Issue #3261

strongSwan VPN not connecting on iOS

Added by Muhammad Tufail 8 months ago. Updated 8 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.7.2
Resolution:

Description

Hello,
I set up strongSwan on the server to use a VPN connection. I connect to the VPN using PSK (Pre-Shared Key) and it's working fine.
Now I set up and enabled eap-radius on the server and I am connecting using username and password, and it's saying Authentication Failed.
Can you please let me know how to generate the username and password, because I am using eap-radius to authenticate the user on the server side and check whether this is a valid user or not.
I read multiple strongSwan issues; they are all talking about certificates, but I don't want to install a certificate on the client side, I want to connect using username and password.

Here are some details of my config files:

ipsec.conf

config setup
    charondebug="ike 4, knl 2, cfg 3, chd 2, dmn 2, lib 2, net 2" 

conn IOS-IPSEC
    keyexchange=ikev2
    rekey=no
    compress=no
    type=tunnel
    reauth=no
    aggressive=no
    fragmentation=yes
    auto=add
    leftfirewall=yes   
    leftauth=pubkey
    leftsendcert=always  
    leftcert=server-cert.pem
    left=%any
    leftid=108.62.122.16
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.24.24.0/24
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity

ipsec.secret

# ipsec.secrets - strongSwan IPsec secrets file
 : PSK abc123
 : RSA "server-key.pem" 
PLVPN : EAP "abc123" 

I am using this username and password (PLVPN, abc123) but it's not working; I am facing the same error.
I am getting this error in the charon log:

charon.log

parsing HEADER payload finished
Nov  8 13:19:09 01[ENC] parsed a IKE_AUTH request header
Nov  8 13:19:09 01[NET] waiting for data on sockets
Nov  8 13:19:09 07[MGR] checkout IKEv2 SA by message with SPIs 310f0069eaf6aa86_i db63e7560b2eb78a_r
Nov  8 13:19:09 07[MGR] IKE_SA (unnamed)[1] successfully checked out
Nov  8 13:19:09 07[NET] <1> received packet: from 182.185.148.8[4500] to 108.62.122.16[4500] (496 bytes)
Nov  8 13:19:09 07[ENC] <1> parsing body of message, first payload is ENCRYPTED
Nov  8 13:19:09 07[ENC] <1> starting parsing a ENCRYPTED payload
Nov  8 13:19:09 07[ENC] <1> parsing ENCRYPTED payload, 468 bytes left

Related issues

Related to Issue #3256: Ios strong swan authentication failed checkout IKEv2 SA by message with SPIs (Feedback)

History

#1 Updated by Tobias Brunner 8 months ago

  • Category set to configuration
  • Status changed from New to Feedback

> Now I set up and enabled eap-radius on the server and I am connecting using username and password, and it's saying Authentication Failed.

Your log excerpt does not show anything like that. Also, if you authenticate against RADIUS, you obviously have to check the log there too if the authentication fails.

> Can you please let me know how to generate the username and password, because I am using eap-radius to authenticate the user on the server side and check whether this is a valid user or not.

Refer to your RADIUS server documentation, there are usually different methods to provide such data (e.g. text files, databases or even remote via LDAP). There are some test scenarios that use FreeRADIUS for this (see IKEv2Examples).

> but I don't want to install a certificate on the client side, I want to connect using username and password.

As explained before (#3256-9), you will have to install the CA certificate if you don't use a server certificate issued by a CA the client already trusts.

> I am using this username and password (PLVPN, abc123) but it's not working; I am facing the same error.

As explained before (#3256-7), this is useless if you use RADIUS.
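
Added example, not part of the issue thread and not strongSwan code: a small lint that applies the two points made in the reply above to the posted files. It reports local EAP secrets that go unused when a conn sets `rightauth=eap-radius`, and notes the CA trust requirement when `leftauth=pubkey`. The helper names and the abridged sample input are assumptions for illustration.

```python
import re

# Constructed sample input, abridged from the files quoted in the issue.
IPSEC_CONF = """\
config setup

conn IOS-IPSEC
    leftauth=pubkey
    leftcert=server-cert.pem
    rightauth=eap-radius
"""
IPSEC_SECRETS = """\
 : RSA "server-key.pem"
PLVPN : EAP "abc123"
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for the conn sections of ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def local_eap_users(text):
    """Return identities that have an EAP secret in ipsec.secrets."""
    return re.findall(r"^[ \t]*(\S+)[ \t]*:[ \t]*EAP\b", text, flags=re.M)

def lint(conf_text, secrets_text):
    """Hypothetical helper: list findings for conns that delegate EAP to RADIUS."""
    findings = []
    for name, opts in parse_conns(conf_text).items():
        if opts.get("rightauth") != "eap-radius":
            continue
        for user in local_eap_users(secrets_text):
            findings.append(f"{name}: local EAP secret for {user} is unused with eap-radius")
        if opts.get("leftauth") == "pubkey":
            cert = opts.get("leftcert", "<leftcert unset>")
            findings.append(f"{name}: clients must trust the CA that issued {cert}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(IPSEC_CONF, IPSEC_SECRETS)))
```
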

#2 Updated by Tobias Brunner 8 months ago

  • Related to Issue #3256: Ios strong swan authentication failed checkout IKEv2 SA by message with SPIs added
