Issue #3251

Can't connect StrongSwan by EAP-Radius

Added by Muhammad Tufail 8 days ago. Updated 7 days ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.7.2
Resolution: No change required

Description

I've searched the strongSwan issues extensively and this question has already been asked, but I failed to resolve my issue with any of the solutions.
I would like to set up a strongSwan VPN for clients; the client only uses an account and password, authenticated against FreeRADIUS, to connect to my VPN.
When I connect from iOS it says "User Authentication failed".

Here are my config files:

ipsec.conf

config setup
    charondebug="ike 4, knl 2, cfg 2, chd 2, dmn 2, lib 2, net 2"

conn IOS-IPSEC
    keyexchange=ikev2
    compress=no
    leftsendcert=always
    type=tunnel
    forceencaps=yes
    fragmentation=yes
    rekey=no
    aggressive=yes
    auto=route
    #authby=secret
    leftfirewall=yes
    leftcert=/etc/strongswan/ipsec.d/certs/peerCert.der
    left=%any
    leftsubnet=(server ip range)
    leftid=(ServerIP)
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.24.24.0/14
    rightauth=eap-radius
    eap_identity=%identity
    leftsubnet=0.0.0.0/0
    mobike=yes

ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file
 : PSK Abc@123
 : RSA /etc/strongswan/ipsec.d/certs/peerCert.der
PLVPN : EAP Abc@123
john %any : XAUTH "Abc@123"

strongswan.conf

charon {
    plugins {
        ext-auth {
            load = yes
            script = /root/ipsec-server.git/scripts/extauth.sh
        }

        eap-radius {
            accounting = yes

            dae {
                enable = yes      # enable DAE extension
                listen = 0.0.0.0  # listen address, default to all
                port = 8650       # port to listen for requests (strongSwan's default is 3799)
                secret = Abc@123  # shared secret to verify/sign DAE messages
            }
        }
    }

    filelog {
        charon {
            # path to the log file, specify this as section name in versions prior to 5.7.0
            path = /var/log/charon.log
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 2
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
        }
    }
    # and two loggers using syslog
    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}

History

#1 Updated by Muhammad Tufail 8 days ago

Charon.log

Nov  7 09:28:54 09[ENC] <10> generating ENCRYPTED payload finished
Nov  7 09:28:54 09[NET] <10> sending packet: from serverIP[4500] to HostIP[4500] (80 bytes)
Nov  7 09:28:54 09[MGR] <10> checkin and destroy IKE_SA (unnamed)[10]
Nov  7 09:28:54 09[IKE] <10> IKE_SA (unnamed)[10] state change: CONNECTING => DESTROYING
Nov  7 09:28:54 09[MGR] checkin and destroy of IKE_SA successful
Nov  7 09:28:54 08[NET] sending packet: from serverIP[4500] to hostIP[4500]

#2 Updated by Muhammad Tufail 8 days ago

no matching peer config found
Nov  7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_ADDRESS attribute
Nov  7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_DHCP attribute
Nov  7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_DNS attribute
Nov  7 09:28:54 09[IKE] <10> processing INTERNAL_IP4_NETMASK attribute
Nov  7 09:28:54 09[IKE] <10> processing INTERNAL_IP6_ADDRESS attribute
Nov  7 09:28:54 09[IKE] <10> processing INTERNAL_IP6_DHCP attribute
Nov  7 09:28:54 09[IKE] <10> processing INTERNAL_IP6_DNS attribute
Nov  7 09:28:54 09[IKE] <10> processing (25) attribute
Nov  7 09:28:54 09[IKE] <10> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov  7 09:28:54 09[IKE] <10> peer supports MOBIKE
Nov  7 09:28:54 09[ENC] <10> added payload of type NOTIFY to message
Nov  7 09:28:54 09[ENC] <10> order payloads in message
Nov  7 09:28:54 09[ENC] <10> added payload of type NOTIFY to message
Nov  7 09:28:54 09[ENC] <10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov  7 09:28:54 09[ENC] <10> insert payload NOTIFY into encrypted payload
Nov  7 09:28:54 09[ENC] <10> generating payload of type HEADER
Nov  7 09:28:54 09[ENC] <10>   generating rule 0 IKE_SPI
Nov  7 09:28:54 09[ENC] <10>   generating rule 1 IKE_SPI
Nov  7 09:28:54 09[ENC] <10>   generating rule 2 U_INT_8
Nov  7 09:28:54 09[ENC] <10>   generating rule 3 U_INT_4
Nov  7 09:28:54 09[ENC] <10>   generating rule 4 U_INT_4
Nov  7 09:28:54 09[ENC] <10>   generating rule 5 U_INT_8
Nov  7 09:28:54 09[ENC] <10>   generating rule 6 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 7 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 8 FLAG
Nov  7 09:28:54 09[ENC] <10>   generating rule 9 FLAG
Nov  7 09:28:54 09[ENC] <10>   generating rule 10 FLAG
Nov  7 09:28:54 09[ENC] <10>   generating rule 11 FLAG
Nov  7 09:28:54 09[ENC] <10>   generating rule 12 FLAG
Nov  7 09:28:54 09[ENC] <10>   generating rule 13 FLAG
Nov  7 09:28:54 09[ENC] <10>   generating rule 14 U_INT_32
Nov  7 09:28:54 09[ENC] <10>   generating rule 15 HEADER_LENGTH
Nov  7 09:28:54 09[ENC] <10> generating HEADER payload finished
Nov  7 09:28:54 09[ENC] <10> generating payload of type NOTIFY
Nov  7 09:28:54 09[ENC] <10>   generating rule 0 U_INT_8
Nov  7 09:28:54 09[ENC] <10>   generating rule 1 FLAG
Nov  7 09:28:54 09[ENC] <10>   generating rule 2 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 3 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 4 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 5 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 6 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 7 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 8 RESERVED_BIT
Nov  7 09:28:54 09[ENC] <10>   generating rule 9 PAYLOAD_LENGTH
Nov  7 09:28:54 09[ENC] <10>   generating rule 10 U_INT_8
Nov  7 09:28:54 09[ENC] <10>   generating rule 11 SPI_SIZE
Nov  7 09:28:54 09[ENC] <10>   generating rule 12 U_INT_16
Nov  7 09:28:54 09[ENC] <10>   generating rule 13 SPI
Nov  7 09:28:54 09[ENC] <10>   generating rule 14 CHUNK_DATA
Nov  7 09:28:54 09[ENC] <10> generating NOTIFY payload finished
Nov  7 09:28:54 09[ENC] <10> generated content in encrypted payload
Nov  7 09:28:54 09[ENC] <10> generating payload of type ENCRYPTED
Nov  7 09:28:54 09[ENC] <10>   generating rule 0 U_INT_8
Nov  7 09:28:54 09[ENC] <10>   generating rule 1 U_INT_8
Nov  7 09:28:54 09[ENC] <10>   generating rule 2 PAYLOAD_LENGTH
Nov  7 09:28:54 09[ENC] <10>   generating rule 3 CHUNK_DATA
Nov  7 09:28:54 09[ENC] <10> generating ENCRYPTED payload finished
Nov  7 09:28:54 09[NET] <10> sending packet: from ***.**.122.16[4500] to ***.***.168.112[4500] (80 bytes)
Nov  7 09:28:54 09[MGR] <10> checkin and destroy IKE_SA (unnamed)[10]
Nov  7 09:28:54 09[IKE] <10> IKE_SA (unnamed)[10] state change: CONNECTING => DESTROYING
Nov  7 09:28:54 09[MGR] checkin and destroy of IKE_SA successful

#3 Updated by Tobias Brunner 8 days ago

  • Status changed from New to Feedback
no matching peer config found

Please read your logs (there is a message right before that that explains what the issue is).

#4 Updated by Muhammad Tufail 8 days ago

I don't know what causes the error to appear. Could you please tell me the reason? Thanks a lot!

#5 Updated by Muhammad Tufail 8 days ago

The output of strongswan statusall is:

  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp ext-auth led duplicheck unity counters
Virtual IP pools (size/online/offline):
  10.24.24.0/14: 255999/0/0
Listening IP addresses:
  108.62.122.16
Connections:
   IOS-IPSEC:  %any...%any  IKEv2
   IOS-IPSEC:   local:  [C=CH, O=strongSwan, CN=peer] uses public key authentication
   IOS-IPSEC:    cert:  "C=CH, O=strongSwan, CN=peer" 
   IOS-IPSEC:   remote: uses EAP_RADIUS authentication with EAP identity 'PLVPN'
   IOS-IPSEC:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

#6 Updated by Tobias Brunner 8 days ago

I don't know what causes the error to appear. Could you please tell me the reason? Thanks a lot!

How? You cut the most important message concerning this issue from the log (read it yourself first, it might clear things up). Reading this FAQ entry might help too.
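As an added example (not code from this report or from the strongSwan project), a small Python helper that does mechanically what comments #3 and #6 ask for: it parses charon's filelog format as configured above (time_format "%b %e %T", the thread and subsystem tag, and the optional <n> IKE_SA marker seen in the pastes) and, for every "no matching peer config found", returns the CFG-subsystem lines logged earlier for the same IKE_SA, which is where charon states which local and remote addresses and identities it tried to match against the loaded connections. The function names are mine, the sample lines are constructed, and the "looking for peer configs matching ..." wording is assumed to be charon's.

```python
import re
from collections import defaultdict

# One charon filelog line with time_format = "%b %e %T" and ike_name = yes:
#   "Nov  7 09:28:54 09[CFG] <10> message"   (the <10> IKE_SA tag is optional)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)
FAILURE = "no matching peer config found"


def parse_charon_line(line):
    """Split a charon log line into its fields; None for text that is not a log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def explain_failures(lines, context=3):
    """Return (ike_sa, preceding CFG messages of that IKE_SA) for each FAILURE line.
    The last CFG message is the one charon logs right before giving up and names
    the local/remote identities it tried to match against the peer configs."""
    history = defaultdict(list)  # IKE_SA tag -> CFG messages seen so far
    findings = []
    for line in lines:
        rec = parse_charon_line(line)
        if rec is None:
            continue
        sa = rec["sa"] or "-"  # untagged lines are not tied to an IKE_SA
        if rec["msg"] == FAILURE:
            findings.append((sa, history[sa][-context:]))
        elif rec["group"] == "CFG":
            history[sa].append(rec["msg"])
    return findings


# Constructed sample in charon's format; addresses and identities are illustrative.
SAMPLE_LOG = [
    "Nov  7 09:28:54 09[CFG] <10> looking for peer configs matching 203.0.113.16[%any]...198.51.100.112[PLVPN]",
    "Nov  7 09:28:54 09[CFG] <10> no matching peer config found",
    "Nov  7 09:28:54 09[IKE] <10> peer supports MOBIKE",
    "Nov  7 09:28:54 09[ENC] <10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
    "Nov  7 09:28:54 09[MGR] checkin and destroy of IKE_SA successful",
]

if __name__ == "__main__":
    for sa, ctx in explain_failures(SAMPLE_LOG):
        print(f"IKE_SA <{sa}>: {FAILURE}; charon tried:")
        for msg in ctx:
            print("   ", msg)
```

Run it over /var/log/charon.log instead of SAMPLE_LOG (open the file and pass the line iterator) to see the lookup line that the pastes above omit.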

#7 Updated by Tobias Brunner 7 days ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
