
Hello Justin,

Please keep it on the list.
Do you have the eap-tls plugin?
Also, this doesn't look good:
EAP_IDENTITY not supported, sending EAP_NAK

I don't know what causes the latter error.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 26.09.2014 at 19:53, Justin Michael Schwartzbeck wrote:
> Hi Noel.
>
> I have tried leftauth=eap-tls and it has the exact same behavior. I get the 
> missing realm warning with other clients as well but still have a successful 
> connection. I am thinking that the error is somewhere in the EAP transaction, 
> especially because of this message:
>
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
>
> Because I get the same behavior with left-auth set to eap, eap-tls and 
> eap-md5, I am thinking that the client is defaulting to EAP everything 
> (without tls or md5).
>
> On Fri, Sep 26, 2014 at 12:45 PM, Noel Kuntze <[email protected]> wrote:
>
>
> Hello Justin,
>
> You need to set leftauth=eap-tls and the RADIUS complains about a missing 
> realm:
> [suffix] No '@' in User-Name = "username", looking up realm NULL
> [suffix] No such realm "NULL"
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:
> > Hello,
>
> > I am trying to set up strongswan as a client to connect to a vpn server 
> > using EAP-TLS authentication. I have my connection set up as follows:
>
> > conn client
> >      keyexchange=ikev2
> >      right=myvpnserver.domain.com
> >      rightid=%myvpnserver.domain.com
> >      rightsubnet=0.0.0.0/0
> >      leftsourceip=%config
> >      leftauth=eap
> >      left=myclient.domain.com
> >      leftid=username
> >      leftcert=server.crt.pem
> >      auto=add
>
> > When I enter "ipsec up client" I get a failure on the client side:
>
> > initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > peer didn't accept DH group MODP_2048, it requested MODP_1024
> > initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) 
> > CERTREQ ]
> > received cert request for "CN=rootCA, CN=Common Name, O=Company Name, 
> > OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > received 1 cert requests for an unknown ca
> > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, 
> > OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > establishing CHILD_SA client
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) 
> > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 
> > bytes)
> > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > received end entity cert "CN=myvpnserver.domain.com, C=Country, 
> > ST=State, O=Company, OU=Organization"
> >   using certificate "CN=myvpnserver.domain.com, C=Country, 
> > ST=State, O=Company, OU=Organization"
> >   using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, 
> > OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > checking certificate status of "CN=myvpnserver.domain.com, C=Country, 
> > ST=State, O=Company, OU=Organization"
> > certificate status is not available
> >   reached self-signed root ca with a path length of 0
> > authentication of '<vpn_server_ip>' with RSA signature successful
> > server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > EAP_IDENTITY not supported, sending EAP_NAK
> > generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > establishing connection 'client' failed
>
> > On the server side, I am using remote authentication with RADIUS. The EAP 
> > request seems to be incomplete, or fails somehow:
>
> > rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, 
> > length=135
> >     Service-Type = Login-User
> >     Cisco-AVPair = "service-type=Login"
> >     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> >     User-Name = "username"
> >     EAP-Message = 0x023b0006030d
> >     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> >     NAS-IP-Address = <vpn_server_ip>
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > ++[digest] returns noop
> > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > [eap] EAP packet type response id 59 length 6
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > [files] users: Matched entry DEFAULT at line 50
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group authenticate {...}
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> > Using Post-Auth-Type Reject
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group REJECT {...}
> > [attr_filter.access_reject]     expand: %{User-Name} -> username
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Delaying reject of request 129 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 129
> > Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > Waking up in 4.9 seconds.
> > Cleaning up request 129 ID 131 with timestamp +64810
> > Ready to process requests.
>
> >
> > So here is my impression of what's happening, and correct me if I'm wrong: 
> > I think that on the strongswan side, EAP authentication is being used but 
> > there is no TLS happening. It seems like RADIUS is trying to determine 
> > whether the client is using TLS, MD5, etc. but fails to determine this. 
> > From the strongswan documentation I have gotten the idea that the client 
> > does not initiate EAP-TLS but it is enforced on the server side. Is there a 
> > way to do what I am trying to do?
>
> > Thanks in advance.
>
>
> > _______________________________________________
> > Users mailing list
> > [email protected] <mailto:[email protected]>
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>

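The one hard piece of evidence in this thread is the raw attribute FreeRADIUS printed, EAP-Message = 0x023b0006030d. Decoding it with the RFC 3748 header layout (Code, Identifier, Length, Type) shows what the client actually sent when strongSwan logged "EAP_IDENTITY not supported, sending EAP_NAK": a Response (code 2) with identifier 0x3b = 59 (the same "id 59" FreeRADIUS reports), length 6, type 3 (Nak), and a single desired-type octet 0x0d = 13, the IANA number for EAP-TLS. The decoder below is an added example for this thread, not strongSwan or FreeRADIUS code; the type table covers only the method numbers needed here, and the second sample packet (an Identity response carrying "username") is constructed, not taken from the logs.

```python
"""Decode the EAP-Message RADIUS attribute as printed by FreeRADIUS debug output.

Added example for this thread (not strongSwan or FreeRADIUS code). Parses the
RFC 3748 EAP header and, for Nak responses, lists the methods the peer says it
would accept instead of the one the server asked for.
"""
import struct

# EAP Code values (RFC 3748, section 4).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA-registered EAP method type numbers; only those relevant here are listed.
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    25: "PEAP",
    26: "MSCHAPv2",
    254: "Expanded",
}


def decode_eap_message(hex_string):
    """Parse one EAP packet given as the hex string FreeRADIUS prints
    (for example '0x023b0006030d') and return a dict describing it."""
    if hex_string.startswith("0x"):
        hex_string = hex_string[2:]
    data = bytes.fromhex(hex_string)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    # The Length field covers the whole packet; a mismatch means a truncated
    # or concatenated attribute, which is worth flagging rather than guessing.
    if length != len(data):
        raise ValueError("EAP Length %d does not match %d bytes of data"
                         % (length, len(data)))
    packet = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
              "id": ident, "length": length}
    # Success and Failure carry no Type field; Request and Response do.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap_type = data[4]
        packet["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
        type_data = data[5:]
        if eap_type == 1:
            # Identity Type-Data is the peer's identity string.
            packet["identity"] = type_data.decode("utf-8", "replace")
        elif eap_type == 3:
            # Nak Type-Data: one octet per desired authentication type;
            # a single 0 means the peer has no acceptable alternative.
            packet["desired"] = [EAP_TYPES.get(t, "Unknown(%d)" % t)
                                 for t in type_data]
    return packet


def summarize(hex_string):
    """One-line reading of a packet, for pasting next to a RADIUS debug log."""
    p = decode_eap_message(hex_string)
    text = "%s id=%d len=%d" % (p["code"], p["id"], p["length"])
    if "type" in p:
        text += " type=%s" % p["type"]
    if "desired" in p:
        text += " wants=%s" % ",".join(p["desired"])
    if "identity" in p:
        text += " identity=%r" % p["identity"]
    return text


if __name__ == "__main__":
    # The attribute quoted from the FreeRADIUS log in this thread.
    print(summarize("0x023b0006030d"))
    # Constructed sample: an Identity response (type 1) carrying "username".
    print(summarize("0x023b000d01757365726e616d65"))
```

Read against the server log, the decoded Nak explains the FreeRADIUS error: the eap module was waiting for an Identity response to its own Identity request, received a Nak for an EAP-TLS method it had not yet offered, and reported "EAP-response to an unknown EAP-request". On the client side the corresponding symptom is the missing EAP-Identity support that the NAK announces, which is why the earlier replies ask about the eap-tls plugin and leftauth=eap-tls.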