Sep 19 16:36:47 localhost charon: 10[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TLS ]
Sep 19 16:36:47 localhost charon: 10[IKE] EAP_TLS method failed

Attachment: ipsec.conf
Description: ipsec.conf

Attachment: ipsec.secrets
Description: ipsec.secrets