Hello Justin,

You need to set leftauth=eap-tls and the RADIUS complains about a missing realm:

[suffix] No '@' in User-Name = "username", looking up realm NULL
[suffix] No such realm "NULL"

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:
> Hello,
>
> I am trying to set up strongswan as a client to connect to a vpn server using
> EAP-TLS authentication. I have my connection set up as follows:
>
> conn client
>     keyexchange=ikev2
>     right=myvpnserver.domain.com
>     rightid=%myvpnserver.domain.com
>     rightsubnet=0.0.0.0/0
>     leftsourceip=%config
>     leftauth=eap
>     left=myclient.domain.com
>     leftid=username
>     leftcert=server.crt.pem
>     auto=add
>
> When I enter "ipsec up client" I get a failure on the client side:
>
> initiating IKE_SA client[1] to <vpn_server_ip>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group MODP_2048, it requested MODP_1024
> initiating IKE_SA client[1] to <vpn_server_ip>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> received 1 cert requests for an unknown ca
> sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> establishing CHILD_SA client
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> certificate status is not available
> reached self-signed root ca with a path length of 0
> authentication of '<vpn_server_ip>' with RSA signature successful
> server requested EAP_IDENTITY (id 0x3B), sending 'username'
> EAP_IDENTITY not supported, sending EAP_NAK
> generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'client' failed
>
> On the server side, I am using remote authentication with RADIUS. The EAP
> request seems to be incomplete, or fails somehow:
>
> rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
>     Service-Type = Login-User
>     Cisco-AVPair = "service-type=Login"
>     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
>     User-Name = "username"
>     EAP-Message = 0x023b0006030d
>     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
>     NAS-IP-Address = <vpn_server_ip>
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "username", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 59 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 50
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> username
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 129 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 129
> Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> Waking up in 4.9 seconds.
> Cleaning up request 129 ID 131 with timestamp +64810
> Ready to process requests.
>
> So here is my impression of what's happening, and correct me if I'm wrong: I
> think that on the strongswan side, EAP authentication is being used but there
> is no TLS happening. It seems like RADIUS is trying to determine whether the
> client is using TLS, MD5, etc. but fails to determine this. From the
> strongswan documentation I have gotten the idea that the client does not
> initiate EAP-TLS but it is enforced on the server side. Is there a way to do
> what I am trying to do?
>
> Thanks in advance.
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
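As an added example that is not part of the thread: a small decoder for the EAP-Message attribute that FreeRADIUS prints in its debug output. Run on the packet quoted above (0x023b0006030d) it shows the client answered the Identity request with a Nak naming method type 13, EAP-TLS, instead of an Identity response, which is why the eap module sees a response to a request it never sent. The function names parse_eap and decode_radius_eap_message are mine; the code and type numbers are from RFC 3748 and the IANA EAP method registry.

```python
"""Decode an EAP packet as carried in a RADIUS EAP-Message attribute (RFC 3748)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_eap(raw: bytes) -> dict:
    """Parse the 4-byte EAP header (Code, Identifier, Length) and, for
    Request/Response packets, the Type byte and type-specific data."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} != packet size {len(raw)}")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"),
            "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        data = raw[5:]
        if eap_type == 3:
            # A Nak lists the method types the peer is willing to use instead.
            info["desired"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
        elif eap_type == 1:
            # Identity request carries optional text; Identity response the NAI.
            info["identity"] = data.decode("utf-8", "replace")
        else:
            info["data"] = data.hex()
    return info


def decode_radius_eap_message(line: str) -> dict:
    """Take an 'EAP-Message = 0x...' line from `radiusd -X` output and parse it."""
    value = line.split("=", 1)[1].strip()
    if not value.startswith("0x"):
        raise ValueError("expected a hex EAP-Message value")
    return parse_eap(bytes.fromhex(value[2:]))


if __name__ == "__main__":
    # The attribute line quoted from the RADIUS debug output in the thread.
    print(decode_radius_eap_message("EAP-Message = 0x023b0006030d"))
```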
