I do have the eap-tls plugin, I built strongswan with this option enabled. When I start ipsec, I can see that the eap-tls plugin is being loaded. Here is the exact output of "ipsec start":

Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] known interfaces and IP addresses:
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   lo
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     127.0.0.1
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     ::1
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   eth0
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <local_ip>
Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <mac_address>
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG]   loaded ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]" from '/etc/ipsec.d/cacerts/cacert.pem'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key.pem'
Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-tls xauth-generic xauth-noauth lookip
Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
Sep 26 12:49:48 ast-scodev-27 charon: 00[JOB] spawning 16 worker threads
Sep 26 12:49:48 ast-scodev-27 charon: 02[NET] waiting for data on sockets
Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] received stroke: add connection 'client'
Sep 26 12:49:48 ast-scodev-27 charon: 05[KNL] <vpn_server_ip> is not a local address or the interface is down
Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG]   loaded certificate "CN=username, C=Country, ST=State, O=Company Name, OU=Organization" from 'server.crt.pem'
Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] added configuration 'client'

On Fri, Sep 26, 2014 at 12:57 PM, Noel Kuntze <[email protected]> wrote:

> Hello Justin,
>
> Please keep it on the list.
> Do you have the eap-tls plugin?
> Also, this doesn't look good:
> EAP_IDENTITY not supported, sending EAP_NAK
>
> I don't know what causes the latter error.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 26.09.2014 at 19:53, Justin Michael Schwartzbeck wrote:
> > Hi Noel.
> >
> > I have tried leftauth=eap-tls and it has the exact same behavior. I get the missing realm warning with other clients as well but still have a successful connection. I am thinking that the error is somewhere in the EAP transaction, especially because of this message:
> >
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> >
> > Because I get the same behavior with left-auth set to eap, eap-tls and eap-md5, I am thinking that the client is defaulting to EAP everything (without tls or md5).
> >
> > On Fri, Sep 26, 2014 at 12:45 PM, Noel Kuntze <[email protected]> wrote:
> >
> > > Hello Justin,
> > >
> > > You need to set leftauth=eap-tls and the RADIUS complains about a missing realm:
> > > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > > [suffix] No such realm "NULL"
> > >
> > > Kind regards/Regards,
> > > Noel Kuntze
> > >
> > > GPG Key ID: 0x63EC6658
> > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > >
> > > On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:
> > > > Hello,
> > > >
> > > > I am trying to set up strongswan as a client to connect to a vpn server using EAP-TLS authentication. I have my connection set up as follows:
> > > >
> > > > conn client
> > > >     keyexchange=ikev2
> > > >     right=myvpnserver.domain.com
> > > >     rightid=%myvpnserver.domain.com
> > > >     rightsubnet=0.0.0.0/0
> > > >     leftsourceip=%config
> > > >     leftauth=eap
> > > >     left=myclient.domain.com
> > > >     leftid=username
> > > >     leftcert=server.crt.pem
> > > >     auto=add
> > > >
> > > > When I enter "ipsec up client" I get a failure on the client side:
> > > >
> > > > initiating IKE_SA client[1] to <vpn_server_ip>
> > > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > > > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > > > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > > > peer didn't accept DH group MODP_2048, it requested MODP_1024
> > > > initiating IKE_SA client[1] to <vpn_server_ip>
> > > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > > > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> > > > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > > > received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > > > received 1 cert requests for an unknown ca
> > > > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > > > establishing CHILD_SA client
> > > > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > > > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> > > > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> > > > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > > > received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > > using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > > using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > > > checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > > certificate status is not available
> > > > reached self-signed root ca with a path length of 0
> > > > authentication of '<vpn_server_ip>' with RSA signature successful
> > > > server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > > > EAP_IDENTITY not supported, sending EAP_NAK
> > > > generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > > > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> > > > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> > > > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > > > received AUTHENTICATION_FAILED notify error
> > > > establishing connection 'client' failed
> > > >
> > > > On the server side, I am using remote authentication with RADIUS. The EAP request seems to be incomplete, or fails somehow:
> > > >
> > > > rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
> > > >     Service-Type = Login-User
> > > >     Cisco-AVPair = "service-type=Login"
> > > >     Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> > > >     User-Name = "username"
> > > >     EAP-Message = 0x023b0006030d
> > > >     Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> > > >     NAS-IP-Address = <vpn_server_ip>
> > > > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > > > +- entering group authorize {...}
> > > > ++[preprocess] returns ok
> > > > ++[chap] returns noop
> > > > ++[mschap] returns noop
> > > > ++[digest] returns noop
> > > > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > > > [suffix] No such realm "NULL"
> > > > ++[suffix] returns noop
> > > > [eap] EAP packet type response id 59 length 6
> > > > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > > > ++[eap] returns updated
> > > > [files] users: Matched entry DEFAULT at line 50
> > > > ++[files] returns ok
> > > > ++[expiration] returns noop
> > > > ++[logintime] returns noop
> > > > [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > > > ++[pap] returns noop
> > > > Found Auth-Type = EAP
> > > > # Executing group from file /etc/raddb/sites-enabled/default
> > > > +- entering group authenticate {...}
> > > > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > > > [eap] Failed in handler
> > > > ++[eap] returns invalid
> > > > Failed to authenticate the user.
> > > > Using Post-Auth-Type Reject
> > > > # Executing group from file /etc/raddb/sites-enabled/default
> > > > +- entering group REJECT {...}
> > > > [attr_filter.access_reject] expand: %{User-Name} -> username
> > > > attr_filter: Matched entry DEFAULT at line 11
> > > > ++[attr_filter.access_reject] returns updated
> > > > Delaying reject of request 129 for 1 seconds
> > > > Going to the next request
> > > > Waking up in 0.9 seconds.
> > > > Sending delayed reject for request 129
> > > > Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > > > Waking up in 4.9 seconds.
> > > > Cleaning up request 129 ID 131 with timestamp +64810
> > > > Ready to process requests.
> > > >
> > > > So here is my impression of what's happening, and correct me if I'm wrong: I think that on the strongswan side, EAP authentication is being used but there is no TLS happening. It seems like RADIUS is trying to determine whether the client is using TLS, MD5, etc. but fails to determine this. From the strongswan documentation I have gotten the idea that the client does not initiate EAP-TLS but it is enforced on the server side. Is there a way to do what I am trying to do?
> > > >
> > > > Thanks in advance.
> > > >
> > > > _______________________________________________
> > > > Users mailing list
> > > > [email protected]
> > > > https://lists.strongswan.org/mailman/listinfo/users
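A diagnostic check, added here as an editorial example and not something posted by either participant: charon answers the server's EAP-Identity request only when its eap-identity plugin is loaded, and the "loaded plugins:" line in the "ipsec start" output above contains eap-tls but no eap-identity, which is exactly the situation in which the client logs "EAP_IDENTITY not supported, sending EAP_NAK" and the server then sees an EAP conversation it cannot continue. The script below reads the leftauth value out of a conn block in ipsec.conf syntax, reads the plugin list out of a charon log, and reports which plugins that EAP method still needs, together with any EAP types the client NAKed. The sample log and ipsec.conf are constructed from what is quoted in the thread (with leftauth set to eap-tls as suggested); the leftauth-to-plugin mapping is mine and covers only the three methods the thread mentions.

```python
"""Added diagnostic example (not strongSwan code, not from the thread):
check that the charon plugins a strongSwan *client* needs for the EAP
method named by leftauth were actually loaded."""
import re

# Sample charon log, constructed from the "ipsec start" / "ipsec up"
# output quoted in the thread (timestamps and quote prefixes trimmed).
CHARON_LOG = """\
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key.pem'
00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-tls xauth-generic xauth-noauth lookip
00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
05[IKE] server requested EAP_IDENTITY (id 0x3B), sending 'username'
05[IKE] EAP_IDENTITY not supported, sending EAP_NAK
"""

# Sample ipsec.conf, constructed from the conn block in the thread with
# leftauth changed to eap-tls.
IPSEC_CONF = """\
conn client
    keyexchange=ikev2
    right=myvpnserver.domain.com
    rightid=%myvpnserver.domain.com
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    leftauth=eap-tls
    left=myclient.domain.com
    leftid=username
    leftcert=server.crt.pem
    auto=add
"""

# Plugins the initiator needs per leftauth value.  eap-identity is listed
# for every EAP variant because the server sends an EAP-Identity request
# before the real method starts; without that plugin charon replies with
# EAP_NAK.  Mapping written for this example; it covers only the methods
# discussed in the thread.
REQUIRED_PLUGINS = {
    "eap": {"eap-identity"},
    "eap-tls": {"eap-identity", "eap-tls"},
    "eap-md5": {"eap-identity", "eap-md5"},
}


def loaded_plugins(log):
    """Return the set of plugin names from charon's 'loaded plugins:' line."""
    m = re.search(r"loaded plugins: (.*)", log)
    return set(m.group(1).split()) if m else set()


def conn_setting(conf, conn, key):
    """Return the value of `key` inside `conn <conn>` (ipsec.conf syntax)."""
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            continue
        if current == conn and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == key:
                return v.strip()
    return None


def eap_naks(log):
    """EAP types charon refused with 'not supported, sending EAP_NAK'."""
    return re.findall(r"(EAP_[A-Z0-9_]+) not supported, sending EAP_NAK", log)


def check_client(conf, conn, log):
    """Compare what leftauth asks for with what charon actually loaded."""
    auth = conn_setting(conf, conn, "leftauth") or "pubkey"
    have = loaded_plugins(log)
    need = REQUIRED_PLUGINS.get(auth, set())
    return {
        "leftauth": auth,
        "missing": sorted(need - have),
        "nak": eap_naks(log),
    }


if __name__ == "__main__":
    result = check_client(IPSEC_CONF, "client", CHARON_LOG)
    print("leftauth =", result["leftauth"])
    print("missing plugins:", ", ".join(result["missing"]) or "none")
    for eap_type in result["nak"]:
        print(f"client NAKed {eap_type}: no loaded plugin handles that EAP type")
```

Run against the thread's own log this reports eap-identity as missing and EAP_IDENTITY as the NAKed type; once the plugin is present in the "loaded plugins:" line (for a source build, configure with --enable-eap-identity alongside --enable-eap-tls) the missing list is empty. The script only checks the client side; the RADIUS realm warning in the thread is a separate, server-side matter.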
