Issue #2054

StrongSwan client Linux Mint

Added by Vitaliy Girenko about 9 years ago. Updated about 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.5.0
Resolution: No change required

Description

Hi
I'm trying to set up the strongSwan plugin in Linux Mint.
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
But after installing the plugin, I cannot find it in NM.


Related issues

Is duplicate of Issue #797: NetworkManager-swansong 1.3.1 no longer compiles (Closed, 23.12.2014)

History

#1 Updated by Vitaliy Girenko about 9 years ago

I use Linux Mint 18 Cinnamon.
When I'm trying to make:

build the NetworkManager strongSwan plugin
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib/NetworkManager --with-charon=/usr/lib/ipsec/charon-nm
make

main.c:43:2: error: ‘gnome_keyring_find_network_password_sync’ is deprecated: Use 'SECRET_SCHEMA_COMPAT_NETWORK' instead [-Werror=deprecated-declarations]
  if (gnome_keyring_find_network_password_sync(g_get_user_name(), NULL, name,
  ^
In file included from main.c:25:0:
/usr/include/gnome-keyring-1/gnome-keyring.h:551:20: note: declared here
 GnomeKeyringResult gnome_keyring_find_network_password_sync (const char        
                    ^
main.c:59:2: error: ‘gnome_keyring_network_password_list_free’ is deprecated [-Werror=deprecated-declarations]
  gnome_keyring_network_password_list_free(list);
  ^
In file included from main.c:25:0:
/usr/include/gnome-keyring-1/gnome-keyring.h:537:6: note: declared here
 void gnome_keyring_network_password_list_free (GList *list);
      ^
main.c: In function ‘main’:
main.c:207:6: error: ‘gnome_keyring_set_network_password_sync’ is deprecated: Use 'SECRET_SCHEMA_COMPAT_NETWORK' instead [-Werror=deprecated-declarations]
      if (gnome_keyring_set_network_password_sync(keyring,
      ^
In file included from main.c:25:0:
/usr/include/gnome-keyring-1/gnome-keyring.h:573:20: note: declared here
 GnomeKeyringResult gnome_keyring_set_network_password_sync  (const char        
                    ^
cc1: all warnings being treated as errors
Makefile:368: recipe for target 'nm_strongswan_auth_dialog-main.o' failed
make[2]: *** [nm_strongswan_auth_dialog-main.o] Error 1
make[2]: Leaving directory '/home/vitaliy/NetworkManager-strongswan-1.3.0/auth-dialog'
Makefile:413: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/vitaliy/NetworkManager-strongswan-1.3.0'
Makefile:302: recipe for target 'all' failed
make: *** [all] Error 2

#2 Updated by Tobias Brunner about 9 years ago

  • Is duplicate of Issue #797: NetworkManager-swansong 1.3.1 no longer compiles added

#3 Updated by Vitaliy Girenko about 9 years ago

OK, now I have set up NetworkManager with the strongSwan plugin.

But I cannot authenticate against RADIUS.
Clients on Android and Windows connect successfully.
RADIUS says:
The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

My ipsec.conf:

config setup

conn %default
        ikelifetime = 60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        rightdns=10.27.227.10,10.27.227.5
        rightsourceip=10.20.30.2/24
        rekey=no
        leftsubnet=10.27.227.17/32,10.27.227.5/32,10.27.227.10
        leftcert=HostCert.der
        right=%any
        left=%any
        dpdaction = clear
        dpddelay = 30s
        dpdtimeout= 300s
        inactivity = 60m
#        leftsendcert=always
conn rw-eap

#        leftid=%any
        leftauth=pubkey
        leftfirewall=yes
        rightauth=eap-radius
        leftauth=pubkey
#       rightsubnet=10.20.30.2/24
        eap_identity=%any
        rightsendcert=never
        auto=add
        esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
        ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096
#         rightsendcert=ifasked

My logs:

Jul 14 11:49:37 L-VPN-02 strongswan: 06[IKE] sending keep alive to 46.211.136.229[55415]
Jul 14 11:49:37 L-VPN-02 strongswan: 08[IKE] sending DPD request
Jul 14 11:49:37 L-VPN-02 strongswan: 08[ENC] generating INFORMATIONAL request 35 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 14 11:49:37 L-VPN-02 strongswan: 08[NET] sending packet: from 10.27.230.12[4500] to 46.211.136.229[55415] (124 bytes)
Jul 14 11:50:01 L-VPN-02 charon: 13[IKE] sending keep alive to 46.211.136.229[55415]
Jul 14 11:50:06 L-VPN-02 charon: 08[IKE] sending DPD request
Jul 14 11:50:06 L-VPN-02 charon: 08[ENC] generating INFORMATIONAL request 36 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 14 11:50:06 L-VPN-02 charon: 08[NET] sending packet: from 10.27.230.12[4500] to 46.211.136.229[55415] (124 bytes)
Jul 14 11:50:10 L-VPN-02 charon: 12[NET] received packet: from 46.211.136.229[55415] to 10.27.230.12[4500] (124 bytes)
Jul 14 11:50:10 L-VPN-02 charon: 12[ENC] parsed INFORMATIONAL response 36 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 14 11:50:26 L-VPN-02 charon: 13[NET] received packet: from 46.211.136.229[55331] to 10.27.230.12[500] (1000 bytes)
Jul 14 11:50:26 L-VPN-02 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 14 11:50:26 L-VPN-02 charon: 13[IKE] 46.211.136.229 is initiating an IKE_SA
Jul 14 11:50:26 L-VPN-02 charon: 13[IKE] local host is behind NAT, sending keep alives
Jul 14 11:50:26 L-VPN-02 charon: 13[IKE] remote host is behind NAT
Jul 14 11:50:26 L-VPN-02 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 14 11:50:26 L-VPN-02 charon: 13[NET] sending packet: from 10.27.230.12[500] to 46.211.136.229[55331] (312 bytes)
Jul 14 11:50:26 L-VPN-02 charon: 09[NET] received packet: from 46.211.136.229[55248] to 10.27.230.12[4500] (316 bytes)
Jul 14 11:50:26 L-VPN-02 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] received cert request for "C=NL, O=Example Company, CN=strongSwan Root CA" 
Jul 14 11:50:26 L-VPN-02 charon: 09[CFG] looking for peer configs matching 10.27.230.12[%any]...46.211.136.229[vgadmin]
Jul 14 11:50:26 L-VPN-02 charon: 09[CFG] selected peer config 'rw-eap'
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] peer supports MOBIKE
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] authentication of 'C=NL, O=Example Company, CN=185.9.41.116' (myself) with RSA signature successful
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] sending end entity cert "C=NL, O=Example Company, CN=185.9.41.116" 
Jul 14 11:50:26 L-VPN-02 charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 14 11:50:26 L-VPN-02 charon: 09[NET] sending packet: from 10.27.230.12[4500] to 46.211.136.229[55248] (876 bytes)
Jul 14 11:50:26 L-VPN-02 charon: 09[NET] received packet: from 46.211.136.229[55248] to 10.27.230.12[4500] (92 bytes)
Jul 14 11:50:26 L-VPN-02 charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] received EAP identity 'vgadmin'
Jul 14 11:50:26 L-VPN-02 charon: 09[CFG] sending RADIUS Access-Request to server '10.27.227.5'
Jul 14 11:50:26 L-VPN-02 charon: 09[CFG] received RADIUS Access-Reject from server '10.27.227.5'
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] RADIUS authentication of 'vgadmin' failed
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] initiating EAP_RADIUS method failed
Jul 14 11:50:26 L-VPN-02 charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Jul 14 11:50:26 L-VPN-02 charon: 09[NET] sending packet: from 10.27.230.12[4500] to 46.211.136.229[55248] (76 bytes)
Jul 14 11:50:31 L-VPN-02 charon: 14[IKE] sending keep alive to 46.211.136.229[55415]

I see that the EAP Type is null...

Network Policy Server denied access to a user.

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: StrongSwan
Authentication Provider: Windows
Authentication Server: L-DC-01.axa-life.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

#4 Updated by Vitaliy Girenko about 9 years ago

Hi.

I have successfully connected from the Linux Mint client.
I have installed the EAP-MSCHAPv2 plugin on the client machine.

#5 Updated by Tobias Brunner about 9 years ago

  • Category set to configuration
  • Status changed from New to Closed
  • Resolution set to No change required
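
Added example, not part of the thread and not strongSwan code: a small parser for charon lines like those in comment #3 that reports whether a RADIUS Access-Reject arrived before or after any Access-Challenge. In the posted log it arrives before one, which lines up with the NPS event listing EAP Type "-". Assumptions: the 'alice' session and its Access-Challenge line are constructed, and exchanges are taken not to be interleaved in the log.

```python
import re

# Constructed sample: the 'vgadmin' lines are copied from comment #3; the 'alice'
# session, including its Access-Challenge line, is constructed for contrast.
SAMPLE_LOG = """\
Jul 14 11:50:26 L-VPN-02 charon: 09[IKE] received EAP identity 'vgadmin'
Jul 14 11:50:26 L-VPN-02 charon: 09[CFG] sending RADIUS Access-Request to server '10.27.227.5'
Jul 14 11:50:26 L-VPN-02 charon: 09[CFG] received RADIUS Access-Reject from server '10.27.227.5'
Jul 14 11:51:02 L-VPN-02 charon: 11[IKE] received EAP identity 'alice'
Jul 14 11:51:02 L-VPN-02 charon: 11[CFG] sending RADIUS Access-Request to server '10.27.227.5'
Jul 14 11:51:02 L-VPN-02 charon: 11[CFG] received RADIUS Access-Challenge from server '10.27.227.5'
Jul 14 11:51:02 L-VPN-02 charon: 11[CFG] sending RADIUS Access-Request to server '10.27.227.5'
Jul 14 11:51:02 L-VPN-02 charon: 11[CFG] received RADIUS Access-Reject from server '10.27.227.5'
"""

LINE = re.compile(r"(?:charon|strongswan): \d+\[(?:IKE|CFG)\] (.*)$")
IDENT = re.compile(r"received EAP identity '([^']*)'")
RADIUS = re.compile(r"received RADIUS (Access-\w+) from server '([^']*)'")

def verdict(replies):
    """Classify an exchange by the RADIUS replies charon logged for it."""
    if not replies:
        return "no-radius-reply"
    if replies[-1] == "Access-Accept":
        return "accepted"
    if replies[-1] != "Access-Reject":
        return "incomplete"
    if "Access-Challenge" in replies:
        return "rejected-after-challenge"
    return "rejected-before-challenge"

def classify_eap_radius(log_text):
    """One dict per EAP identity; assumes exchanges are not interleaved."""
    exchanges, current = [], None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        if (i := IDENT.match(m.group(1))):
            # A new EAP identity starts a new exchange record.
            current = {"identity": i.group(1), "server": None, "replies": []}
            exchanges.append(current)
        elif current and (r := RADIUS.match(m.group(1))):
            current["server"] = r.group(2)
            current["replies"].append(r.group(1))
    return [dict(ex, verdict=verdict(ex["replies"])) for ex in exchanges]

if __name__ == "__main__":
    print([(e["identity"], e["verdict"]) for e in classify_eap_radius(SAMPLE_LOG)])
```

A "rejected-before-challenge" result points at the RADIUS server's policy and EAP type settings rather than at the user's password, since no EAP method was exchanged at all.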