Good day! Can you help? I want to configure strongSwan IKEv2 with OpenLDAP authentication. Is it possible? I configured FreeRADIUS + LDAP and tried radtest with the LDAP user adam; the test is OK:

*radtest adam password1234 myip 10 password1234*

Sent Access-Request Id 142 from 0.0.0.0:46701 to myip:1812 length 74
    User-Name = "adam"
    User-Password = "password1234"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 10
    Message-Authenticator = 0x00
    Cleartext-Password = "password1234"
Received *Access-Accept* Id 142 from myip:1812 to 0.0.0.0:0 length 20

*Log from radius server:*

radius_1 | Fri Dec 23 08:54:02 2016 : Info: rlm_ldap (ldap): Opening additional connection (38)

*Log from ldap server:*

585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128
585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0
585ce62a conn=1206 op=0 RESULT tag=97 err=0 text=
585ce62a conn=1206 op=1 MOD dn="uid=adam,dc=***,dc=***"
585ce62a conn=1206 op=1 MOD attr=description
585ce62a conn=1206 op=1 RESULT tag=103 err=0 text=

Then I connect the Android strongSwan client to the strongSwan server and receive a response from LDAP:

radius log:

radius_1 | Fri Dec 23 09:01:46 2016 : Info: rlm_ldap (ldap): Opening additional connection (42)

ldap log:

585ce821 conn=1211 fd=17 ACCEPT from IP=*.*.*.*:46089 (IP=0.0.0.0:389)
585ce821 conn=1211 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128
585ce821 conn=1211 op=0 BIND dn="cn=dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0
585ce821 conn=1211 op=0 RESULT tag=97 err=0 text=

*Strongswan client log:*

Dec 23 12:04:23 12[NET] sending packet: from 192.168.88.18[37418] to ***[4500] (3612 bytes)
Dec 23 12:04:23 13[NET] received packet: from ***[4500] to 192.168.88.18[37418] (1196 bytes)
Dec 23 12:04:23 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 23 12:04:23 13[IKE] received end entity cert "C=CA, O=Example, CN=nagios.by"
Dec 23 12:04:23 13[CFG] using certificate "C=CA, O=Example, CN=nagios.by"
Dec 23 12:04:23 13[CFG] using trusted ca certificate "C=CA, O=Example, CN=ExampleCA"
Dec 23 12:04:23 13[CFG] reached self-signed root ca with a path length of 0
Dec 23 12:04:23 13[IKE] authentication of '*.*' with RSA signature successful
Dec 23 12:04:23 13[IKE] server requested EAP_IDENTITY (id 0x00), sending 'adam'
Dec 23 12:04:23 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 23 12:04:23 13[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (76 bytes)
Dec 23 12:04:23 14[NET] received packet: from *.*.*.*[4500] to 192.168.88.18[37418] (92 bytes)
Dec 23 12:04:23 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Dec 23 12:04:23 14[IKE] server requested EAP_MD5 authentication (id 0x01)
Dec 23 12:04:23 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
Dec 23 12:04:23 14[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (92 bytes)
Dec 23 12:04:24 15[NET] received packet: from *.*.*.*[4500] to 192.168.88.18[37418] (76 bytes)
Dec 23 12:04:24 15[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Dec 23 12:04:24 15[IKE] *received EAP_FAILURE, EAP authentication failed*
Dec 23 12:04:24 15[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Dec 23 12:04:24 15[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (76 bytes)

*SYSTEM INFORMATION:*

*uname -a*
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

*ipsec --version*
Linux strongSwan U5.2.1/K3.16.0-4-amd64

*ipsec listplugins | grep EAP*
EAP_SERVER:ID
EAP_CLIENT:ID
EAP_SERVER:AKA
EAP_CLIENT:AKA
EAP_SERVER:MD5
EAP_CLIENT:MD5
EAP_SERVER:GTC
EAP_CLIENT:GTC
EAP_SERVER:MSCHAPV2
EAP_CLIENT:MSCHAPV2
EAP_SERVER:RAD
EAP_SERVER:TLS
EAP_CLIENT:TLS
EAP_SERVER:TTLS
EAP_SERVER:ID
EAP_CLIENT:TTLS
EAP_CLIENT:ID
EAP_SERVER:TNC
EAP_SERVER:TTLS
EAP_CLIENT:TNC
EAP_CLIENT:TTLS
EAP_SERVER:PT
EAP_SERVER:TTLS
EAP_CLIENT:PT
EAP_CLIENT:TTLS

*ipsec statusall*
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 2 days, since Dec 20 19:40:27 2016
  malloc: sbrk 2555904, mmap 0, used 421888, free 2134016
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  10.9.0.0/24: 254/0/0
Listening IP addresses:
  *.*.*.*
  *.*.*.*
Connections:
      client:  %any...%any  IKEv2, dpddelay=30s
      client:   local:  [*.*] uses public key authentication
      client:    cert:  "C=CA, O=Example, CN=*.*"
      client:   remote: uses EAP_RADIUS authentication with EAP identity '%any'
      client:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

*Thank you!*
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
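When triaging an EAP-RADIUS failure like the one above, the first thing to pin down is which EAP method the RADIUS backend actually selected and at what point the exchange failed. The following added example (not part of the original post or of strongSwan) parses the charon client log lines quoted above and reconstructs the EAP exchange: the method requested in each IKE_AUTH response, the client's replies, and the terminal EAP code. The sample log is a verbatim subset of the post's client log.

```python
import re

# Sample input: the IKE_AUTH/EAP lines quoted in the post's strongSwan client log.
SAMPLE_LOG = """\
Dec 23 12:04:23 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 23 12:04:23 13[IKE] server requested EAP_IDENTITY (id 0x00), sending 'adam'
Dec 23 12:04:23 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 23 12:04:23 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Dec 23 12:04:23 14[IKE] server requested EAP_MD5 authentication (id 0x01)
Dec 23 12:04:23 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
Dec 23 12:04:24 15[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Dec 23 12:04:24 15[IKE] received EAP_FAILURE, EAP authentication failed
Dec 23 12:04:24 15[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
"""

# charon's [ENC] lines list the payloads of each IKE_AUTH message in brackets;
# EAP payloads are written as EAP/<code>[/<method>], e.g. EAP/REQ/MD5 or EAP/FAIL.
IKE_AUTH_PAYLOADS = re.compile(
    r"\[ENC\] (parsed|generating) IKE_AUTH (request|response) (\d+) \[ (.*?) \]")
EAP_PAYLOAD = re.compile(r"EAP/(REQ|RES|SUCC|FAIL)(?:/(\w+))?")


def eap_exchange(log_text):
    """Return the EAP steps in order as (message_id, direction, code, method)."""
    steps = []
    for line in log_text.splitlines():
        m = IKE_AUTH_PAYLOADS.search(line)
        if not m:
            continue
        direction = "in" if m.group(1) == "parsed" else "out"  # server -> client is "in"
        for code, method in EAP_PAYLOAD.findall(m.group(4)):
            steps.append((int(m.group(3)), direction, code, method or None))
    return steps


def failed_method(steps):
    """Method the server had requested when EAP/FAIL arrived, or None if no failure."""
    last_method = None
    for _, direction, code, method in steps:
        if direction == "in" and code == "REQ" and method not in (None, "ID"):
            last_method = method
        if code == "FAIL":
            return last_method
    return None


def summarize(log_text):
    steps = eap_exchange(log_text)
    offered = [m for _, d, c, m in steps if d == "in" and c == "REQ" and m not in (None, "ID")]
    outcome = next((c for _, _, c, _ in steps if c in ("SUCC", "FAIL")), "INCOMPLETE")
    return {"methods_offered": offered, "outcome": outcome, "eap_messages": len(steps)}
```

For the quoted log the summary reports a single offered method, MD5, with outcome FAIL, which tells you the RADIUS side chose EAP-MD5 for this identity and rejected the response; that is the point at which to compare the FreeRADIUS EAP configuration with what the LDAP backend can verify.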
