I have changed both configs to 127.0.0.1 and restarted both StrongSwan and FreeRadius but I got the same error message. Then I changed them both to 0.0.0.0 and restarted both servers, and I still get the same error message.
Any idea what this could be?

On Wed, Nov 15, 2017 at 9:01 AM, Michael Schwartzkopff <m...@sys4.de> wrote:
> On 15.11.2017 at 09:58, Houman wrote:
>> Hallo Michael,
>>
>> Thanks for your reply. Indeed I should have checked the radius log. It
>> seems the shared secret is incorrect, but they do match in the configs as
>> pasted below.
>> Where else could the secret have been used that I have missed? Thanks
>>
>> *vim /var/log/freeradius/radius.log*
>>
>> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
>> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
>> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
>> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
>> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
>> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
>> Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
>> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
>> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server <default>
>> Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
>> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
>> Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
>> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
>> Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
>> Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
>>
>> *vim /etc/strongswan.conf*
>>
>> charon {
>>     load_modular = yes
>>     compress = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>         eap-radius {
>>             servers {
>>                 server-a {
>>                     accounting = yes
>>                     secret = 123456
>>                     address = 127.0.0.1
>>                     auth_port = 1812
>>                     acct_port = 1813
>>                 }
>>             }
>>         }
>>     }
>>     include strongswan.d/*.conf
>> }
>>
>> *vim /etc/freeradius/clients.conf*
>>
>> client 0.0.0.0 {
>>     secret = 123456
>>     nas_type = other
>>     shortname = 0.0.0.0
>>     require_message_authenticator = no
>> }
>>
>> On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de> wrote:
>>> On 15.11.2017 at 08:24, Houman wrote:
>>>> Hi,
>>>>
>>>> I'm new to the concept of EAP and might be misunderstanding something.
>>>> Apologies up front.
>>>>
>>>> I have finally been able to install FreeRadius and enable the SQL module.
>>>> I have created a user in the database and was hoping to establish a VPN
>>>> connection via that user.
>>>>
>>>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Cleartext-Password',':=','test123');
>>>>
>>>> When I try to connect from my MacBook into the StrongSwan server I get this
>>>> log. It looks promising but eventually, it says initiating EAP_RADIUS
>>>> method failed.
>>>>
>>>> I'm not quite sure if this has failed due to a bad configuration on my side
>>>> or it is for other reasons that I don't quite understand how EAP should work.
>>>> Please be so kind and advise,
>>>> Thanks,
>>>> Houman
>>>>
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config 'roadwarrior'
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=vpn2.t.com"
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
>>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
>>>> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
>>>> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
>>>> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
>>>> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2, already processing
>>>> Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
>>>> Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2, already processing
>>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[CFG] RADIUS Access-Request timed out after 4 attempts
>>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[IKE] initiating EAP_RADIUS method failed
>>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
>>>> Nov 15 07:13:35 ip-172-31-9-51 charon: 15[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (65 bytes)
>>>>
>>> It seems that your RADIUS server does not behave properly.
>>>
>>> Is the server online?
>>>
>>> Is the RADIUS service running?
>>>
>>> What are the logs of the RADIUS server, or in other words, what is the
>>> output of freeradius -X?
>>>
>>> Best regards,
>>>
>>> --
>>>
>>> [*] sys4 AG
>>>
>>> https://sys4.de, +49 (89) 30 90 46 64
>>> Schleißheimer Straße 26/MG, 80333 München
>>>
>>> Registered office: München, Amtsgericht München: HRB 199263
>>> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>>> Chairman of the supervisory board: Florian Kirstein
>>>
> Well, RADIUS accepts the client 0.0.0.0. But the client has the
> 127.0.0.1. Please change the entry in the clients.conf of the freeradius
> setup.
>
> Best regards,
>
> --
> [*] sys4 AG
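The FreeRADIUS message quoted in the thread ("invalid Message-Authenticator! (Shared secret is incorrect.)") comes from the check below: for EAP, RFC 3579 requires every Access-Request to carry a Message-Authenticator attribute, an HMAC-MD5 over the whole packet keyed with the shared secret, and the server verifies it whenever it is present, whatever `require_message_authenticator` says. The script is an added illustration (not code from strongSwan, FreeRADIUS, or anyone in the thread); it builds a minimal Access-Request like the one charon sends after `received EAP identity 'houman'`, then verifies it with the secret from the thread and with a constructed wrong one.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1          # RADIUS code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79       # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type-Length-Value; Length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying EAP-Response/Identity plus a valid Message-Authenticator.
    The HMAC is computed over the complete packet with the attribute's 16 value bytes
    zeroed, then written into place (RFC 3579 section 3.2)."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    eap = struct.pack("!BBH", 2, ident, 5 + len(username)) + b"\x01" + username
    attrs = _tlv(ATTR_USER_NAME, username) + _tlv(ATTR_EAP_MESSAGE, eap)
    attrs += _tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)))
    pkt += authenticator + attrs
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def _find_attr(pkt: bytes, wanted: int) -> Optional[int]:
    """Walk the attribute list and return the offset of the first match."""
    off = 20
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute")
        if t == wanted:
            return off
        off += length
    return None


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """The server-side check: recompute the HMAC with the client's configured secret.
    A mismatch is exactly what FreeRADIUS reports as 'Shared secret is incorrect'."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    off = _find_attr(pkt, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None or pkt[off + 1] != 18:
        return False
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off + 2:off + 18])


if __name__ == "__main__":
    req = build_access_request(b"123456", 2, b"houman")   # secret from the thread
    print("correct secret:", verify_message_authenticator(b"123456", req))
    print("wrong secret:  ", verify_message_authenticator(b"constructed-wrong", req))
```

Because the HMAC is keyed with the secret of whichever `client` entry FreeRADIUS matched for the source address, a different secret on that matched entry fails this check even when the entry the administrator is looking at has the right one.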