Bug #501

Updated by Tobias Brunner over 6 years ago

Strongswan-5.1.0
CentOS 6.3
gcc-4.4.6
glibc-2.12

I use the eap-radius plugin to auth users' connections for IPSec, but the connection between ikev1 and client often failed. The log showed:

<pre>
Jan 25 22:48:25 08[NET] received packet: from 223.240.212.251[4500] to 110.45.173.141[4500] (92 bytes)
Jan 25 22:48:25 08[ENC] parsed INFORMATIONAL_V1 request 2487758038 [ HASH N(INITIAL_CONTACT) ]
Jan 25 22:48:25 08[IKE] calculated HASH does not match HASH payload
Jan 25 22:48:25 08[CFG] switching to peer config 'IKEv1-0'
Jan 25 22:48:25 08[IKE] calculated HASH does not match HASH payload
Jan 25 22:48:25 08[CFG] switching to peer config 'PureIPSec-IKEv1'
Jan 25 22:48:25 08[IKE] calculated HASH does not match HASH payload
Jan 25 22:48:25 08[CFG] no alternative config found
Jan 25 22:48:25 08[DMN] thread 8 received 11
Jan 25 22:48:25 08[LIB] dumping 10 stack frame addresses:
Jan 25 22:48:25 08[LIB] @ 0x658000 (__kernel_sigreturn+0x0) [0x658400]
Jan 25 22:48:25 08[LIB] /lib/libc.so.6 @ 0x197000 [0x20a50f]
</pre>


There is no output any more; ikev1, ikev2 and l2tp over ipsec can't work. I checked Bug #346, which is totally different from mine.

ipsec.conf

<pre>

config setup
    uniqueids=never

conn %default
    ikelifetime=60m
    keylife=20m
    keyingtries=3
    rekeymargin=3m

conn IKEv1
    keyexchange=ikev1
    aggressive=yes
    modeconfig=push
    rekey=no
    auto=add
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1h
    type=tunnel
    leftid=ipsec
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-eap
    compress=yes

conn IKEv2
    keyexchange=ikev2
    modeconfig=push
    auto=add
    rekey=no
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1h
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    compress=yes

conn L2TP-PSK-noNAT
    #leftfirewall=yes
    #rightfirewall=yes

    keyexchange=ikev1

    auto=add
    rekey=no
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1h
    type=transport
    right=%any
    authby=psk
    leftprotoport=17/1701
    rightprotoport=17/%any
    compress=yes
</pre>



strongswan.conf

<pre>

charon {
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    install_virtual_ip = yes
    duplicheck.enable = no
    threads = 16

    dns1 = 8.8.8.8
    dns2 = 8.8.4.4

    filelog {
        /var/log/strongswan.log {
            time_format = %b %e %T
            flush_line = yes
        }
    }

    plugins {

        eap-radius {
            accounting = yes
            servers {
                radius {
                    address = my.radius.com
                    secret = mysecret
                }
            }
        }

        xauth-eap {
            backend = radius
        }
    }
}
pluto {
}

libstrongswan {

}
</pre>
