Hello Justin,

Did you look at [1]? In that example, aaa_identity is set.

[1] http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-radius/

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.09.2014 at 20:09, Justin Michael Schwartzbeck wrote:
> I do have the eap-tls plugin, I built strongswan with this option enabled.
> When I start ipsec, I can see that the eap-tls plugin is being loaded. Here
> is the exact output of "ipsec start":
>
> Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL] known interfaces and IP addresses:
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   lo
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     127.0.0.1
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     ::1
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]   eth0
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <local_ip>
> Sep 26 12:49:48 ast-scodev-27 charon: 00[KNL]     <mac_address>
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loaded ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]" from '/etc/ipsec.d/cacerts/cacert.pem'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key.pem'
> Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-tls xauth-generic xauth-noauth lookip
> Sep 26 12:49:48 ast-scodev-27 charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> Sep 26 12:49:48 ast-scodev-27 charon: 00[JOB] spawning 16 worker threads
> Sep 26 12:49:48 ast-scodev-27 charon: 02[NET] waiting for data on sockets
> Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] received stroke: add connection 'client'
> Sep 26 12:49:48 ast-scodev-27 charon: 05[KNL] <vpn_server_ip> is not a local address or the interface is down
> Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] loaded certificate "CN=username, C=Country, ST=State, O=Company Name, OU=Organization" from 'server.crt.pem'
> Sep 26 12:49:48 ast-scodev-27 charon: 05[CFG] added configuration 'client'
>
> On Fri, Sep 26, 2014 at 12:57 PM, Noel Kuntze <[email protected]> wrote:
>
> > Hello Justin,
> >
> > Please keep it on the list.
> > Do you have the eap-tls plugin?
> > Also, this doesn't look good:
> >
> >     EAP_IDENTITY not supported, sending EAP_NAK
> >
> > I don't know what causes the latter error.
> >
> > Kind regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 26.09.2014 at 19:53, Justin Michael Schwartzbeck wrote:
> >
> > > Hi Noel.
> > >
> > > I have tried leftauth=eap-tls and it has the exact same behavior. I get the
> > > missing realm warning with other clients as well but still have a
> > > successful connection. I am thinking that the error is somewhere in the EAP
> > > transaction, especially because of this message:
> > >
> > >     [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > >     [eap] Failed in handler
> > >     ++[eap] returns invalid
> > >     Failed to authenticate the user.
> > >
> > > Because I get the same behavior with leftauth set to eap, eap-tls and
> > > eap-md5, I am thinking that the client is defaulting to EAP everything
> > > (without tls or md5).
> > >
> > > On Fri, Sep 26, 2014 at 12:45 PM, Noel Kuntze <[email protected]> wrote:
> > >
> > > > Hello Justin,
> > > >
> > > > You need to set leftauth=eap-tls, and the RADIUS server complains about a missing
> > > > realm:
> > > >
> > > >     [suffix] No '@' in User-Name = "username", looking up realm NULL
> > > >     [suffix] No such realm "NULL"
> > > >
> > > > Kind regards,
> > > > Noel Kuntze
> > > >
> > > > GPG Key ID: 0x63EC6658
> > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > > >
> > > > On 26.09.2014 at 19:38, Justin Michael Schwartzbeck wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > I am trying to set up strongswan as a client to connect to a vpn server
> > > > > using EAP-TLS authentication. I have my connection set up as follows:
> > > > >
> > > > >     conn client
> > > > >         keyexchange=ikev2
> > > > >         right=myvpnserver.domain.com
> > > > >         rightid=%myvpnserver.domain.com
> > > > >         rightsubnet=0.0.0.0/0
> > > > >         leftsourceip=%config
> > > > >         leftauth=eap
> > > > >         left=myclient.domain.com
> > > > >         leftid=username
> > > > >         leftcert=server.crt.pem
> > > > >         auto=add
> > > > >
> > > > > When I enter "ipsec up client" I get a failure on the client side:
> > > > >
> > > > >     initiating IKE_SA client[1] to <vpn_server_ip>
> > > > >     generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > > >     sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > > > >     received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > > > >     parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > > > >     peer didn't accept DH group MODP_2048, it requested MODP_1024
> > > > >     initiating IKE_SA client[1] to <vpn_server_ip>
> > > > >     generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > > >     sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > > > >     received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> > > > >     parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > > > >     received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > > > >     received 1 cert requests for an unknown ca
> > > > >     sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > > > >     establishing CHILD_SA client
> > > > >     generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > > > >     sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> > > > >     received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> > > > >     parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > > > >     received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > > >     using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > > >     using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > > > >     checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > > > >     certificate status is not available
> > > > >     reached self-signed root ca with a path length of 0
> > > > >     authentication of '<vpn_server_ip>' with RSA signature successful
> > > > >     server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > > > >     EAP_IDENTITY not supported, sending EAP_NAK
> > > > >     generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > > > >     sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> > > > >     received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> > > > >     parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > > > >     received AUTHENTICATION_FAILED notify error
> > > > >     establishing connection 'client' failed
> > > > >
> > > > > On the server side, I am using remote authentication with RADIUS. The EAP
> > > > > request seems to be incomplete, or fails somehow:
> > > > >
> > > > >     rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
> > > > >             Service-Type = Login-User
> > > > >             Cisco-AVPair = "service-type=Login"
> > > > >             Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> > > > >             User-Name = "username"
> > > > >             EAP-Message = 0x023b0006030d
> > > > >             Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> > > > >             NAS-IP-Address = <vpn_server_ip>
> > > > >     # Executing section authorize from file /etc/raddb/sites-enabled/default
> > > > >     +- entering group authorize {...}
> > > > >     ++[preprocess] returns ok
> > > > >     ++[chap] returns noop
> > > > >     ++[mschap] returns noop
> > > > >     ++[digest] returns noop
> > > > >     [suffix] No '@' in User-Name = "username", looking up realm NULL
> > > > >     [suffix] No such realm "NULL"
> > > > >     ++[suffix] returns noop
> > > > >     [eap] EAP packet type response id 59 length 6
> > > > >     [eap] No EAP Start, assuming it's an on-going EAP conversation
> > > > >     ++[eap] returns updated
> > > > >     [files] users: Matched entry DEFAULT at line 50
> > > > >     ++[files] returns ok
> > > > >     ++[expiration] returns noop
> > > > >     ++[logintime] returns noop
> > > > >     [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > > > >     ++[pap] returns noop
> > > > >     Found Auth-Type = EAP
> > > > >     # Executing group from file /etc/raddb/sites-enabled/default
> > > > >     +- entering group authenticate {...}
> > > > >     [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > > > >     [eap] Failed in handler
> > > > >     ++[eap] returns invalid
> > > > >     Failed to authenticate the user.
> > > > >     Using Post-Auth-Type Reject
> > > > >     # Executing group from file /etc/raddb/sites-enabled/default
> > > > >     +- entering group REJECT {...}
> > > > >     [attr_filter.access_reject] expand: %{User-Name} -> username
> > > > >      attr_filter: Matched entry DEFAULT at line 11
> > > > >     ++[attr_filter.access_reject] returns updated
> > > > >     Delaying reject of request 129 for 1 seconds
> > > > >     Going to the next request
> > > > >     Waking up in 0.9 seconds.
> > > > >     Sending delayed reject for request 129
> > > > >     Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > > > >     Waking up in 4.9 seconds.
> > > > >     Cleaning up request 129 ID 131 with timestamp +64810
> > > > >     Ready to process requests.
> > > > >
> > > > > So here is my impression of what's happening, and correct me if I'm
> > > > > wrong: I think that on the strongswan side, EAP authentication is being
> > > > > used but there is no TLS happening. It seems like RADIUS is trying to
> > > > > determine whether the client is using TLS, MD5, etc. but fails to
> > > > > determine this. From the strongswan documentation I have gotten the idea
> > > > > that the client does not initiate EAP-TLS but it is enforced on the
> > > > > server side. Is there a way to do what I am trying to do?
> > > > >
> > > > > Thanks in advance.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
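The RADIUS debug output quoted in the thread prints the raw EAP packet the client answered with (EAP-Message = 0x023b0006030d), and the charon log prints the request id the server used (id 0x3B). Decoding those bytes tells you exactly what the client said, which is more useful than the "unknown EAP-request" line from FreeRADIUS. The following is an added example, not code from the thread or from the strongSwan or FreeRADIUS projects. It assumes only the standard EAP header layout and method type numbers from RFC 3748 and the IANA EAP registry (Identity = 1, Nak = 3, TLS = 13, and so on); the two sample log lines are constructed by copying them from the messages above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# EAP codes and method types from RFC 3748 / the IANA EAP registry (standard values,
# not taken from the thread).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MS-CHAPv2"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    type_name: Optional[str] = None          # None for Success/Failure (no Type byte)
    nak_desired: List[str] = field(default_factory=list)  # methods offered in a Nak


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    pkt = EapPacket(EAP_CODES[code], ident, length)
    if code in (1, 2):                        # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap_type = raw[4]
        pkt.type_name = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        if eap_type == 3:                     # Nak: Type-Data lists acceptable methods
            pkt.nak_desired = [EAP_TYPES.get(t, f"type-{t}") for t in raw[5:]]
    return pkt


def eap_message_from_radius_debug(line: str) -> Optional[bytes]:
    """Pull the hex EAP-Message attribute out of a FreeRADIUS debug line."""
    m = re.search(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)", line)
    return bytes.fromhex(m.group(1)) if m else None


def eap_id_from_charon(line: str) -> Optional[int]:
    """Pull the EAP request id out of charon's 'server requested ... (id 0x..)' line."""
    m = re.search(r"server requested (\S+) \(id 0x([0-9a-fA-F]+)\)", line)
    return int(m.group(2), 16) if m else None


def explain(charon_line: str, radius_line: str) -> str:
    """Correlate the client-side charon line with the packet the RADIUS server logged."""
    raw = eap_message_from_radius_debug(radius_line)
    requested_id = eap_id_from_charon(charon_line)
    if raw is None or requested_id is None:
        return "no EAP-Message / EAP request id found in the given lines"
    pkt = parse_eap(raw)
    same = "same" if pkt.identifier == requested_id else "different"
    if pkt.type_name == "Nak":
        offered = ", ".join(pkt.nak_desired) or "nothing"
        return (f"EAP id {pkt.identifier} ({same} exchange as the server's request): "
                f"client sent a Nak and offers {offered} instead")
    return f"EAP id {pkt.identifier} ({same} exchange): {pkt.code} of type {pkt.type_name}"


# Constructed sample input: the two lines copied from the logs quoted in the thread.
CHARON_LINE = "server requested EAP_IDENTITY (id 0x3B), sending 'username'"
RADIUS_LINE = "        EAP-Message = 0x023b0006030d"

if __name__ == "__main__":
    print(explain(CHARON_LINE, RADIUS_LINE))
```

For the bytes in the thread this yields Response, id 59 (0x3B, the same id the server used), length 6, type Nak, with a single desired method, 13 (EAP-TLS). That is the wire-level form of charon's "EAP_IDENTITY not supported, sending EAP_NAK": the client, which has only the eap-tls plugin loaded, declines the server's Identity request and names EAP-TLS as the method it will do. On the RADIUS side, the "[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request" line is how FreeRADIUS reacts to that reply, so the place to look is the client's handling of the Identity exchange rather than the TLS method itself.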
