On 15.11.2017 at 09:58, Houman wrote:
> Hallo Michael,
>
> Thanks for your reply. Indeed I should have checked the radius log. It
> seems the shared secret is incorrect, but they do match in the configs as
> pasted below.
> Where else could the secret have been used that I have missed? Thanks
>
> *vim /var/log/freeradius/radius.log*
>
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server <default>
> Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
>
> *vim /etc/strongswan.conf*
>
> charon {
>     load_modular = yes
>     compress = yes
>     plugins {
>         include strongswan.d/charon/*.conf
>         eap-radius {
>             servers {
>                 server-a {
>                     accounting = yes
>                     secret = 123456
>                     address = 127.0.0.1
>                     auth_port = 1812
>                     acct_port = 1813
>                 }
>             }
>         }
>     }
>     include strongswan.d/*.conf
> }
>
> *vim /etc/freeradius/clients.conf*
>
> client 0.0.0.0 {
>     secret = 123456
>     nas_type = other
>     shortname = 0.0.0.0
>     require_message_authenticator = no
> }
>
> On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de> wrote:
>
>> On 15.11.2017 at 08:24, Houman wrote:
>>> Hi,
>>>
>>> I'm new to the concept of EAP and might be misunderstanding something.
>>> Apologies up front.
>>>
>>> I have finally been able to install FreeRadius and enable the SQL module.
>>> I have created a user in the database and was hoping to establish a VPN
>>> connection via that user.
>>>
>>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
>>> ('houman','Cleartext-Password',':=','test123');
>>>
>>> When I try to connect from my MacBook into the StrongSwan server I get this
>>> log. It looks promising but eventually, it says initiating EAP_RADIUS
>>> method failed.
>>>
>>> I'm not quite sure if this has failed due to a bad configuration on my side or
>>> it is for other reasons that I don't quite understand how EAP should work.
>>> Please be so kind and advise,
>>> Thanks,
>>> Houman
>>>
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config 'roadwarrior'
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=vpn2.t.com"
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
>>> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
>>> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
>>> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
>>> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2, already processing
>>> Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
>>> Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2, already processing
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed out after 4 attempts
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method failed
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)
>>
>> It seems that your RADIUS server does not behave properly.
>>
>> Is the server online?
>>
>> Is the RADIUS service running?
>>
>> What are the logs of the RADIUS server, or in other words, what is the
>> output of freeradius -X?
>>
>> Kind regards,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG, 80333 München
>>
>> Registered office: München, Amtsgericht München: HRB 199263
>> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Chairman of the Supervisory Board: Florian Kirstein

Well, RADIUS accepts the client 0.0.0.0. But the client has the address 127.0.0.1. Please change the entry in the clients.conf of the freeradius setup.

Kind regards,

--

[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
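The radius.log line quoted in the thread ("invalid Message-Authenticator! (Shared secret is incorrect.)") is the result of the RFC 2869 section 5.14 check: the server recomputes HMAC-MD5, keyed with the shared secret of the client entry it matched for the packet's source address, over the whole Access-Request with the Message-Authenticator value zeroed, and compares it with the received value. The following is an added example, not code from the thread, from FreeRADIUS or from strongSwan; it builds a constructed Access-Request the way a NAS would, then verifies it once with the NAS's secret and once with a different secret, which is the situation the log reports. It assumes only the Python 3 standard library, and the secrets, user name and NAS address in `demo()` are sample values.

```python
"""RADIUS Message-Authenticator (RFC 2869 s.5.14) build and verify.

Added example; not code from the mailing-list thread, FreeRADIUS or strongSwan.
Assumes Python 3 standard library only.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Request-Authenticator(16)
MSG_AUTH_LEN = 16        # HMAC-MD5 output size


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, attributes, authenticator=None):
    """Build an Access-Request carrying a Message-Authenticator computed with `secret`.

    The HMAC-MD5 is taken over the complete packet (header, Request Authenticator
    and all attributes) with the Message-Authenticator value set to 16 zero bytes,
    and the result then replaces those zeros.
    """
    if authenticator is None:
        authenticator = os.urandom(16)        # Request Authenticator: random per request
    body = b"".join(attributes) + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MSG_AUTH_LEN)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-MSG_AUTH_LEN] + mac       # overwrite the zeroed value with the HMAC


def verify_message_authenticator(secret, packet):
    """Return True only if the packet's Message-Authenticator was computed with `secret`.

    A missing attribute, a malformed packet, or a different secret all give False,
    which is the condition under which a server drops the request silently.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False                      # malformed TLV, reject rather than guess
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == MSG_AUTH_LEN + 2:
            received = packet[pos + 2:pos + attr_len]
            zeroed = packet[:pos + 2] + b"\x00" * MSG_AUTH_LEN + packet[pos + attr_len:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)   # constant-time compare
        pos += attr_len
    return False                              # attribute absent


def demo():
    """Constructed scenario (sample values, not taken from any real deployment).

    Returns (verified with the NAS's secret, verified with a different server secret).
    """
    nas_secret = b"123456"                    # secret the NAS sends with
    server_secret = b"different-secret"       # secret on the server's matched client entry
    attrs = [
        attribute(ATTR_USER_NAME, b"houman"),
        attribute(ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
    ]
    packet = build_access_request(nas_secret, identifier=2, attributes=attrs)
    return (verify_message_authenticator(nas_secret, packet),
            verify_message_authenticator(server_secret, packet))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two points this makes concrete for the thread: the check is keyed on whatever secret the server associated with the source address that matched, so the secret being equal in strongswan.conf and in one clients.conf entry does not help if a different entry is the one that matches 127.0.0.1; and a failed check drops the packet without any reply, so the NAS side sees nothing but the retransmits and the "timed out after 4 attempts" in the charon log rather than an explicit rejection. The clients.conf shown sets `require_message_authenticator = no`, and the log shows that this only relaxes whether the attribute must be present; one that is present is still verified.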