Hi Andreas,

That was my problem. Thanks for the tip. I was beginning to lose hope. :P

-Justin

On Sat, Sep 27, 2014 at 1:42 PM, Andreas Steffen <[email protected]> wrote:
> Hi,
>
> you must enable and load the eap-identity plugin on the client side.
> And if the EAP identity does not equal the IKEv2 identity you must
> define the EAP Identity with
>
> eap_identity=....
>
> in ipsec.conf in the client configuration.
>
> Regards
>
> Andreas
>
> On 09/26/2014 07:38 PM, Justin Michael Schwartzbeck wrote:
> > Hello,
> >
> > I am trying to set up strongswan as a client to connect to a vpn server
> > using EAP-TLS authentication. I have my connection set up as follows:
> >
> > conn client
> >     keyexchange=ikev2
> >     right=myvpnserver.domain.com
> >     rightid=%myvpnserver.domain.com
> >     rightsubnet=0.0.0.0/0
> >     leftsourceip=%config
> >     leftauth=eap
> >     left=myclient.domain.com
> >     leftid=username
> >     leftcert=server.crt.pem
> >     auto=add
> >
> > When I enter "ipsec up client" I get a failure on the client side:
> >
> > initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (708 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (38 bytes)
> > parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > peer didn't accept DH group MODP_2048, it requested MODP_1024
> > initiating IKE_SA client[1] to <vpn_server_ip>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from <client_ip>[500] to <vpn_server_ip>[500] (580 bytes)
> > received packet: from <vpn_server_ip>[500] to <client_ip>[500] (381 bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > received 1 cert requests for an unknown ca
> > sending cert request for "CN=rootCA, CN=Common Name, O=Common Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > establishing CHILD_SA client
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (380 bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (1420 bytes)
> > parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > received end entity cert "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > using certificate "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > using trusted ca certificate "CN=rootCA, CN=Common Name, O=Company Name, OU=Organization, C=Country, ST=State, L=City, [email protected]"
> > checking certificate status of "CN=myvpnserver.domain.com, C=Country, ST=State, O=Company, OU=Organization"
> > certificate status is not available
> > reached self-signed root ca with a path length of 0
> > authentication of '<vpn_server_ip>' with RSA signature successful
> > server requested EAP_IDENTITY (id 0x3B), sending 'username'
> > EAP_IDENTITY not supported, sending EAP_NAK
> > generating IKE_AUTH request 2 [ EAP/RES/NAK ]
> > sending packet: from <client_ip>[4500] to <vpn_server_ip>[4500] (76 bytes)
> > received packet: from <vpn_server_ip>[4500] to <client_ip>[4500] (76 bytes)
> > parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > establishing connection 'client' failed
> >
> > On the server side, I am using remote authentication with RADIUS. The
> > EAP request seems to be incomplete, or fails somehow:
> >
> > rad_recv: Access-Request packet from host 10.89.150.210 port 1645, id=131, length=135
> >         Service-Type = Login-User
> >         Cisco-AVPair = "service-type=Login"
> >         Calling-Station-Id = "L2L40A5996D2ZO2L40A5996E3ZH11941194ZN1D"
> >         User-Name = "username"
> >         EAP-Message = 0x023b0006030d
> >         Message-Authenticator = 0xf62fa0a5eaba2ea387bd90c3cfe46c7f
> >         NAS-IP-Address = <vpn_server_ip>
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > ++[digest] returns noop
> > [suffix] No '@' in User-Name = "username", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > [eap] EAP packet type response id 59 length 6
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] returns updated
> > [files] users: Matched entry DEFAULT at line 50
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > [pap] WARNING: Auth-Type already set.  Not setting to PAP
> > ++[pap] returns noop
> > Found Auth-Type = EAP
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group authenticate {...}
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
> > [eap] Failed in handler
> > ++[eap] returns invalid
> > Failed to authenticate the user.
> > Using Post-Auth-Type Reject
> > # Executing group from file /etc/raddb/sites-enabled/default
> > +- entering group REJECT {...}
> > [attr_filter.access_reject] expand: %{User-Name} -> username
> >  attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Delaying reject of request 129 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 129
> > Sending Access-Reject of id 131 to 10.89.150.210 port 1645
> > Waking up in 4.9 seconds.
> > Cleaning up request 129 ID 131 with timestamp +64810
> > Ready to process requests.
> >
> > So here is my impression of what's happening, and correct me if I'm
> > wrong: I think that on the strongswan side, EAP authentication is being
> > used but there is no TLS happening. It seems like RADIUS is trying to
> > determine whether the client is using TLS, MD5, etc. but fails to
> > determine this. From the strongswan documentation I have gotten the idea
> > that the client does not initiate EAP-TLS but it is enforced on the
> > server side. Is there a way to do what I am trying to do?
> >
> > Thanks in advance.
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
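To make the fix Andreas describes concrete, the following is an added example (not part of the thread and not the strongSwan project's own sample configuration) showing the two client-side pieces it involves: a `strongswan.conf` fragment that loads the `eap-identity` plugin (together with `eap-tls`, which the client needs for the EAP-TLS method the server will propose once the identity exchange succeeds), and the `conn` block from the thread with `eap_identity` set. The file paths, the plugin names beyond `eap-identity`, the `%identity` shorthand and the identity value `user@vpn.example` are assumptions and constructed placeholders, not values from the thread; the certificate and host names are copied from Justin's post.

```ini
# /etc/strongswan.conf (client) -- assumed default path for a packaged install
# Without eap-identity loaded, charon answers the server's EAP-Identity
# request with an EAP-NAK, which is exactly the
# "EAP_IDENTITY not supported, sending EAP_NAK" line in the client log.
charon {
    plugins {
        eap-identity {
            load = yes
        }
        eap-tls {
            load = yes
        }
    }
}

# /etc/ipsec.conf (client)
conn client
    keyexchange=ikev2
    right=myvpnserver.domain.com
    rightid=%myvpnserver.domain.com
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    left=myclient.domain.com
    leftid=username
    leftcert=server.crt.pem
    leftauth=eap
    # Identity sent in the EAP-Identity response. Use %identity to reuse the
    # IKEv2 identity (leftid); set an explicit value only when the RADIUS
    # backend expects a different name (constructed placeholder below).
    eap_identity=user@vpn.example
    auto=add
```

After restarting charon, `ipsec statusall` lists the loaded plugins, so the check is that `eap-identity` and `eap-tls` appear there and that a new `ipsec up client` no longer logs the EAP-NAK line. Note that the client still authenticates the gateway by its certificate before any EAP exchange (the log shows "authentication of '<vpn_server_ip>' with RSA signature successful" and the chain reaching the trusted root CA), so the identity exchange only happens after the server has been verified; the client's own certificate is then proven inside EAP-TLS rather than in the IKE_AUTH signature.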
