Issue #3251
Can't connect StrongSwan by EAP-Radius
Description
I've checked the strongSwan issues extensively and this question has already been asked, but I failed to use any of the solutions to resolve my issue.
I would like to create a strongSwan VPN for clients; a client uses just an account name and password, authenticated by FreeRADIUS, to connect to my VPN.
When I connect from iOS it says "User Authentication failed".
Here are my config files:
ipsec.conf

config setup
    charondebug="ike 4, knl 2, cfg 2, chd 2, dmn 2, lib 2, net 2"

conn IOS-IPSEC
    keyexchange=ikev2
    compress=no
    leftsendcert=always
    type=tunnel
    forceencaps=yes
    fragmentation=yes
    rekey=no
    aggressive=yes
    auto=route
    #authby=secret
    leftfirewall=yes
    leftcert=/etc/strongswan/ipsec.d/certs/peerCert.der
    left=%any
    leftsubnet=(server ip range)
    leftid=(ServerIP)
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.24.24.0/14
    rightauth=eap-radius
    eap_identity=%identity
    leftsubnet=0.0.0.0/0
    mobike=yes
ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

: PSK Abc@123
: RSA /etc/strongswan/ipsec.d/certs/peerCert.der
PLVPN : EAP Abc@123
john %any : XAUTH "Abc@123"
strongswan.conf
charon {
    plugins {
        ext-auth {
            load = yes
            script = /root/ipsec-server.git/scripts/extauth.sh
        }
        eap-radius {
            accounting = yes
            dae {
                enable = yes        # enable DAE extension
                listen = 0.0.0.0    # listen address, default to all
                port = 8650         # port to listen for requests, default
                secret = Abc@123    # shared secret to verify/sign DAE messages
            }
        }
    }
    filelog {
        charon {
            # path to the log file, specify this as section name in versions prior to 5.7.0
            path = /var/log/charon.log
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 2
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
        }
    }
    # and two loggers using syslog
    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
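A configuration like the ipsec.conf above is easy to misread by eye once it has been pasted flat, so here is a small checker, added as an example that is not part of this issue or of strongSwan itself. It parses ipsec.conf into its sections (keeping repeated assignments visible rather than collapsing them), then flags keys assigned more than once inside a conn, IKEv1-only options such as aggressive combined with keyexchange=ikev2, and an EAP rightauth with no eap_identity. The sample configuration is constructed from the one posted above with placeholder addresses; the section and key syntax it assumes is the standard ipsec.conf layout (section headers at column 0, indented key=value lines).

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample modelled on the ipsec.conf posted above; the addresses
# are documentation placeholders, not the reporter's values.
SAMPLE_CONF = """\
config setup
    charondebug="ike 4, knl 2, cfg 2"

conn IOS-IPSEC
    keyexchange=ikev2
    aggressive=yes
    auto=route
    #authby=secret
    leftcert=/etc/strongswan/ipsec.d/certs/peerCert.der
    left=%any
    leftsubnet=192.0.2.0/24
    leftid=192.0.2.1
    right=%any
    rightid=%any
    rightsourceip=10.24.24.0/14
    rightauth=eap-radius
    eap_identity=%identity
    leftsubnet=0.0.0.0/0
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")   # "conn NAME" at column 0
KV_RE = re.compile(r"^\s+([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")  # indented key=value

Entries = List[Tuple[str, str]]


def parse_ipsec_conf(text: str) -> Dict[str, Entries]:
    """Parse ipsec.conf into {"conn NAME": [(key, value), ...]}, keeping order
    and repeats so duplicate assignments remain visible."""
    sections: Dict[str, Entries] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        m = SECTION_RE.match(raw)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections.setdefault(current, [])
            continue
        m = KV_RE.match(raw)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def check_conn(entries: Entries) -> List[str]:
    """Return human-readable findings for one conn section."""
    findings = []
    counts = Counter(k for k, _ in entries)
    for key, n in counts.items():
        if n > 1:
            values = ", ".join(v for k, v in entries if k == key)
            findings.append(f"{key} assigned {n} times ({values}); only one value can take effect")
    opts = dict(entries)  # last assignment wins here, which is exactly the ambiguity flagged above
    if opts.get("keyexchange", "").startswith("ikev2") and opts.get("aggressive") == "yes":
        findings.append("aggressive=yes only applies to IKEv1 and does nothing with keyexchange=ikev2")
    if opts.get("rightauth", "").startswith("eap") and "eap_identity" not in opts:
        findings.append("rightauth=eap-* without eap_identity: the IKE identity doubles as the EAP identity")
    return findings


def check_ipsec_conf(text: str) -> Dict[str, List[str]]:
    """Run check_conn over every conn section; sections without findings are omitted."""
    result = {}
    for name, entries in parse_ipsec_conf(text).items():
        if name.startswith("conn "):
            findings = check_conn(entries)
            if findings:
                result[name] = findings
    return result


if __name__ == "__main__":
    for section, findings in check_ipsec_conf(SAMPLE_CONF).items():
        for finding in findings:
            print(f"{section}: {finding}")
```

Run against the sample it reports the doubled leftsubnet and the stray aggressive=yes; which of two conflicting values the daemon ends up using is not something the checker guesses, it only makes the admin decide.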
History
#1 Updated by Muhammad Tufail about 1 year ago
charon.log
Nov 7 09:28:54 09[ENC] <10> generating ENCRYPTED payload finished
Nov 7 09:28:54 09[NET] <10> sending packet: from serverIP[4500] to HostIP[4500] (80 bytes)
Nov 7 09:28:54 09[MGR] <10> checkin and destroy IKE_SA (unnamed)[10]
Nov 7 09:28:54 09[IKE] <10> IKE_SA (unnamed)[10] state change: CONNECTING => DESTROYING
Nov 7 09:28:54 09[MGR] checkin and destroy of IKE_SA successful
Nov 7 09:28:54 08[NET] sending packet: from serverIP[4500] to hostIP[4500]
#2 Updated by Muhammad Tufail about 1 year ago
no matching peer config found
Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_ADDRESS attribute
Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_DHCP attribute
Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_DNS attribute
Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_NETMASK attribute
Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP6_ADDRESS attribute
Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP6_DHCP attribute
Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP6_DNS attribute
Nov 7 09:28:54 09[IKE] <10> processing (25) attribute
Nov 7 09:28:54 09[IKE] <10> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 7 09:28:54 09[IKE] <10> peer supports MOBIKE
Nov 7 09:28:54 09[ENC] <10> added payload of type NOTIFY to message
Nov 7 09:28:54 09[ENC] <10> order payloads in message
Nov 7 09:28:54 09[ENC] <10> added payload of type NOTIFY to message
Nov 7 09:28:54 09[ENC] <10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 7 09:28:54 09[ENC] <10> insert payload NOTIFY into encrypted payload
Nov 7 09:28:54 09[ENC] <10> generating payload of type HEADER
Nov 7 09:28:54 09[ENC] <10> generating rule 0 IKE_SPI
Nov 7 09:28:54 09[ENC] <10> generating rule 1 IKE_SPI
Nov 7 09:28:54 09[ENC] <10> generating rule 2 U_INT_8
Nov 7 09:28:54 09[ENC] <10> generating rule 3 U_INT_4
Nov 7 09:28:54 09[ENC] <10> generating rule 4 U_INT_4
Nov 7 09:28:54 09[ENC] <10> generating rule 5 U_INT_8
Nov 7 09:28:54 09[ENC] <10> generating rule 6 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 7 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 8 FLAG
Nov 7 09:28:54 09[ENC] <10> generating rule 9 FLAG
Nov 7 09:28:54 09[ENC] <10> generating rule 10 FLAG
Nov 7 09:28:54 09[ENC] <10> generating rule 11 FLAG
Nov 7 09:28:54 09[ENC] <10> generating rule 12 FLAG
Nov 7 09:28:54 09[ENC] <10> generating rule 13 FLAG
Nov 7 09:28:54 09[ENC] <10> generating rule 14 U_INT_32
Nov 7 09:28:54 09[ENC] <10> generating rule 15 HEADER_LENGTH
Nov 7 09:28:54 09[ENC] <10> generating HEADER payload finished
Nov 7 09:28:54 09[ENC] <10> generating payload of type NOTIFY
Nov 7 09:28:54 09[ENC] <10> generating rule 0 U_INT_8
Nov 7 09:28:54 09[ENC] <10> generating rule 1 FLAG
Nov 7 09:28:54 09[ENC] <10> generating rule 2 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 3 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 4 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 5 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 6 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 7 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 8 RESERVED_BIT
Nov 7 09:28:54 09[ENC] <10> generating rule 9 PAYLOAD_LENGTH
Nov 7 09:28:54 09[ENC] <10> generating rule 10 U_INT_8
Nov 7 09:28:54 09[ENC] <10> generating rule 11 SPI_SIZE
Nov 7 09:28:54 09[ENC] <10> generating rule 12 U_INT_16
Nov 7 09:28:54 09[ENC] <10> generating rule 13 SPI
Nov 7 09:28:54 09[ENC] <10> generating rule 14 CHUNK_DATA
Nov 7 09:28:54 09[ENC] <10> generating NOTIFY payload finished
Nov 7 09:28:54 09[ENC] <10> generated content in encrypted payload
Nov 7 09:28:54 09[ENC] <10> generating payload of type ENCRYPTED
Nov 7 09:28:54 09[ENC] <10> generating rule 0 U_INT_8
Nov 7 09:28:54 09[ENC] <10> generating rule 1 U_INT_8
Nov 7 09:28:54 09[ENC] <10> generating rule 2 PAYLOAD_LENGTH
Nov 7 09:28:54 09[ENC] <10> generating rule 3 CHUNK_DATA
Nov 7 09:28:54 09[ENC] <10> generating ENCRYPTED payload finished
Nov 7 09:28:54 09[NET] <10> sending packet: from ***.**.122.16[4500] to ***.***.168.112[4500] (80 bytes)
Nov 7 09:28:54 09[MGR] <10> checkin and destroy IKE_SA (unnamed)[10]
Nov 7 09:28:54 09[IKE] <10> IKE_SA (unnamed)[10] state change: CONNECTING => DESTROYING
Nov 7 09:28:54 09[MGR] checkin and destroy of IKE_SA successful
#3 Updated by Tobias Brunner about 1 year ago
- Status changed from New to Feedback
no matching peer config found
Please read your logs (there is a message right before that that explains what the issue is).
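The advice above, to look at the message immediately before "no matching peer config found", is easy to follow by hand on a short log but tedious once charon runs at the debug levels configured here and the paste has lost its line breaks. The script below is an added example, not part of this issue or of strongSwan: it re-splits a charon log on the timestamp/thread prefix, tags each record with its IKE_SA number (the <10> in the lines above), and returns the records that precede a marker within the same IKE_SA, so messages from other concurrent negotiations are filtered out. The sample log is constructed; its "looking for peer configs matching" record is a stand-in with placeholder addresses and identity, not the line the reporter cut from their paste.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: charon records pasted into a web form run together on one
# line, like the logs in this issue. The first record is a made-up stand-in for the
# message that precedes the failure; addresses and the client identity are
# placeholders, not values from this issue.
SAMPLE_LOG = (
    "Nov 7 09:28:54 09[CFG] <10> looking for peer configs matching "
    "203.0.113.10[203.0.113.10]...198.51.100.7[PLACEHOLDER-CLIENT-ID] "
    "Nov 7 09:28:54 09[CFG] <10> no matching peer config found "
    "Nov 7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_ADDRESS attribute "
    "Nov 7 09:28:54 09[ENC] <10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] "
    "Nov 7 09:28:54 09[IKE] <10> IKE_SA (unnamed)[10] state change: CONNECTING => DESTROYING "
    "Nov 7 09:28:54 09[MGR] checkin and destroy of IKE_SA successful"
)

# A record starts with the syslog-style timestamp (time_format = %b %e %T) followed by
# "<thread>[<subsystem>]" and an optional "<IKE_SA number>".
_TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d"
RECORD_START = re.compile(rf"(?={_TS} \d+\[)")
RECORD_RE = re.compile(
    rf"^(?P<ts>{_TS}) (?P<thread>\d+)\[(?P<group>[A-Z]+)\](?: <(?P<sa>\d+)>)? (?P<msg>.*)$",
    re.S,
)


def parse_charon_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Split a charon log (one record per line, or run together) into records."""
    records = []
    for chunk in RECORD_START.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = RECORD_RE.match(chunk)
        if not m:
            raise ValueError(f"unrecognised record: {chunk!r}")
        records.append(m.groupdict())  # "sa" is None for records without <N>
    return records


def context_before(records: List[Dict[str, Optional[str]]], marker: str,
                   n: int = 3, same_sa: bool = True) -> List[Dict[str, Optional[str]]]:
    """Up to n records preceding the first record whose message contains marker.

    With same_sa=True only records tagged with the same IKE_SA number are
    considered, so interleaved output from other negotiations is ignored.
    """
    for i, rec in enumerate(records):
        if marker in rec["msg"]:
            prior = records[:i]
            if same_sa and rec["sa"] is not None:
                prior = [r for r in prior if r["sa"] == rec["sa"]]
            return prior[-n:]
    return []


def explain_failure(text: str, marker: str = "no matching peer config found") -> List[str]:
    """Messages leading up to the marker, oldest first."""
    return [r["msg"] for r in context_before(parse_charon_log(text), marker)]


if __name__ == "__main__":
    for line in explain_failure(SAMPLE_LOG):
        print(line)
```

The same parser works on a file read with open(...).read(), whether the records are newline-separated or pasted flat, and the marker can be swapped for any other string charon emits (for example "AUTH_FAILED") to pull out the context of a different failure.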
#4 Updated by Muhammad Tufail about 1 year ago
I don't know what causes the error to appear. Could you please tell me the reason? Thanks a lot!
#5 Updated by Muhammad Tufail about 1 year ago
The output of strongswan statusall is:
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp ext-auth led duplicheck unity counters
Virtual IP pools (size/online/offline):
  10.24.24.0/14: 255999/0/0
Listening IP addresses:
  108.62.122.16
Connections:
   IOS-IPSEC:  %any...%any  IKEv2
   IOS-IPSEC:   local:  [C=CH, O=strongSwan, CN=peer] uses public key authentication
   IOS-IPSEC:    cert:  "C=CH, O=strongSwan, CN=peer"
   IOS-IPSEC:   remote: uses EAP_RADIUS authentication with EAP identity 'PLVPN'
   IOS-IPSEC:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none
#6 Updated by Tobias Brunner about 1 year ago
I don't know what causes the error to appear. Could you please tell me the reason? Thanks a lot!
How? You cut the most important message concerning this issue from the log (read it yourself first, it might clear things up). Reading this FAQ entry might help too.
#7 Updated by Tobias Brunner about 1 year ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required