List: strongswan-users
Subject: Re: [strongSwan] I have some questions about strongswan configuration.
From: Hyun-Jin Kim <be.successor () gmail ! com>
Date: 2015-08-19 4:35:28
Message-ID: CAFou1QkEmNo+Wny9u4BBgnUJZXFicEhrSskYZcHGuiyozfLpTw () mail ! gmail ! com
Thank you for your answer.
I'm sorry for the confusion.
To put it delicately, I want to add a Radius server to the G/W1 ==== G/W2 IPsec setup.
So, G/W1 and G/W2 have to work as Radius clients.
[image: body image 1]
I have now tried the tip you gave me:
rightauth=eap-md5 => eap-radius
> *<Server configuration>*
>
> 1) ipsec.conf
> [...]
> conn rw-eap
> rightauth=eap-radius
> [...]
*My problem is...*
*1) Why is this message generated?*
*syslog message: Aug 19 12:14:23 radSer charon: 10[IKE] loading EAP_RADIUS
method failed*
*2) The Radius server couldn't capture any packets.*
How can I solve this problem? Please help me.
This is my configuration.
(I raised the debugging level: charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3")
*<G/W1 configuration>*
1) ipsec.conf
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-eap
left=192.168.0.1
leftsubnet=129.254.73.0/24
leftcert=moon.pem
leftid=strongswan moon
leftauth=pubkey
leftfirewall=yes
rightid=strongswan sun
rightauth=eap-radius
rightsendcert=never
right=192.168.0.2
auto=add
2) strongswan.conf
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl
revocation hmac xcbc stroke kernel-netlink socket-default fips-prf
eap-radius updown
plugins{
eap-radius {
secret = testing123
address = 129.254.72.87
}
}
}
3) ipsec.secrets
: RSA moon.key "1p2p3p"
: RSA ca.key "1p2p3p"
4) ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-61-generic,
x86_64):
uptime: 59 minutes, since Aug 19 12:22:10 2015
malloc: sbrk 2568192, mmap 0, used 398432, free 2169760
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce
x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
fips-prf eap-radius updown
Listening IP addresses:
192.168.0.1
129.254.73.189
Connections:
rw-eap: 192.168.0.1...192.168.0.2 IKEv2
rw-eap: local: [C=KR, ST=Some-State, O=Etri, CN=strongswan moon]
uses public key authentication
rw-eap: cert: "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
rw-eap: remote: [strongswan sun] uses EAP_RADIUS authentication
rw-eap: child: 129.254.73.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
5) tail -f /var/log/syslog /var/log/auth.log
root@radSer:/home/guest/temp/strongswan-5.2.2# tail -f /var/log/syslog
/var/log/auth.log
==> /var/log/syslog <==
Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host
129.254.190.77.
Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host
129.254.195.208.
Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host
129.254.172.192.
Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host
fe80::6e3b:e5ff:fe06:ad82.
Aug 19 13:15:00 radSer avahi-daemon[904]: Invalid response packet from host
129.254.172.139.
Aug 19 13:15:10 radSer avahi-daemon[904]: server.c: Packet too short or
invalid while reading known answer record. (Maybe a UTF-8 problem?)
Aug 19 13:17:01 radSer CRON[30816]: (root) CMD ( cd / && run-parts
--report /etc/cron.hourly)
Aug 19 13:20:21 radSer avahi-daemon[904]: message repeated 4 times: [
server.c: Packet too short or invalid while reading known answer record.
(Maybe a UTF-8 problem?)]
Aug 19 13:21:09 radSer avahi-daemon[904]: Invalid response packet from host
fe80::5265:f3ff:fe5d:c1a.
Aug 19 13:22:01 radSer avahi-daemon[904]: server.c: Packet too short or
invalid while reading known answer record. (Maybe a UTF-8 problem?)
==> /var/log/auth.log <==
Aug 19 12:22:10 radSer ipsec_starter[30718]: !!
http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Aug 19 12:22:11 radSer ipsec_starter[30739]: charon (30740) started after
20 ms
Aug 19 12:22:21 radSer charon: 12[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 19 12:22:32 radSer charon: 04[IKE] 192.168.0.2 is initiating an IKE_SA
Aug 19 12:39:01 radSer CRON[30777]: pam_unix(cron:session): session opened
for user root by (uid=0)
Aug 19 12:39:01 radSer CRON[30777]: pam_unix(cron:session): session closed
for user root
Aug 19 13:09:01 radSer CRON[30800]: pam_unix(cron:session): session opened
for user root by (uid=0)
Aug 19 13:09:01 radSer CRON[30800]: pam_unix(cron:session): session closed
for user root
Aug 19 13:17:01 radSer CRON[30815]: pam_unix(cron:session): session opened
for user root by (uid=0)
Aug 19 13:17:01 radSer CRON[30815]: pam_unix(cron:session): session closed
for user root
==> /var/log/syslog <==
Aug 19 13:22:35 radSer charon: 13[NET] received packet: from
192.168.0.2[500] to 192.168.0.1[500] (692 bytes)
Aug 19 13:22:35 radSer charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 19 13:22:35 radSer charon: 13[IKE] 192.168.0.2 is initiating an IKE_SA
==> /var/log/auth.log <==
Aug 19 13:22:35 radSer charon: 13[IKE] 192.168.0.2 is initiating an IKE_SA
==> /var/log/syslog <==
Aug 19 13:22:36 radSer charon: 13[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 19 13:22:36 radSer charon: 13[NET] sending packet: from
192.168.0.1[500] to 192.168.0.2[500] (440 bytes)
Aug 19 13:22:36 radSer charon: 14[NET] received packet: from
192.168.0.2[4500] to 192.168.0.1[4500] (492 bytes)
Aug 19 13:22:36 radSer charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 19 13:22:36 radSer charon: 14[IKE] received cert request for "C=KR,
ST=Some-State, O=Etri, CN=strongswan1"
Aug 19 13:22:36 radSer charon: 14[CFG] looking for peer configs matching
192.168.0.1[C=KR, ST=Some-State, O=Etri, CN=strongswan
moon]...192.168.0.2[strongswan sun]
Aug 19 13:22:36 radSer charon: 14[CFG] selected peer config 'rw-eap'
Aug 19 13:22:36 radSer charon: 14[IKE] loading EAP_RADIUS method failed
Aug 19 13:22:36 radSer charon: 14[IKE] peer supports MOBIKE
Aug 19 13:22:36 radSer charon: 14[ENC] generating IKE_AUTH response 1 [ IDr
EAP/FAIL ]
Aug 19 13:22:36 radSer charon: 14[NET] sending packet: from
192.168.0.1[4500] to 192.168.0.2[4500] (156 bytes)
*<G/W2 configuration>*
1) ipsec.conf
config setup
# charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=192.168.0.2
leftid=strongswan sun
leftauth=eap
leftfirewall=yes
right=192.168.0.1
rightid=strongswan moon
rightsubnet=129.254.73.0/24
rightauth=pubkey
rightcert=moon.pem
auto=add
2) strongswan.conf
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl
revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5
updown
plugins{
eap-radius {
secret = testing123
address = 129.254.72.87
}
}
3) ipsec.secrets
: RSA sun.key "1p2p3p"
: RSA moon.key "1p2p3p"
strongswan sun : EAP "testing123"
4) ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-57-generic,
x86_64):
uptime: 62 minutes, since Aug 19 12:23:22 2015
malloc: sbrk 405504, mmap 0, used 344912, free 60592
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce
x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
fips-prf eap-md5 updown
Listening IP addresses:
192.168.0.55
192.168.0.2
129.254.73.188
Connections:
home: 192.168.0.2...192.168.0.1 IKEv2
home: local: [strongswan sun] uses EAP authentication
home: remote: [C=KR, ST=Some-State, O=Etri, CN=strongswan moon]
uses public key authentication
home: cert: "C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
home: child: dynamic === 129.254.73.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
5) tail -f /var/log/syslog /var/log/auth.log
root@radClient:~# tail -f /var/log/syslog /var/log/auth.log
==> /var/log/syslog <==
Aug 19 13:24:57 radClient avahi-daemon[843]: Invalid response packet from
host fe80::fe15:b4ff:fe78:6dc3.
Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from
host fe80::3664:a9ff:fe69:ad9b.
Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from
host 129.254.194.88.
Aug 19 13:24:58 radClient avahi-daemon[843]: server.c: Packet too short or
invalid while reading known answer record. (Maybe a UTF-8 problem?)
Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from
host 129.254.172.139.
Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from
host fe80::6e3b:e5ff:fe06:ad82.
Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from
host 129.254.72.230.
Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response packet from
host fe80::a2b3:ccff:fe9b:4b2e.
Aug 19 13:24:59 radClient avahi-daemon[843]: Invalid response packet from
host fe80::a65d:36ff:fe62:e868.
Aug 19 13:24:59 radClient avahi-daemon[843]: Invalid response packet from
host 129.254.190.77.
==> /var/log/auth.log <==
Aug 19 12:23:21 radClient ipsec_starter[10575]: !!
http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Aug 19 12:23:21 radClient ipsec_starter[10596]: charon (10597) started
after 20 ms
Aug 19 12:23:39 radClient charon: 12[IKE] initiating IKE_SA home[1] to
192.168.0.1
Aug 19 12:23:39 radClient charon: 13[IKE] establishing CHILD_SA home
Aug 19 12:23:50 radClient charon: 07[IKE] initiating IKE_SA home[2] to
192.168.0.1
Aug 19 12:23:50 radClient charon: 08[IKE] establishing CHILD_SA home
Aug 19 13:17:01 radClient CRON[10644]: pam_unix(cron:session): session
opened for user root by (uid=0)
Aug 19 13:17:01 radClient CRON[10644]: pam_unix(cron:session): session
closed for user root
Aug 19 13:23:53 radClient charon: 08[IKE] initiating IKE_SA home[3] to
192.168.0.1
Aug 19 13:23:53 radClient charon: 09[IKE] establishing CHILD_SA home
==> /var/log/syslog <==
Aug 19 13:25:46 radClient charon: 05[NET] received packet: from
192.168.0.1[500] to 192.168.0.2[500] (692 bytes)
==> /var/log/auth.log <==
Aug 19 13:25:46 radClient charon: 05[IKE] 192.168.0.1 is initiating an
IKE_SA
==> /var/log/syslog <==
Aug 19 13:25:46 radClient charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 19 13:25:46 radClient charon: 05[IKE] 192.168.0.1 is initiating an
IKE_SA
Aug 19 13:25:46 radClient charon: 05[IKE] sending cert request for "C=KR,
ST=Some-State, O=Etri, CN=strongswan1"
Aug 19 13:25:46 radClient charon: 05[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 19 13:25:46 radClient charon: 05[NET] sending packet: from
192.168.0.2[500] to 192.168.0.1[500] (465 bytes)
Aug 19 13:25:46 radClient charon: 07[NET] received packet: from
192.168.0.1[4500] to 192.168.0.2[4500] (1228 bytes)
Aug 19 13:25:46 radClient charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi
CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Aug 19 13:25:46 radClient charon: 07[IKE] received end entity cert "C=KR,
ST=Some-State, O=Etri, CN=strongswan moon"
Aug 19 13:25:46 radClient charon: 07[CFG] looking for peer configs matching
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
Aug 19 13:25:46 radClient charon: 07[CFG] selected peer config 'home'
Aug 19 13:25:46 radClient charon: 07[CFG] using trusted ca certificate
"C=KR, ST=Some-State, O=Etri, CN=strongswan1"
Aug 19 13:25:46 radClient charon: 07[CFG] checking certificate status of
"C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
Aug 19 13:25:46 radClient charon: 07[CFG] certificate status is not
available
Aug 19 13:25:46 radClient charon: 07[CFG] reached self-signed root ca
with a path length of 0
Aug 19 13:25:46 radClient charon: 07[CFG] using trusted certificate
"C=KR, ST=Some-State, O=Etri, CN=strongswan moon"
Aug 19 13:25:46 radClient charon: 07[IKE] authentication of 'C=KR,
ST=Some-State, O=Etri, CN=strongswan moon' with RSA signature successful
Aug 19 13:25:46 radClient charon: 07[IKE] peer supports MOBIKE
Aug 19 13:25:46 radClient charon: 07[IKE] IKE_SA home[4] established
between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State,
O=Etri, CN=strongswan moon]
==> /var/log/auth.log <==
Aug 19 13:25:46 radClient charon: 07[IKE] IKE_SA home[4] established
between 192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State,
O=Etri, CN=strongswan moon]
==> /var/log/syslog <==
Aug 19 13:25:46 radClient charon: 07[IKE] scheduling reauthentication in
3316s
Aug 19 13:25:46 radClient charon: 07[IKE] maximum IKE_SA lifetime 3496s
==> /var/log/auth.log <==
Aug 19 13:25:46 radClient charon: 07[IKE] CHILD_SA home{4} established with
SPIs cf4d1089_i c47c418e_o and TS 192.168.0.2/32 === 129.254.73.0/24
==> /var/log/syslog <==
Aug 19 13:25:46 radClient charon: 07[IKE] CHILD_SA home{4} established with
SPIs cf4d1089_i c47c418e_o and TS 192.168.0.2/32 === 129.254.73.0/24
Aug 19 13:25:46 radClient vpn: + C=KR, ST=Some-State, O=Etri, CN=strongswan
moon 129.254.73.0/24 == 192.168.0.1 -- 192.168.0.2
Aug 19 13:25:46 radClient charon: 07[ENC] generating IKE_AUTH response 1 [
IDr SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Aug 19 13:25:46 radClient charon: 07[NET] sending packet: from
192.168.0.2[4500] to 192.168.0.1[4500] (220 bytes)
Aug 19 13:25:46 radClient charon: 12[NET] received packet: from
192.168.0.1[4500] to 192.168.0.2[4500] (76 bytes)
Aug 19 13:25:46 radClient charon: 12[ENC] parsed INFORMATIONAL request 2 [
N(AUTH_FAILED) ]
Aug 19 13:25:46 radClient charon: 12[IKE] received DELETE for IKE_SA home[4]
Aug 19 13:25:46 radClient charon: 12[IKE] deleting IKE_SA home[4] between
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
==> /var/log/auth.log <==
Aug 19 13:25:46 radClient charon: 12[IKE] deleting IKE_SA home[4] between
192.168.0.2[strongswan sun]...192.168.0.1[C=KR, ST=Some-State, O=Etri,
CN=strongswan moon]
==> /var/log/syslog <==
Aug 19 13:25:46 radClient charon: 12[IKE] IKE_SA deleted
==> /var/log/auth.log <==
Aug 19 13:25:46 radClient charon: 12[IKE] IKE_SA deleted
==> /var/log/syslog <==
Aug 19 13:25:46 radClient vpn: - C=KR, ST=Some-State, O=Etri, CN=strongswan
moon 129.254.73.0/24 == 192.168.0.1 -- 192.168.0.2
Aug 19 13:25:46 radClient charon: 12[ENC] generating INFORMATIONAL response
2 [ ]
Aug 19 13:25:46 radClient charon: 12[NET] sending packet: from
192.168.0.2[4500] to 192.168.0.1[4500] (76 bytes)
*<FreeRADIUS configuration>*
1) radiusd.conf
# radiusd.conf -- FreeRADIUS server configuration file.
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/freeradius
raddbdir = ${sysconfdir}/freeradius
radacctdir = ${logdir}/radacct
# name of the running server. See also the "-n" command-line option.
name = freeradius
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
# libdir: Where to find the rlm_* modules.
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
pidfile = ${run_dir}/${name}.pid
# max_request_time: The maximum time (in seconds) to handle a request.
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
max_requests = 1024
# listen: Make the server listen on a particular IP address, and send
listen {
type = auth
ipaddr = 129.254.72.87
port = 0
}
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
type = acct
ipaddr = 129.254.72.87
port = 0
}
# hostname_lookups: Log the names of clients or just their IP addresses
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
allow_core_dumps = no
# Regular expressions
regular_expressions = yes
extended_expressions = yes
# Logging section. The various "log_*" configuration items
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# Security considerations
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
# PROXY CONFIGURATION
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# MODULE CONFIGURATION
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}
# Instantiation
instantiate {
exec
expr
expiration
logintime
}
# Policies
$INCLUDE policy.conf
# Include all enabled virtual hosts
$INCLUDE sites-enabled/
2) eap.conf
eap {
default_eap_type = md5
md5 {
}
}
3) clients.conf
etri1 129.254.73.189 {
secret = testing123
shortname = moon
}
etri2 129.254.73.188 {
secret = testing123
shortname = sun
}
4) users
sun Cleartext-Password := "testing123"
moon Cleartext-Password := "testing123"
5) proxy.conf
realm strongswan.org {
type = radius
authhost = LOCAL
accthost = LOCAL
}
6) strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation
constraints pubkey gmp random nonce curl kernel-netlink socket-default
updown stroke
}
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
------------------------------------
Hyun-jin Kim, Master's course
Information Security Laboratory
ChungNam National University
E: be.successor@gmail.com
Tel : +82-10-4410-4292 / +82-42-821-7443
------------------------------------
2015-08-19 4:41 GMT+09:00 Noel Kuntze <noel@familie-kuntze.de>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello,
>
> > *<Server configuration>*
> >
> > 1) ipsec.conf
> > [...]
> > conn rw-eap
> > rightauth=eap-md5
> > [...]
>
> That tells strongSwan to try to authenticate the other side using eap-md5.
> This doesn't make sense, if you want to delegate the eap authentication
> to a RADIUS server. You need to set that value to eap-radius.
>
> Judging from your diagram and the configs, you want to authenticate the
> server
> to the client using a certificate and delegate the EAP authentication,
> which happens after the certificate authentication, to a RADIUS server?
>
> In that case, strongSwan only relays the EAP messages in the IKE exchange
> to
> the RADIUS server and does not do any EAP exchanges with the client.
> Therefore you need to tell it to use the eap-radius plugin for
> authenticating the client.
> If you had followed the configuration file[1] for moon correctly, you would
> have seen that:
>
> > [...]
> > conn rw-eap
> > rightauth=eap-radius
> > [...]
>
> Also, the auth.log file on the server tells you the problem:
>
> > Aug 18 16:21:23 radSer charon: 06[CFG] selected peer config 'rw-eap'
> > Aug 18 16:21:23 radSer charon: 06[IKE] loading EAP_MD5 method failed
> > Aug 18 16:21:23 radSer charon: 06[ENC] generating IKE_AUTH response 1 [
> IDr EAP/FAIL ]
>
>
>
>
> [1]
> https://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-radius/moon.ipsec.conf
>
> - --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
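The two symptoms in this post (`loading EAP_RADIUS method failed` on G/W1, and a RADIUS server that never sees a packet) both depend on what charon finds under `charon.plugins.eap-radius` when it has to build the EAP method for a `rightauth=eap-radius` connection. The following is an added example, not code from this thread or from strongSwan: a small linter for that section. It assumes the strongSwan 5.x setting names `charon.plugins.eap-radius.server` / `secret` (legacy single-server form) and `charon.plugins.eap-radius.servers.<name>.address` / `secret` (current form); a top-level `address` key is not one the plugin reads, so with only `secret` and `address` set the plugin has no server to relay to, which is why the check treats that as fatal. The sample inputs are the G/W1 and G/W2 strongswan.conf fragments as posted above (wrapped `load` lines rejoined, G/W2 with the missing closing brace exactly as posted) plus a corrected G/W1 variant in which the server section name `radSer` is a placeholder.

```python
"""Lint the eap-radius section of a strongswan.conf (added example, not strongSwan code)."""

# Top-level keys the eap-radius plugin reads in strongSwan 5.x. Non-exhaustive
# list taken from the strongswan.conf documentation; assumption for this example.
KNOWN_EAP_RADIUS_KEYS = {
    "server", "secret", "port", "nas_identifier", "sockets", "eap_start",
    "id_prefix", "class_group", "filter_id", "accounting",
}


def parse_strongswan_conf(text):
    """Parse strongswan.conf syntax (`section {`, `}` and `key = value` lines,
    `#` comments) into nested dicts. Raises ValueError on unbalanced braces."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces: '}' without an open section")
            stack.pop()
        elif line.endswith("{"):                     # also matches "plugins{"
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw.strip()!r}")
    if len(stack) != 1:
        raise ValueError(f"unbalanced braces: {len(stack) - 1} section(s) left open")
    return root


def lint_eap_radius(text):
    """Return findings that would stop charon from creating an EAP_RADIUS method;
    an empty list means the section looks complete."""
    try:
        conf = parse_strongswan_conf(text)
    except ValueError as err:
        return [f"parse error: {err}"]
    findings = []
    charon = conf.get("charon", {})
    if "eap-radius" not in charon.get("load", "").split():
        findings.append("eap-radius plugin is not in charon.load")
    er = charon.get("plugins", {}).get("eap-radius", {})
    servers = er.get("servers")
    servers = servers if isinstance(servers, dict) else {}
    legacy = er.get("server")
    if not servers and not legacy:
        findings.append("no RADIUS server configured: set charon.plugins.eap-radius.server "
                        "(legacy) or charon.plugins.eap-radius.servers.<name>.address")
    if legacy and "secret" not in er:
        findings.append("legacy server set but charon.plugins.eap-radius.secret is missing")
    for name, srv in servers.items():
        if not isinstance(srv, dict) or "address" not in srv:
            findings.append(f"servers.{name} has no address")
        elif "secret" not in srv and "secret" not in er:
            findings.append(f"servers.{name} has no secret")
    for key, value in er.items():
        if not isinstance(value, dict) and key not in KNOWN_EAP_RADIUS_KEYS:
            findings.append(f"unknown key '{key}' in eap-radius section is ignored by the plugin")
    return findings


LOAD = ("aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation "
        "hmac xcbc stroke kernel-netlink socket-default fips-prf")

# G/W1 strongswan.conf as posted (load line rejoined).
POSTED_GW1_CONF = f"""charon {{
    load = {LOAD} eap-radius updown
    plugins{{
        eap-radius {{
            secret = testing123
            address = 129.254.72.87
        }}
    }}
}}
"""

# G/W2 strongswan.conf as posted: loads eap-md5, and one closing brace is missing.
POSTED_GW2_CONF = f"""charon {{
    load = {LOAD} eap-md5 updown
    plugins{{
        eap-radius {{
            secret = testing123
            address = 129.254.72.87
        }}
    }}
"""

# Corrected G/W1 variant using the servers section ("radSer" is a placeholder name).
FIXED_GW1_CONF = f"""charon {{
    load = {LOAD} eap-radius updown
    plugins {{
        eap-radius {{
            servers {{
                radSer {{
                    address = 129.254.72.87
                    secret = testing123
                }}
            }}
        }}
    }}
}}
"""

if __name__ == "__main__":
    for label, conf in (("G/W1 as posted", POSTED_GW1_CONF),
                        ("G/W2 as posted", POSTED_GW2_CONF),
                        ("G/W1 corrected", FIXED_GW1_CONF)):
        print(label, "->", lint_eap_radius(conf) or ["ok"])
```

Running it prints two findings for the posted G/W1 file (no server configured, unknown `address` key), a parse error for the posted G/W2 file, and nothing for the corrected variant. A server that is never configured in charon explains a RADIUS host that captures no packets at all, so this check is worth running before looking at firewalls or clients.conf.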
radClient avahi-daemon[843]: Invalid response packet from host \
fe80::fe15:b4ff:fe78:6dc3.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: \
Invalid response packet from host fe80::3664:a9ff:fe69:ad9b.</div><div>Aug 19 \
13:24:58 radClient avahi-daemon[843]: Invalid response packet from host \
129.254.194.88.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: server.c: \
Packet too short or invalid while reading known answer record. (Maybe a UTF-8 \
problem?)</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: Invalid response \
packet from host 129.254.172.139.</div><div>Aug 19 13:24:58 radClient \
avahi-daemon[843]: Invalid response packet from host \
fe80::6e3b:e5ff:fe06:ad82.</div><div>Aug 19 13:24:58 radClient avahi-daemon[843]: \
Invalid response packet from host 129.254.72.230.</div><div>Aug 19 13:24:58 radClient \
avahi-daemon[843]: Invalid response packet from host \
fe80::a2b3:ccff:fe9b:4b2e.</div><div>Aug 19 13:24:59 radClient avahi-daemon[843]: \
Invalid response packet from host fe80::a65d:36ff:fe62:e868.</div><div>Aug 19 \
13:24:59 radClient avahi-daemon[843]: Invalid response packet from host \
129.254.190.77.</div><div><br></div><div>==> /var/log/auth.log \
<==</div><div>Aug 19 12:23:21 radClient ipsec_starter[10575]: !! <a \
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/freeradius
raddbdir = ${sysconfdir}/freeradius
radacctdir = ${logdir}/radacct
# name of the running server. See also the "-n" command-line option.
name = freeradius
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
# libdir: Where to find the rlm_* modules.
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
pidfile = ${run_dir}/${name}.pid
# max_request_time: The maximum time (in seconds) to handle a request.
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
max_requests = 1024
# listen: Make the server listen on a particular IP address, and send
listen {
type = auth
ipaddr = 129.254.72.87
port = 0
}
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
type = acct
ipaddr = 129.254.72.87
port = 0
}
# hostname_lookups: Log the names of clients or just their IP addresses
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
allow_core_dumps = no
# Regular expressions
regular_expressions = yes
extended_expressions = yes
# Logging section. The various "log_*" configuration items
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# Security considerations
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
# PROXY CONFIGURATION
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# MODULE CONFIGURATION
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
}
# Instantiation
instantiate {
exec
expr
expiration
logintime
}
# Policies
$INCLUDE policy.conf
# Include all enabled virtual hosts
$INCLUDE sites-enabled/

2) eap.conf

eap {
default_eap_type = md5
md5 {
}
}

3) clients.conf

etri1 129.254.73.189 {
secret = testing123
shortname = moon
}
etri2 129.254.73.188 {
secret = testing123
shortname = sun
}

4) users

sun Cleartext-Password := "testing123"
moon Cleartext-Password := "testing123"

5) proxy.conf

realm strongswan.org {
type = radius
authhost = LOCAL
accthost = LOCAL
}

6) strongswan.conf

# /etc/strongswan.conf - strongSwan configuration file
charon {
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
}
libstrongswan {
dh_exponent_ansi_x9_42 = no
}

------------------------------------
Hyun-jin Kim, Master's course
Information Security Laboratory
ChungNam National University
E: be.successor@gmail.com
Tel : +82-10-4410-4292 / +82-42-821-7443
------------------------------------
2015-08-19 4:41 GMT+09:00 Noel Kuntze <noel@familie-kuntze.de>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello,
>
> > *<Server configuration>*
> >
> > 1) ipsec.conf
> > [...]
> > conn rw-eap
> > rightauth=eap-md5
> > [...]
>
> That tells strongSwan to try to authenticate the other side using eap-md5.
> This doesn't make sense, if you want to delegate the eap authentication
> to a RADIUS server. You need to set that value to eap-radius.
>
> Judging from your diagram and the configs, you want to authenticate the server
> to the client using a certificate and delegate the EAP authentication,
> which happens after the certificate authentication, to a RADIUS server?
>
> In that case, strongSwan only relays the EAP messages in the IKE exchange to
> the RADIUS server and does not do any EAP exchanges with the client.
> Therefore you need to tell it to use the eap-radius plugin for authenticating the
> client.
> If you had followed the configuration file[1] for moon correctly, you would have
> seen that:
>
> > [...]
> > conn rw-eap
> > rightauth=eap-radius
> > [...]
>
> Also, the auth.log file on the server tells you the problem:
>
> > Aug 18 16:21:23 radSer charon: 06[CFG] selected peer config 'rw-eap'
> > Aug 18 16:21:23 radSer charon: 06[IKE] loading EAP_MD5 method failed
> > Aug 18 16:21:23 radSer charon: 06[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
>
> [1] https://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-radius/moon.ipsec.conf
>
> - --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJV04pcAAoJEDg5KY9j7GZYT2MP/iJr11MEX4AyiouOqODaW9yD
> BnBJeIb+kRInQSs1HW00sX06mwvoXSZRHjBEhwFNiSyangpsrjITeNMEk1BK++Sx
> ZQnEP99FwPOUiJz4gKeZQ/5bqbJpI/MX7UHGj24aqGZEjOfUdso/Tk4dA0QuH7oy
> vjYLJObaNIxERCMey1Aqwe4/Msja6S3WNqO/CGxaMCdGj7kd3VN5H97r06ZnQRTY
> LbruPPeBYqGpcEshu1DuYwdwf2yK0MKEQ/JuKOmRKx/yDVGhKQxVk/MEEKnIQfWx
> hIrYLr2gma4guLCFiKgKrrV5dpE5VVffhCJrkg948QQVDNDNpQiVG3q2SkwM0TEV
> 4CEA6y84V6rcuhBSXjw5QQoaIW/E2zk9T1ItqtRReDRxRt1B9ATR/+3C0fYIgCNn
> cJaxjeUaj/9DCC0gq+vlEoEx4D4L2CBRU53qohyiAersRwLZaMRqHuibDWsDOyJF
> hLSpRHz+AzvXTgl1xBMx2Amiai/QzasEo175LsC3iro2iNVEd0XnCJfZYy3Kso9E
> EGkN/fdv+T+P3E9XIqvLrM2tkdVEiqDvQZ8azPeadC1Bte5g+aeNGjkuzb7aWG41
> /QW6oSEf7Ns8QZww6swKFyIVEFPtw1Cqq7pGE8ay3MXAhPsAVqKL22a+vYcVNTC2
> 5nMt6eS37EXmDUzAkdH8
> =fzqJ
> -----END PGP SIGNATURE-----
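The quoted reply makes the point that with `rightauth=eap-radius` the gateway only relays EAP to the RADIUS server, so the matching `eap-radius` plugin has to be in the `charon.load` list, and the "loading EAP_... method failed" charon log line is the symptom when the method cannot be instantiated. The following is an added example, not code from this thread or from the strongSwan project: a small Python checker that cross-references the EAP auth values in each `conn` of an ipsec.conf against the plugins named on an explicit `load =` line in strongswan.conf, and maps charon log lines of that shape back to the plugin name. The sample inputs are constructed for the demonstration: the `rw-eap` conn is paired with G/W2's `eap-md5` load line purely so the check fires. On the G/W1 configuration posted above `eap-radius` is already in the load line, so this check would pass there and the failure has a cause the thread does not resolve.

```python
"""Cross-check ipsec.conf EAP auth settings against the charon.load plugin
list, and map 'loading EAP_X method failed' charon log lines to plugin names.
Added example; assumptions: strongSwan plugin names equal the ipsec.conf
auth value for eap-* methods (eap-md5, eap-radius, ...), and charon logs
'[IKE] loading EAP_<METHOD> method failed' on instantiation failure."""
import re

# Constructed sample inputs, modelled on (not copied from) the thread's files.
IPSEC_CONF = """\
config setup

conn %default
    keyexchange=ikev2

conn rw-eap
    left=192.168.0.1
    leftauth=pubkey
    rightauth=eap-radius
    auto=add
"""

# Deliberately the client-side load line: eap-md5 present, eap-radius absent.
STRONGSWAN_CONF = """\
charon {
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
}
"""

CHARON_LOG = """\
Aug 19 13:22:36 radSer charon: 14[CFG] selected peer config 'rw-eap'
Aug 19 13:22:36 radSer charon: 14[IKE] loading EAP_RADIUS method failed
Aug 19 13:22:36 radSer charon: 14[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
"""


def parse_conn_auth(ipsec_conf):
    """Return {conn_name: {'leftauth': v, 'rightauth': v}} per conn, skipping %default."""
    conns = {}
    current = None
    for raw in ipsec_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^conn\s+(\S+)$', line)
        if m:
            current = m.group(1)
            if current != '%default':
                conns.setdefault(current, {})
            continue
        if line.startswith('config '):
            current = None          # 'config setup' is not a conn
            continue
        if current and current != '%default' and '=' in line:
            key, _, value = line.partition('=')
            key, value = key.strip(), value.strip()
            if key in ('leftauth', 'rightauth'):
                conns[current][key] = value
    return conns


def parse_loaded_plugins(strongswan_conf):
    """Plugin names on an explicit 'load =' line; empty set if there is none
    (charon then loads every available plugin, so nothing can be checked)."""
    m = re.search(r'^\s*load\s*=\s*(.+)$', strongswan_conf, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def required_plugin(auth_value):
    """eap-<method> needs the plugin of the same name; bare 'eap' (client
    side, method chosen by the server) and pubkey/psk need no EAP plugin."""
    return auth_value if auth_value.startswith('eap-') else None


def check_eap_plugins(ipsec_conf, strongswan_conf):
    """List (conn, key, plugin) for auth settings whose plugin is not loaded."""
    loaded = parse_loaded_plugins(strongswan_conf)
    if not loaded:
        return []
    problems = []
    for conn, auth in parse_conn_auth(ipsec_conf).items():
        for key, value in auth.items():
            plugin = required_plugin(value)
            if plugin and plugin not in loaded:
                problems.append((conn, key, plugin))
    return problems


LOG_RE = re.compile(r'\[IKE\] loading (EAP_[A-Z0-9_]+) method failed')


def failed_eap_methods(log_text):
    """Plugin names implied by 'loading EAP_X method failed' lines (EAP_RADIUS -> eap-radius)."""
    return [m.group(1).lower().replace('_', '-')
            for line in log_text.splitlines()
            for m in [LOG_RE.search(line)] if m]


if __name__ == '__main__':
    for conn, key, plugin in check_eap_plugins(IPSEC_CONF, STRONGSWAN_CONF):
        print(f"conn {conn}: {key} needs plugin '{plugin}', not in charon.load")
    for plugin in failed_eap_methods(CHARON_LOG):
        print(f"charon failed to load the method provided by plugin '{plugin}'")
```

Running it against the constructed inputs reports that `rw-eap` needs `eap-radius` while the load line lacks it, and that the log names the same plugin; pointing the two parsers at real `/etc/ipsec.conf`, `/etc/strongswan.conf` and the charon syslog output gives the same cross-check on a live gateway.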
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users