
List:       strongswan-users
Subject:    Re: [strongSwan] Strongswan + IKEv2 + eap-radius accounting issue
From:       Konstantin Votinov <votinov () protonmail ! com>
Date:       2018-09-24 8:08:10
Message-ID: INBXset-CuBzsrd9jbB0zGD3vsfKtfjqJHQE8kbvUp-ByGZgFRUdd5PtcNAyVncsQ4Tgdtky7JTNEZGUbmJuqtT-LHn4bCtpWZNJPiyAapU= () protonmail ! com

Hi Nikola,

Thank you for pointing that out - I had just forgotten to set it back to 1813 after trying to debug (yup, I've tried even that :) )

That being said, the problem persists with the correct accounting port (1813) and doesn't seem to be related to it.

Regards,
Konstantin.

------- Original Message -------
On Sunday, September 23, 2018 9:15 PM, Nikola Kolev <nikky@minus273.org> wrote:

> Hi,
> 
> It seems that you have set both auth_port and acct_port to 1812, while acct_port should be udp/1813. Can you please check if changing that fixes the issue?
> Nikola
> 
> September 23, 2018 8:36 AM, "Konstantin Votinov" <votinov@protonmail.com> wrote:
> > Hi all,
> > 
> > I am having issues with eap-radius plugin when "accounting = yes" is set.
> > 
> > I have IPSec and IKEv2 connections set up in Strongswan.
> > 
> > IPSec (conn IKEv1-PSK-XAuth) works correctly whether accounting is set to "no" or "yes".
> > IKEv2 (conn ikev2-mschapv2-apple) doesn't connect with accounting set to "yes", but connects with accounting set to "no".
> > I've tried to increase the timeout, but it didn't work.
> > Below is the log for the IKEv2 connection attempt:
> > 
> > Sep 23 15:21:35 07[NET] received packet: from this.is.my.ip[33584] to this.is.server.ip[500] (304 bytes)
> > Sep 23 15:21:35 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Sep 23 15:21:35 07[IKE] this.is.my.ip is initiating an IKE_SA
> > Sep 23 15:21:35 07[IKE] remote host is behind NAT
> > Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
> > Sep 23 15:21:35 07[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
> > Sep 23 15:21:35 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
> > Sep 23 15:21:35 07[NET] sending packet: from this.is.server.ip[500] to this.is.my.ip[33584] (385 bytes)
> > Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (348 bytes)
> > Sep 23 15:21:35 10[ENC] unknown attribute type (25)
> > Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
> > Sep 23 15:21:35 10[CFG] looking for peer configs matching this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
> > Sep 23 15:21:35 10[CFG] selected peer config 'ikev2-mschapv2-apple'
> > Sep 23 15:21:35 10[IKE] initiating EAP_IDENTITY method (id 0x00)
> > Sep 23 15:21:35 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > Sep 23 15:21:35 10[IKE] peer supports MOBIKE
> > Sep 23 15:21:35 10[IKE] authentication of 'ikev2.mydomain.net' (myself) with RSA signature successful
> > Sep 23 15:21:35 10[IKE] sending end entity cert "C=IL, CN=ikev2.mydomain.net"
> > Sep 23 15:21:35 10[IKE] sending issuer cert "C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA"
> > Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> > Sep 23 15:21:35 10[ENC] splitting IKE message with length of 3660 bytes into 4 fragments
> > Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(1/4) ]
> > Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(2/4) ]
> > Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(3/4) ]
> > Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 1 [ EF(4/4) ]
> > Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
> > Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
> > Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (1248 bytes)
> > Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (112 bytes)
> > Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
> > Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> > Sep 23 15:21:35 14[IKE] received EAP identity 'ligykpif'
> > Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
> > Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
> > Sep 23 15:21:35 14[IKE] initiating EAP_MD5 method (id 0x01)
> > Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> > Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (92 bytes)
> > Sep 23 15:21:35 08[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
> > Sep 23 15:21:35 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> > Sep 23 15:21:35 08[CFG] sending RADIUS Access-Request to server 'radiusServer'
> > Sep 23 15:21:35 08[CFG] received RADIUS Access-Challenge from server 'radiusServer'
> > Sep 23 15:21:35 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> > Sep 23 15:21:35 08[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (108 bytes)
> > Sep 23 15:21:35 14[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (140 bytes)
> > Sep 23 15:21:35 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> > Sep 23 15:21:35 14[CFG] sending RADIUS Access-Request to server 'radiusServer'
> > Sep 23 15:21:35 14[CFG] received RADIUS Access-Challenge from server 'radiusServer'
> > Sep 23 15:21:35 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
> > Sep 23 15:21:35 14[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (124 bytes)
> > Sep 23 15:21:35 10[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
> > Sep 23 15:21:35 10[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
> > Sep 23 15:21:35 10[CFG] sending RADIUS Access-Request to server 'radiusServer'
> > Sep 23 15:21:35 10[CFG] received RADIUS Access-Accept from server 'radiusServer'
> > Sep 23 15:21:35 10[IKE] RADIUS authentication of 'ligykpif' successful
> > Sep 23 15:21:35 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> > Sep 23 15:21:35 10[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
> > Sep 23 15:21:35 10[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
> > Sep 23 15:21:36 15[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (92 bytes)
> > Sep 23 15:21:36 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
> > Sep 23 15:21:36 15[IKE] authentication of '192.168.1.137' with EAP successful
> > Sep 23 15:21:36 15[IKE] authentication of 'ikev2.mydomain.net' (myself) with EAP
> > Sep 23 15:21:36 15[IKE] IKE_SA ikev2-mschapv2-apple[2] established between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
> > Sep 23 15:21:36 15[IKE] peer requested virtual IP %any
> > Sep 23 15:21:36 15[CFG] reassigning offline lease to 'ligykpif'
> > Sep 23 15:21:36 15[IKE] assigning virtual IP 10.0.12.1 to peer 'ligykpif'
> > Sep 23 15:21:36 15[IKE] peer requested virtual IP %any6
> > Sep 23 15:21:36 15[IKE] no virtual IP found for %any6 requested by 'ligykpif'
> > Sep 23 15:21:36 15[IKE] CHILD_SA ikev2-mschapv2-apple{2} established with SPIs c8cc7f31_i 0164b11e_o and TS 0.0.0.0/0 ::/0 === 10.0.12.1/32
> > Sep 23 15:21:36 15[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
> > Sep 23 15:21:38 15[CFG] retransmit 1 of RADIUS Accounting-Request (timeout: 2.8s)
> > Sep 23 15:21:40 15[CFG] retransmit 2 of RADIUS Accounting-Request (timeout: 3.9s)
> > Sep 23 15:21:44 15[CFG] retransmit 3 of RADIUS Accounting-Request (timeout: 5.5s)
> > Sep 23 15:21:46 16[MGR] ignoring request with ID 6, already processing
> > Sep 23 15:21:50 15[CFG] RADIUS Accounting-Request timed out after 4 attempts
> > Sep 23 15:21:50 15[CFG] deleting IKE_SA after RADIUS timeout
> > Sep 23 15:21:50 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> > Sep 23 15:21:50 15[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (284 bytes)
> > Sep 23 15:21:50 13[IKE] deleting IKE_SA ikev2-mschapv2-apple[2] between this.is.server.ip[ikev2.mydomain.net]...this.is.my.ip[192.168.1.137]
> > Sep 23 15:21:50 13[IKE] sending DELETE for IKE_SA ikev2-mschapv2-apple[2]
> > Sep 23 15:21:50 13[ENC] generating INFORMATIONAL request 0 [ D ]
> > Sep 23 15:21:50 13[NET] sending packet: from this.is.server.ip[4500] to this.is.my.ip[33585] (76 bytes)
> > Sep 23 15:21:50 16[NET] received packet: from this.is.my.ip[33585] to this.is.server.ip[4500] (76 bytes)
> > Sep 23 15:21:50 16[ENC] parsed INFORMATIONAL response 0 [ ]
> > Sep 23 15:21:50 16[IKE] IKE_SA deleted
> > Sep 23 15:21:50 16[CFG] sending RADIUS Accounting-Request to server 'radiusServer'
> > 
> > ipsec.conf is as follows:
> > 
> > config setup
> >   uniqueids=no
> >   charondebug="cfg 2, dmn 2, ike 2, net 0"
> > 
> > conn %default
> >   dpdaction=clear
> >   dpddelay=300s
> >   rekey=no
> >   left=%defaultroute
> >   leftfirewall=yes
> >   right=%any
> >   ikelifetime=60m
> >   keylife=20m
> >   rekeymargin=3m
> >   keyingtries=1
> >   auto=add
> > 
> > conn L2TP-IKEv1-PSK
> >   type=transport
> >   keyexchange=ikev1
> >   authby=secret
> >   leftprotoport=udp/l2tp
> >   left=%any
> >   right=%any
> >   rekey=no
> >   forceencaps=yes
> > 
> > conn Non-L2TP
> >   leftsubnet=0.0.0.0/0
> >   rightsubnet=10.0.2.0/24
> >   rightsourceip=10.0.2.0/24
> > 
> > # Cisco IPSec
> > conn IKEv1-PSK-XAuth
> >   also=Non-L2TP
> >   keyexchange=ikev1
> >   leftauth=psk
> >   rightauth=psk
> >   rightauth2=xauth-radius
> > 
> > conn ikev2-mschapv2
> >   ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
> >   esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
> >   keyexchange=ikev2
> >   auto=add
> >   reauth=no
> >   fragmentation=yes
> >   leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
> >   leftsendcert=always
> >   leftsubnet=0.0.0.0/0
> >   eap_identity=%identity
> >   rightsubnet=10.0.12.0/24
> >   rightsourceip=10.0.12.0/24
> >   rightdns=8.8.8.8
> >   rightauth=eap-radius
> > 
> > # Apple clients usually go here
> > conn ikev2-mschapv2-apple
> >   ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
> >   esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
> >   keyexchange=ikev2
> >   auto=add
> >   reauth=no
> >   fragmentation=yes
> >   leftcert=ius.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
> >   leftsendcert=always
> >   leftsubnet=0.0.0.0/0,::/0
> >   eap_identity=%identity
> >   rightsubnet=10.0.12.0/24
> >   rightsourceip=10.0.12.0/24
> >   rightdns=8.8.8.8
> >   rightauth=eap-radius
> >   leftid=ikev2.mydomain.net
> > 
> > strongswan.conf is below:
> > 
> > charon {
> >     use_ipv6 = no
> >     load_modular = yes
> >     send_vendor_id = yes
> >     filelog {
> >         /var/log/strongswan.charon.log {
> >             time_format = %b %e %T
> >             default = 1
> >             append = no
> >             flush_line = yes
> >         }
> >     }
> > 
> >     plugins {
> >         eap-radius {
> >             station_id_with_port = no
> >             accounting = yes
> >             servers {
> >                 radiusServer {
> >                     # option name corrected from "nas_identifer"; the misspelt key would be ignored
> >                     nas_identifier = this.is.server.ip
> >                     secret = radiuspassword
> >                     address = radius.server.ip
> >                     auth_port = 1812 # default
> >                     acct_port = 1812 # default
> >                 }
> >             }
> >         }
> >         include strongswan.d/charon/*.conf
> >         attr {
> >             dns = 8.8.8.8, 8.8.4.4
> >         }
> >     }
> > }
> > include strongswan.d/*.conf
> > 
> > I am really out of ideas on what can cause the issue.
> > Maybe someone had a similar problem?
> > Any help will be appreciated!
> > 
> > Thanks in advance!
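Added as a diagnostic aid for this thread, not code from strongSwan or from either poster: a minimal RADIUS accounting client that sends one Accounting-Request (Acct-Status-Type=Start) to the acct_port and validates the Accounting-Response authenticator, so the accounting path can be exercised without charon in the loop. A "timeout" result means the server is unreachable, filtered, or silently discarding the packet (a server that cannot validate the Request Authenticator, for example because the shared secret differs, does not reply), which is exactly what charon reports as the retransmit/timeout sequence in the log above. The server address, secret, user and NAS identifier are placeholders mirroring the redacted config; the session id and packet identifier are constructed.

```python
import hashlib
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_start(secret, identifier, user, nas_id, session_id):
    """Accounting-Request with Acct-Status-Type=Start.

    Request Authenticator (RFC 2866 section 3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    A server whose secret differs cannot validate this and discards the
    packet without replying, which the client only sees as a timeout.
    """
    attrs = (_avp(ATTR_USER_NAME, user.encode())
             + _avp(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
             + _avp(ATTR_ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(secret, request):
    """The check a RADIUS server performs before it answers an Accounting-Request."""
    attrs = request[20:]
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + attrs + secret).digest()
    return len(request) >= 20 and request[0] == ACCOUNTING_REQUEST and expected == request[4:20]


def make_accounting_response(secret, request, attrs=b""):
    """The Accounting-Response a server sends; used here to exercise the client offline."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_response(secret, request, response):
    """Accept a response only if its identifier and authenticator bind it to our request."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def probe_accounting(server, secret, user, nas_id, port=1813, timeout=3.0):
    """Send one Accounting-Start and report 'ok', 'timeout' or 'bad-response'."""
    request = build_accounting_start(secret, os.urandom(1)[0], user, nas_id, os.urandom(8).hex())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return "ok" if verify_accounting_response(secret, request, response) else "bad-response"


if __name__ == "__main__":
    # Placeholder values: substitute the address, secret and NAS identifier from strongswan.conf.
    print(probe_accounting("radius.server.ip", b"radiuspassword", "ligykpif", "this.is.server.ip"))
```

Run it from the strongSwan host itself so that any firewall rule between the NAS and the server is part of the test, and compare a run against port 1812 with one against 1813.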

