Hi,

It seems that you have set both auth_port and acct_port to 1812, while acct_port should be udp/1813. Can you please check if changing that fixes the issue?
Nikola

September 23, 2018 8:36 AM, "Konstantin Votinov" <voti...@protonmail.com> wrote:

Hi all,

I am having issues with the eap-radius plugin when "accounting = yes" is set.

I have IPSec and IKEv2 connections set up in Strongswan.

IPSec (conn IKEv1-PSK-XAuth) works correctly whether accounting is set to "no" or "yes".
IKEv2 (conn ikev2-mschapv2-apple) doesn't connect with accounting set to "yes", but connects with accounting set to "no".

I've tried to increase the timeout, but it didn't work.

Below is the log for an IKEv2 connection attempt:

Sep 23 15:21:35 07[NET] received packet: from this.is.my.ip[33584] to this.is.server.ip[500] (304 bytes)
Sep 23 15:21:35 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 23 15:21:35 07[IKE] this.is.my.ip is initiating an IKE_SA
Sep 23 15:21:35 07[IKE] remote host is behind NAT
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
Sep 23 15:21:35 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
Sep 23 15:21:35 07[NET] sending packet: from this.is.server.ip[500] to this.is.my.ip[33584] (385 bytes)
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (348 bytes)
Sep 23 15:21:35 10[ENC] unknown attribute type (25)
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Sep 23 15:21:35 10[CFG] looking for peer configs matching this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:35 10[CFG] selected peer config 'ikev2-mschapv2-apple'
Sep 23 15:21:35 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 23 15:21:35 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 15:21:35 10[IKE] peer supports MOBIKE
Sep 23 15:21:35 10[IKE] authentication of 'ikev2.mydomain.net' (myself) with RSA signature successful
Sep 23 15:21:35 10[IKE] sending end entity cert "C=IL, CN=ikev2.mydomain.net"
Sep 23 15:21:35 10[IKE] sending issuer cert "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Sep 23 15:21:35 10[ENC] splitting IKE message with length of 3660 bytes into 4 fragments
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(1/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(2/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(3/4) ]
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(4/4) ]
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (112 bytes)
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif'
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01)
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (92 bytes)
Sep 23 15:21:35 08[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 15:21:35 08[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (108 bytes)
Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (140 bytes)
Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (124 bytes)
Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
Sep 23 15:21:35 10[CFG] sending RADIUS Access-Request to server 'radiusServer'
Sep 23 15:21:35 10[CFG] received RADIUS Access-Accept from server 'radiusServer'
Sep 23 15:21:35 10[IKE] RADIUS authentication of 'ligykpif' successful
Sep 23 15:21:35 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
Sep 23 15:21:36 15[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
Sep 23 15:21:36 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
Sep 23 15:21:36 15[IKE] authentication of '192.168.1.137' with EAP successful
Sep 23 15:21:36 15[IKE] authentication of 'ikev2.mydomain.net' (myself) with EAP
Sep 23 15:21:36 15[IKE] IKE_SA ikev2-mschapv2-apple[2] established between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any
Sep 23 15:21:36 15[CFG] reassigning offline lease to 'ligykpif'
Sep 23 15:21:36 15[IKE] assigning virtual IP 10.0.12.1 to peer 'ligykpif'
Sep 23 15:21:36 15[IKE] peer requested virtual IP %any6
Sep 23 15:21:36 15[IKE] no virtual IP found for %any6 requested by 'ligykpif'
Sep 23 15:21:36 15[IKE] CHILD_SA ikev2-mschapv2-apple{2} established with SPIs c8cc7f31_i 0164b11e_o and TS 0.0.0.0/0 ::/0 === 10.0.12.1/32
Sep 23 15:21:36 15[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
Sep 23 15:21:38 15[CFG] retransmit 1 of RADIUS Accounting-Request (timeout: 2.8s)
Sep 23 15:21:40 15[CFG] retransmit 2 of RADIUS Accounting-Request (timeout: 3.9s)
Sep 23 15:21:44 15[CFG] retransmit 3 of RADIUS Accounting-Request (timeout: 5.5s)
Sep 23 15:21:46 16[MGR] ignoring request with ID 6, already processing
Sep 23 15:21:50 15[CFG] RADIUS Accounting-Request timed out after 4 attempts
Sep 23 15:21:50 15[CFG] deleting IKE_SA after RADIUS timeout
Sep 23 15:21:50 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sep 23 15:21:50 15[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (284 bytes)
Sep 23 15:21:50 13[IKE] deleting IKE_SA ikev2-mschapv2-apple[2] between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
Sep 23 15:21:50 13[IKE] sending DELETE for IKE_SA ikev2-mschapv2-apple[2]
Sep 23 15:21:50 13[ENC] generating INFORMATIONAL request 0 [ D ]
Sep 23 15:21:50 13[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
Sep 23 15:21:50 16[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
Sep 23 15:21:50 16[ENC] parsed INFORMATIONAL response 0 [ ]
Sep 23 15:21:50 16[IKE] IKE_SA deleted
Sep 23 15:21:50 16[CFG] sending RADIUS Accounting-Request to server 'radiusServer'

ipsec.conf is as follows:

config setup
    uniqueids=no
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftfirewall=yes
    right=%any
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    auto=add

conn L2TP-IKEv1-PSK
    type=transport
    keyexchange=ikev1
    authby=secret
    leftprotoport=udp/l2tp
    left=%any
    right=%any
    rekey=no
    forceencaps=yes

conn Non-L2TP
    leftsubnet=0.0.0.0/0
    rightsubnet=10.0.2.0/24
    rightsourceip=10.0.2.0/24

# Cisco IPSec
conn IKEv1-PSK-XAuth
    also=Non-L2TP
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius

conn ikev2-mschapv2
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    keyexchange=ikev2
    auto=add
    reauth=no
    fragmentation=yes
    leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    eap_identity=%identity
    rightsubnet=10.0.12.0/24
    rightsourceip=10.0.12.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius

# Apple clients usually go here
conn ikev2-mschapv2-apple
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    keyexchange=ikev2
    auto=add
    reauth=no
    fragmentation=yes
    leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    eap_identity=%identity
    rightsubnet=10.0.12.0/24
    rightsourceip=10.0.12.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    leftid=ikev2.mydomain.net

strongswan.conf is below:

charon {
    use_ipv6 = no
    load_modular = yes
    send_vendor_id = yes
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 1
            append = no
            flush_line = yes
        }
    }
    plugins {
        eap-radius {
            station_id_with_port = no
            accounting = yes
            servers {
                radiusServer {
                    nas_identifer = this.is.server.ip
                    secret = radiuspassword
                    address = radius.server.ip
                    auth_port = 1812 # default
                    acct_port = 1812 # default
                }
            }
        }
        include strongswan.d/charon/*.conf
        attr {
            dns = 8.8.8.8, 8.8.4.4
        }
    }
}
include strongswan.d/*.conf

I am really out of ideas on what can cause the issue. Maybe someone had a similar problem?

Any help will be appreciated! Thanks in advance!
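The pattern in the log (Access-Requests answered immediately, then four unanswered Accounting-Request retransmits and an IKE_SA teardown) is what you get when accounting records are sent to the authentication port. The following is an added example, not strongSwan code and not from either poster: a minimal RFC 2866 client that builds an Accounting-Request with the correct Request Authenticator, validates the Accounting-Response under the shared secret, and lets you probe udp/1813 directly. The server address, shared secret, NAS identifier and the helper names (`probe_accounting`, `build_acct_response`) are assumptions for illustration.

```python
import hashlib, hmac, os, socket, struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # RADIUS packet codes (RFC 2866)
# Attribute types from RFC 2865/2866
USER_NAME, NAS_IDENTIFIER, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 32, 40, 44
ACCT_STATUS_START = 1

def attr(atype, value):
    """One RADIUS AVP: Type(1) | Length(1, counts the 2-byte header) | Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_acct_request(secret, identifier, user, nas_id, session_id):
    """Accounting-Request (Start) with the RFC 2866 Request Authenticator."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length | 16 zero bytes | Attributes | Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def build_acct_response(secret, request):
    """The reply a correctly reached accounting server sends (no attributes)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code+ID+Length | RequestAuth | Attributes | Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_acct_response(secret, request, response):
    """True only if the reply matches our request ID and authenticates."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe_accounting(server, secret, port=1813, timeout=2.0):
    """Send one constructed Start record; False means no authentic reply arrived.
    Pointed at udp/1812 (the thread's misconfiguration) this times out, because
    an authentication listener does not answer Accounting-Requests."""
    req = build_acct_request(secret, os.urandom(1)[0], "probe", "nas-probe", "0001")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_acct_response(secret, req, resp)
```

Running `probe_accounting("radius.server.ip", b"radiuspassword", port=1812)` alongside `port=1813` shows which listener actually answers accounting traffic, independent of charon's retransmit timers.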