Hi Noel,

Thanks. I compiled again to isolate this problem. The reason why no item about certificates was shown by "ipsec listall" was that I had imported an incorrect certificate from FreeRADIUS. Now I can get the item about the CA by "ipsec install". But I still get the same error. What does "access denied" mean?

This is for TLS 1.2, but it means:

    access_denied
        A valid certificate was received, but when access control was
        applied, the sender decided not to proceed with negotiation.
        This message is always fatal.

from RFC 5246.

Access control? I compiled like this:

    ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls --enable-eap-mschapv2 --enable-eap-md5

Regards,
////// debug of StrongSwan ///

    Sun Feb 28 10:28:54 2016 : Info: [ttls] <<< TLS 1.0 Alert [length 0002], fatal access_denied
    Sun Feb 28 10:28:54 2016 : Error: TLS Alert read:fatal:access denied
    Sun Feb 28 10:28:54 2016 : Error: TLS_accept: failed in SSLv3 read client certificate A
    Sun Feb 28 10:28:54 2016 : Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
    Sun Feb 28 10:28:54 2016 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
    Sun Feb 28 10:28:54 2016 : Debug: TLS receive handshake failed during operation

////// config of ipsec.conf ///

    root@eNB-3:/usr/local/etc# cat ipsec.conf
    # /etc/ipsec.conf - strongSwan IPsec configuration file

    config setup
            charondebug="tls 4, ike 4, lib 4"

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            keyexchange=ikev2

    conn eap-ttls-rad1
            left=192.168.31.10
            leftsourceip=%config
            leftid=test1@test
            leftauth=eap
            #leftauth2=md5
            right=192.168.120.254
            #rightcert=/usr/local/etc/ipsec.d/certs/Radius-1_Svr_cert
            rightid=Radius-1@test
            rightsubnet=2.0.0.1/32
            rightauth=pubkey
            #rightauth2=md5
            aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"
            auto=add

////// output of "ipsec listall" ///

    root@eNB-3:/usr/local/etc# ipsec listall

    List of X.509 CA Certificates:

      subject:  "C=JP, ST=Some-State, O=XXX, OU=TSO, [email protected], [email protected]"
      issuer:   "C=JP, ST=Some-State, O=XXX, OU=TSO, [email protected], [email protected]"
      serial:    91:72:72:2d:af:3f:7c:73
      validity:  not before Feb 28 01:02:24 2016, ok
                 not after  Feb 27 01:02:24 2017, ok
      pubkey:    RSA 2048 bits
      keyid:     e5:a7:66:c8:00:8f:8a:3a:72:7a:b3:af:ef:6c:e5:a4:3f:bb:51:16
      subjkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53
      authkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53

    List of registered IKE algorithms:
    (snip)

Just for info, the user configuration of FreeRADIUS is fine.

////// about Server's certificate ///
CN=Radius-1_svr@test was issued by CN=Radius-1_CA

    root@Radius-1:/usr/lib/ssl/misc# openssl x509 -text -noout -in Radius-1_Svr_cert
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@test/emailAddress=yukou.katori@test
            Validity
                Not Before: Feb 27 16:18:46 2016 GMT
                Not After : Feb 26 16:18:46 2017 GMT
            Subject: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_svr@test/emailAddress=yukou.katori@test
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:

////// users /// user configuration seems fine... ///

    test1@test    Cleartext-Password := "test1@test"

    /etc/freeradius/wpa_supplicant-2.5/wpa_supplicant# ./eapol_test -c eap-ttls.conf -s testing123 -a 127.0.0.1
    Reading configuration file 'eap-ttls.conf'
    eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
    identity - hexdump_ascii(len=15): 74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d   test1@test
    password - hexdump_ascii(len=15): 74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d   test1@test
    phase2 - hexdump_ascii(len=8): 61 75 74 68 3d 4d 44 35   auth=MD5
    Priority group 0
       id=0 ssid=''
    (snip)
    MPPE keys OK: 1  mismatch: 0
    SUCCESS

On Friday, 26 February 2016, 0:38, Noel Kuntze <[email protected]> wrote:

Hello Yukou,

> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius
> Server(Freeradius2.1.12)

>> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to
>> 'C=AAA, O=OOO, CN=TEST'

What does your config look like? Obviously, the RADIUS server only authenticates itself, not the authenticator.

> I installed certification of the server:
> ipsec.d/certs/

Where is that exactly? Are you aware that the location of ipsec.d changes, depending on the compile time sysconfdir and prefix settings?

> When I checked by "ipsec listall", no item about "List of X.509 End Entity
> Certificates" is listed up.

Make sure you understand where charon thinks ipsec.d actually is.
On 25.02.2016 08:51, yukou katori wrote:
> Hi,
>
> I'm setting up an EAP-TTLS-Radius client on StrongSwan5.3.5.
>
> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius
> Server(Freeradius2.1.12)
>
> I got the following error when the Client tries to connect.
>
> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to
> 'C=AAA, O=OOO, CN=TEST'
>
> I installed certification of the server:
> ipsec.d/certs/
>
> /usr/local/etc/ipsec.d# ls certs/
> server.pem
>
> When I checked by "ipsec listall", no item about "List of X.509 End Entity
> Certificates" is listed up.
>
> Is it wrong about the way to store the certificate?
> Or another reason? (e.g. plugin is not enough)
>
> Regards,
>
> Log:
> Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 bytes)
> Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)
> Feb 25 14:41:13 tester charon: 05[LIB] signature verification:
> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'
> Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 byte TLS record received
> Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'

--
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
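The charon log quoted in this thread shows the client logging "server certificate does not match to '<identity>'" and then sending the fatal TLS alert 'access denied', and the later messages show an aaa_identity of "C=JP, O=XXX, CN=Radius-1_svr@test" next to a server certificate whose subject carries extra ST, OU and emailAddress attributes. The script below is an added triage helper, not code from strongSwan or FreeRADIUS: it extracts the expected identity and any fatal alert from charon log lines, and diffs a certificate subject against a configured identity attribute by attribute so the differing RDNs are visible at a glance. The comparison is a plain diff that ignores RDN order and collapses repeated attributes; it does not reproduce strongSwan's own identity-matching rules, and the log lines and DN strings are sample input copied from the thread.

```python
"""Triage helper for the 'server certificate does not match' / 'access denied'
failure in an EAP-TTLS client like the one in this thread.

Added example, not code from strongSwan or FreeRADIUS.  The DN comparison is a
plain attribute-by-attribute diff (order ignored, repeated attributes collapsed);
it is NOT a reimplementation of strongSwan's identity matching rules.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Separators seen in the thread: ", " between RDNs (openssl -text output and the
# ipsec.conf aaa_identity) and "/" before emailAddress in the openssl subject line.
_RDN_SPLIT = re.compile(r"\s*[,/]\s*(?=[A-Za-z]+=)")
# openssl prints emailAddress; strongSwan prints the same attribute as E.
_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a textual DN into (ATTR, value) pairs with normalised attribute names."""
    rdns: List[Tuple[str, str]] = []
    for part in _RDN_SPLIT.split(dn.strip().strip('"')):
        if not part:
            continue
        attr, _, value = part.partition("=")
        attr = attr.strip().upper()
        rdns.append((_ALIASES.get(attr, attr), value.strip()))
    return rdns


def diff_dn(cert_subject: str, expected_identity: str) -> Dict[str, list]:
    """Report how a certificate subject differs from a configured identity."""
    cert = dict(parse_dn(cert_subject))
    want = dict(parse_dn(expected_identity))
    return {
        # attribute present in both, but with different values
        "mismatched": [(a, cert[a], want[a]) for a in want if a in cert and cert[a] != want[a]],
        # attribute the configured identity names but the certificate lacks
        "missing_in_cert": [a for a in want if a not in cert],
        # attribute in the certificate that the configured identity does not name
        "extra_in_cert": [a for a in cert if a not in want],
    }


_MISMATCH = re.compile(r"\[TLS\] server certificate does not match to '([^']*)'")
_ALERT = re.compile(r"\[TLS\] sending fatal TLS alert '([^']+)'")


def scan_charon_log(lines: Iterable[str]) -> Tuple[Optional[str], List[str]]:
    """Return the identity charon expected and the fatal alerts it sent, if logged."""
    expected = None
    alerts: List[str] = []
    for line in lines:
        m = _MISMATCH.search(line)
        if m:
            expected = m.group(1)
        m = _ALERT.search(line)
        if m:
            alerts.append(m.group(1))
    return expected, alerts


# Sample input copied from the thread (constructed test data, not live logs).
CHARON_LOG = [
    "Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)",
    "Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'",
    "Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'",
]
SERVER_SUBJECT = "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_svr@test/emailAddress=yukou.katori@test"
AAA_IDENTITY = '"C=JP, O=XXX, CN=Radius-1_svr@test"'

if __name__ == "__main__":
    expected, alerts = scan_charon_log(CHARON_LOG)
    print("charon expected identity:", expected)
    print("fatal alerts sent by the client:", alerts)
    for key, items in diff_dn(SERVER_SUBJECT, AAA_IDENTITY).items():
        print(f"{key}: {items}")
```

Run it as-is to see the diff for the thread's own values; to check a live setup, paste the Subject line from `openssl x509 -text -noout` and the aaa_identity from ipsec.conf into SERVER_SUBJECT and AAA_IDENTITY, and feed the charon log lines (charondebug with tls at level 4, as in the thread) to scan_charon_log.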
