Thanks. Here is swanctl --stats (after a service restart). Two charon_debug log files are attached, one with a successful connection (the userid in question at the end of the list) and one with a failed connection (the userid in question at the front of the list).
Xunil/var/log# swanctl --stats
uptime: 10 seconds, since Nov 29 11:11:07 2017
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 2564096, mmap 0, used 401792, free 2162304
loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-tls xauth-generic
Xunil/var/log#

From: Noel Kuntze <[email protected]>
Sent: Wednesday, November 29, 2017 10:31 AM
To: bls s <[email protected]>; [email protected]
Subject: Re: [strongSwan] swanctl.conf EAP credential information

Hi,

Please provide a log file created with the logger configuration from the HelpRequests[1] page and the output of `swanctl --stats`.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 29.11.2017 19:27, bls s wrote:
>
> Curiously, if eap-user1 is at the end of the list, it authenticates
> correctly, but not if first or second in the list.
>
> From: bls s <[email protected]>
> Sent: Tuesday, November 28, 2017 4:43 PM
> To: [email protected]
> Subject: [strongSwan] swanctl.conf EAP credential information
>
> I'm switching over from using IPsec.conf to charon-systemd. Everything is
> working for the first user, but I have run into a strange issue (or a dumb
> user error!) with the 'secrets' section when trying to implement multiple eap
> passwords.
>
> If my secrets section has only one eap id/password in it, the client
> authenticates correctly. But, if the secrets section has more than one eap
> id/password in it, the MSCHAPv2 authentication fails.
>
> Here's the failing configuration.
> If I remove the 2nd and 3rd entries, user1 works correctly. However, using
> the full secrets section below, user1 fails to authenticate.
>
> connections {
>
>     ikev2-eap-mschapv2 {
>         version = 2
>         # proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>         mobike = yes
>
>         local-1 {
>             certs = strongswanCert.pem
>             id = serverid1
>             auth = psk
>         }
>
>         remote-1 {
>             auth = eap-mschapv2
>             id = clientid1
>             eap_id = %any
>         }
>
>         children {
>             ikev2-eap-mschapv2 {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 # esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>                 # updown = /libexec/ipsec/_updown iptables
>             }
>         }
>     }
>
>     ikev2-pubkey {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>
>         local-1 {
>             certs = vpnHostCert.pem
>             id = server1
>         }
>
>         remote-1 { # defaults are fine
>         }
>
>         children {
>             ikev2-pubkey {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>             }
>         }
>     }
> }
>
> pools {
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3, 8.8.8.8
>     }
> }
>
> secrets {
>     ike-psk {
>         secret = somepsk
>     }
>     [email protected] {
>         id = [email protected]
>         secret = secret1
>     }
>     [email protected] {
>         id = [email protected]
>         secret = secret2
>     }
>     [email protected] {
>         id = [email protected]
>         secret = secret3
>     }
Attachment: charon-debug-authfail.log
Attachment: charon-debug-authOK.log
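As an added example for readers of this thread (not code from strongSwan and not the poster's configuration), the script below parses the swanctl.conf brace syntax and lints a `secrets` block the way a practitioner would before running `swanctl --load-creds`: which sections swanctl will treat as shared secrets or keys, which identities each one is bound to, and which names match none of the documented prefixes. The prefix list, the `id<suffix>` convention and the rule that a shared secret without an id is offered to any peer are taken from the swanctl.conf man page, not from the thread; the sample block, the user names and the passwords are constructed, and the script does not diagnose the ordering problem the poster describes.

```python
"""Lint the `secrets` block of a swanctl.conf file (added example, not strongSwan code).

Assumptions restated from the swanctl.conf man page: the secret type comes from
the section-name prefix (ike*, eap*, xauth*, ntlm*, ppk* are shared secrets;
private*, rsa*, ecdsa*, bliss*, pkcs8*, pkcs12*, token* are keys), identities
live in keys named `id` or `id<suffix>`, and a shared secret without an id is
offered to any peer. `include` and one-line sections are not handled.
"""

SHARED_PREFIXES = ("ike", "eap", "xauth", "ntlm", "ppk")
KEY_PREFIXES = ("private", "rsa", "ecdsa", "bliss", "pkcs8", "pkcs12", "token")


def parse_conf(text):
    """Parse strongSwan conf syntax (`k = v`, `name { ... }`, `#` comments) into nested dicts."""
    root, stack = {}, []
    cur = root
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comment and surrounding whitespace
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            cur = stack.pop()
        elif line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError("unbalanced braces: a section was left open")
    return root


def classify_secrets(conf):
    """Return (section, kind, ids) for each section under `secrets`; kind is shared/key/unknown."""
    rows = []
    for name, body in conf.get("secrets", {}).items():
        if not isinstance(body, dict):
            continue                              # stray `k = v`, not a section
        if name.startswith(SHARED_PREFIXES):
            kind = "shared"
        elif name.startswith(KEY_PREFIXES):
            kind = "key"
        else:
            kind = "unknown"
        ids = [v for k, v in body.items() if k.startswith("id")]   # id, id-1, id2, ...
        rows.append((name, kind, ids))
    return rows


def lint_secrets(conf):
    """Findings worth reading before `swanctl --load-creds`, in section order."""
    findings, seen = [], {}                       # seen: (prefix, id) -> first section
    for name, kind, ids in classify_secrets(conf):
        body = conf["secrets"][name]
        if kind == "unknown":
            findings.append(f"{name}: no ike/eap/xauth/... prefix, swanctl will not load it as a secret")
            continue
        if kind != "shared":
            continue
        if "secret" not in body:
            findings.append(f"{name}: shared secret section without a 'secret' key")
        if not ids:
            findings.append(f"{name}: no id, this secret is offered to any peer")
        prefix = next(p for p in SHARED_PREFIXES if name.startswith(p))
        for ident in ids:
            first = seen.setdefault((prefix, ident), name)
            if first != name:
                findings.append(f"{name}: id {ident} is already bound to a {prefix} secret in {first}")
    return findings


# Constructed sample in the shape of the thread's block; names and passwords are placeholders.
SAMPLE = """\
secrets {
    ike-psk {
        secret = somepsk
    }
    eap-user1 {
        id = user1@example.com
        secret = secret1
    }
    eap-user2 {
        id = user2@example.com
        secret = secret2
    }
    user3 {                         # no eap prefix: never loaded as an EAP secret
        id = user3@example.com
        secret = secret3
    }
    eap-shared {
        id-1 = user1@example.com    # same identity as eap-user1
        id-2 = user4@example.com
        secret = secret4
    }
}
"""

if __name__ == "__main__":
    for name, kind, ids in classify_secrets(parse_conf(SAMPLE)):
        print(f"{name:12} {kind:8} ids={ids}")
    for finding in lint_secrets(parse_conf(SAMPLE)):
        print("WARNING:", finding)
```

Run it against a real file with `parse_conf(open("/etc/swanctl/swanctl.conf").read())`; the parser is deliberately strict and raises on anything it does not understand, so a stray line shows up as an error rather than being silently dropped.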
