Issue #2352
Not able to establish connection using eap-mschapv2
Description
Hi
I am trying to get a setup similar to the ikev2/rw-eap-mschapv2-id-rsa configuration and used the same ipsec configuration.
But I get an error on the gateway machine: "loading EAP_MSCHAPV2 method failed"
Can someone please help me identify the reason? Let me know if any more details are required.
Below are the configuration details and the syslog dump.
Carol files:
------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn home
    left=10.1.1.1
    leftfirewall=yes
    leftauth=eap
    eap_identity=carol
    right=10.1.1.2
    rightauth=pubkey
    rightid=@moon.strongswan.org
    rightsubnet=10.1.3.0/25
    auto=add

# /etc/strongswan.conf - strongSwan configuration file

charon {
    load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown openssl
}

# cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

carol : EAP "Ar3etTnp01qlpOgb"

# ls -rtl /etc/ipsec.d/*
/etc/ipsec.d/private/carolKey.pem
/etc/ipsec.d/certs/carolCert.pem
/etc/ipsec.d/cacerts/strongswanCert.pem
---------------------------------------------------------------------
# cat /etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw-eap
    left=10.1.1.2
    leftsubnet=10.1.3.0/25
    leftid=@moon.strongswan.org
    leftcert=moonCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

# cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem
carol : EAP "Ar3etTnp01qlpOgb"

# cat /etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file

charon {
    load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown openssl
}

# ls -rtl /etc/ipsec.d/*
/etc/ipsec.d/private/moonKey.pem
/etc/ipsec.d/certs/moonCert.pem
/etc/ipsec.d/cacerts/strongswanCert.pem
------------------------------------------------------
Carol syslog dump:
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.4.0-31-generic, x86_64)
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] loaded EAP secret for carol
charon: 00[LIB] loaded plugins: charon random nonce aes des sha1 sha2 pem pkcs1 gmp x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-identity updown openssl
charon: 00[JOB] spawning 16 worker threads
charon: 06[CFG] received stroke: add connection 'home'
charon: 06[CFG] added configuration 'home'
charon: 04[CFG] received stroke: initiate 'home'
charon: 08[IKE] initiating IKE_SA home1 to 10.1.1.2
charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon: 08[NET] sending packet: from 10.1.1.1[500] to 10.1.1.2[500] (1108 bytes)
charon: 09[NET] received packet: from 10.1.1.2[500] to 10.1.1.1[500] (592 bytes)
charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
charon: 09[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
charon: 09[IKE] establishing CHILD_SA home
charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
charon: 09[NET] sending packet: from 10.1.1.1[4500] to 10.1.1.2[4500] (400 bytes)
charon: 10[NET] received packet: from 10.1.1.2[4500] to 10.1.1.1[4500] (1236 bytes)
charon: 10[ENC] parsed IKE_AUTH response 1 [ EF ]
charon: 10[ENC] received fragment #1 of 2, waiting for complete IKE message
charon: 11[NET] received packet: from 10.1.1.2[4500] to 10.1.1.1[4500] (292 bytes)
charon: 11[ENC] parsed IKE_AUTH response 1 [ EF ]
charon: 11[ENC] received fragment #2 of 2, reassembling fragmented IKE message
charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon: 11[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
charon: 11[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
charon: 11[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
charon: 11[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
charon: 11[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
charon: 11[LIB] unable to fetch from http://crl.strongswan.org/strongswan.crl, no capable fetcher found
charon: 11[CFG] crl fetching failed
charon: 11[CFG] certificate status is not available
charon: 11[CFG] reached self-signed root ca with a path length of 0
charon: 11[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
charon: 11[IKE] server requested EAP_IDENTITY (id 0x00), sending 'carol'
charon: 11[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
charon: 11[NET] sending packet: from 10.1.1.1[4500] to 10.1.1.2[4500] (80 bytes)
charon: 12[NET] received packet: from 10.1.1.2[4500] to 10.1.1.1[4500] (80 bytes)
charon: 12[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
charon: 12[IKE] received EAP_FAILURE, EAP authentication failed
charon: 12[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
charon: 12[NET] sending packet: from 10.1.1.1[4500] to 10.1.1.2[4500] (80 bytes)
Moon Gateway Dump:
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.4.0-31-generic, x86_64)
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
charon: 00[CFG] loaded EAP secret for carol
charon: 00[LIB] loaded plugins: charon random nonce aes des sha1 sha2 pem pkcs1 gmp x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-identity updown openssl
charon: 00[JOB] spawning 16 worker threads
charon: 05[CFG] received stroke: add connection 'rw-eap'
charon: 05[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
charon: 05[CFG] added configuration 'rw-eap'
charon: 06[NET] received packet: from 10.1.1.1[500] to 10.1.1.2[500] (1108 bytes)
charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon: 06[IKE] 10.1.1.1 is initiating an IKE_SA
charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
charon: 06[NET] sending packet: from 10.1.1.2[500] to 10.1.1.1[500] (592 bytes)
charon: 07[NET] received packet: from 10.1.1.1[4500] to 10.1.1.2[4500] (400 bytes)
charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
charon: 07[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
charon: 07[CFG] looking for peer configs matching 10.1.1.2[moon.strongswan.org]...10.1.1.1[10.1.1.1]
charon: 07[CFG] selected peer config 'rw-eap'
charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
charon: 07[IKE] peer supports MOBIKE
charon: 07[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
charon: 07[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon: 07[ENC] splitting IKE message with length of 1456 bytes into 2 fragments
charon: 07[ENC] generating IKE_AUTH response 1 [ EF ]
charon: 07[ENC] generating IKE_AUTH response 1 [ EF ]
charon: 07[NET] sending packet: from 10.1.1.2[4500] to 10.1.1.1[4500] (1236 bytes)
charon: 07[NET] sending packet: from 10.1.1.2[4500] to 10.1.1.1[4500] (292 bytes)
charon: 08[NET] received packet: from 10.1.1.1[4500] to 10.1.1.2[4500] (80 bytes)
charon: 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
charon: 08[IKE] received EAP identity 'carol'
charon: 08[IKE] loading EAP_MSCHAPV2 method failed
charon: 08[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
charon: 08[NET] sending packet: from 10.1.1.2[4500] to 10.1.1.1[4500] (80 bytes)
strongSwan Installation:
./configure --prefix=/usr --sysconfdir=/etc --enable-kernel-pfkey --enable-eap-dynamic --enable-eap-aka --enable-eap-sim --enable-eap-peap --enable-gcm --enable-eap-radius --enable-eap-identity --enable-openssl --enable-kernel-libipsec --enable-eap-tls --enable-eap-ttls --enable-eap-tnc
-------------------------------------
Commands used:
On Carol: ipsec start, ipsec up home
On Moon: ipsec start
-------------------------------------
History
#1 Updated by Sudheer Anumolu over 8 years ago
# uname -ar
Linux 5810-ubuntu-118 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
#2 Updated by Noel Kuntze over 8 years ago
- Category set to configuration
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
The eap-mschapv2 plugin is not enabled by default, so it's neither built nor installed if you use the configure arguments that you posted. You need to build it. Why do you want to use kernel-libipsec?
#3 Updated by Sudheer Anumolu over 8 years ago
I configured strongSwan as below, then make & make install:
./configure --prefix=/usr --sysconfdir=/etc --enable-kernel-pfkey --enable-eap-dynamic --enable-eap-aka --enable-eap-sim --enable-eap-peap --enable-gcm --enable-eap-identity --enable-openssl --enable-eap-mschapv2
# cat /etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file

charon {
    load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke eap-identity eap-mschapv2 eap-openssl eap-aka eap-md5
}

libstrongswan {
    dh_exponent_ansi_x9_42 = no
}
But still ipsec statusall doesn't show mschapv2:
# ipsec statusall
loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce kernel-netlink socket-default updown stroke eap-identity eap-aka
Virtual IP pools (size/online/offline):
  10.1.3.12/25: 115/0/0
------------------
But if I replace /etc/strongswan.conf with the below, the setup works:
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
------------------
Could you let me know why, in the first case, mschapv2 is not loading?
Thanks,
Sudheer
#4 Updated by Noel Kuntze over 8 years ago
> But still ipsec statusall doesn't show mschapv2
> # ipsec statusall
> loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce kernel-netlink socket-default updown stroke eap-identity eap-aka
That is because mschapv2 requires an implementation of the MD4 algorithm, which is implemented by the md4 plugin, and you're not loading that.
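The two causes given in this thread (a plugin that was never built because its --enable flag was missing, and a plugin whose dependency is absent from the charon load line) can be checked mechanically before starting the daemon. The script below is an added example, not strongSwan's own tooling and not written by any of the participants: it compares the plugins requested in strongswan.conf with the "loaded plugins:" line from ipsec statusall and explains each miss it can. The dependency table holds only the fact established here (eap-mschapv2 needs md4); the set of off-by-default plugins is an assumption beyond eap-mschapv2 and should be checked against the configure script of the release in use. The sample inputs are the strongswan.conf, statusall output and configure line from comment #3.

```python
import re

# Plugin-to-plugin dependencies. The only entry is the one this thread
# establishes: eap-mschapv2 needs the MD4 hasher that the md4 plugin provides.
# Any further entry is an assumption the reader has to verify.
PLUGIN_DEPS = {
    "eap-mschapv2": ["md4"],
}

# Plugins that configure leaves out unless --enable-<name> is given. The thread
# confirms eap-mschapv2; the other names are assumed from upstream configure
# options and may need adjusting for a given release.
OFF_BY_DEFAULT = {"eap-mschapv2", "eap-md5", "eap-aka", "curl", "openssl"}


def parse_load_line(conf_text):
    """Return the plugin names on the charon 'load = ...' line, in order."""
    m = re.search(r"^\s*load\s*=\s*(.+?)\s*$", conf_text, re.MULTILINE)
    return m.group(1).split() if m else []


def parse_loaded_plugins(status_text):
    """Return the names after 'loaded plugins:' (ipsec statusall or syslog)."""
    m = re.search(r"loaded plugins:\s*(.+?)\s*$", status_text, re.MULTILINE)
    return m.group(1).split() if m else []


def parse_configure_enables(cmdline):
    """Return the set of names passed as --enable-<name> to configure."""
    return set(re.findall(r"--enable-([\w-]+)", cmdline))


def diagnose(load, loaded, enabled):
    """Compare requested plugins with loaded ones and explain each miss.

    Returns (not_loaded, reasons). not_loaded keeps the order of the load
    line; reasons maps each missing plugin to a list of explanations, which
    is empty when neither table above covers it.
    """
    loaded_set = set(loaded)
    requested = set(load)
    not_loaded = [p for p in load if p not in loaded_set]
    reasons = {}
    for p in not_loaded:
        why = []
        missing = [d for d in PLUGIN_DEPS.get(p, []) if d not in requested]
        if missing:
            why.append("missing dependency in load line: " + ", ".join(missing))
        if p in OFF_BY_DEFAULT and p not in enabled:
            why.append("not built: configure lacks --enable-" + p)
        reasons[p] = why
    return not_loaded, reasons


# Sample inputs copied from comment #3 of this thread.
SAMPLE_CONF = """charon {
    load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke eap-identity eap-mschapv2 eap-openssl eap-aka eap-md5
}
"""
SAMPLE_STATUSALL = ("loaded plugins: charon sha1 sha2 md5 aes des hmac pem pkcs1 x509 "
                    "revocation constraints pubkey gmp random nonce kernel-netlink "
                    "socket-default updown stroke eap-identity eap-aka\n")
SAMPLE_CONFIGURE = ("./configure --prefix=/usr --sysconfdir=/etc --enable-kernel-pfkey "
                    "--enable-eap-dynamic --enable-eap-aka --enable-eap-sim "
                    "--enable-eap-peap --enable-gcm --enable-eap-identity "
                    "--enable-openssl --enable-eap-mschapv2")


def run_example():
    """Run the diagnosis on the sample inputs from comment #3."""
    load = parse_load_line(SAMPLE_CONF)
    loaded = parse_loaded_plugins(SAMPLE_STATUSALL)
    enabled = parse_configure_enables(SAMPLE_CONFIGURE)
    return diagnose(load, loaded, enabled)


if __name__ == "__main__":
    not_loaded, reasons = run_example()
    for plugin in not_loaded:
        print(plugin, "->", "; ".join(reasons[plugin]) or "no cause known to the tables above")
```

On the comment #3 inputs this reports eap-mschapv2 as missing its md4 dependency (the answer given above), and curl and eap-md5 as not built because the configure line has no --enable flag for them; eap-openssl is left unexplained, since neither table knows it. Adding md4 to the load line clears the eap-mschapv2 entry.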
#5 Updated by Tobias Brunner over 7 years ago
- Status changed from Feedback to Closed
- Assignee set to Noel Kuntze
- Resolution set to No feedback