strongswan / strongMan

Management UI for strongSwan
https://www.strongswan.org/

peer requested EAP, config unacceptable #145

Closed TelDragon closed 11 months ago

TelDragon commented 11 months ago

I have configured the EAP user list in the GUI (http://ipsec.xxx.com.cn:1515/eap_secrets/), the password satisfies the required complexity, and the server's CLI log indicates that it has been loaded successfully:

charon-systemd: loaded EAP shared key for: 'yuanyl'

This is the current GUI configuration of my server

Method                                   IKEv2 Certificate + EAP (Username/Password)
Name                                      Service1
IKE Version                              2
Server Address                        172.17.62.205
Remote Address                      -
Pool Name                               Private_Network_1
Pool Addresses                       10.1.0.0/16
Pool Attribute                         dns
Pool Attribute values              114.114.114.114
Send Certificate Request         True
Start Action                              start
Remote Authentication            eap-mschapv2
Server Certificate                      C=CH, L=, ST=, O=51EPD, OU=, CN=ipsec.xxx.com.cn
Identity                                     ipsec.xxx.com.cn
Identity Type                             subjectAltName
CA/Peer Certificate                    -
CA Identity                                %any
Local traffic selector                  0.0.0.0/0
Remote traffic selector               -

Python Version

python3 -V
Python 3.12.0

When the client connects, the IKE authentication is reported as unacceptable:

Oct 20 09:56:15 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: selected peer config 'Service1'
Oct 20 09:56:15 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: peer requested EAP, config unacceptable
Oct 20 09:56:15 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: no alternative config found
Oct 20 09:56:15 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: peer supports MOBIKE
tobiasbrunner commented 11 months ago

Method IKEv2 Certificate + EAP (Username/Password)

That's a combined method in which the client is expected to first authenticate with a certificate and then with EAP. If you only want EAP, as the client currently proposes, you have to select IKEv2 EAP (Username/Password) as authentication method in the GUI.

TelDragon commented 11 months ago

Method IKEv2 Certificate + EAP (Username/Password)

That's a combined method in which the client is expected to first authenticate with a certificate and then with EAP. If you only want EAP, as the client currently proposes, you have to select IKEv2 EAP (Username/Password) as authentication method in the GUI.

No, my main point is that after adding EAP secrets in the GUI, EAP authentication does not pass, whether the connection method is IKEv2 EAP (Username/Password) or IKEv2 Certificate + EAP (Username/Password). I feel that the EAP user added in the GUI is invalid!

tobiasbrunner commented 11 months ago

How is that your main point? Look at the log!

TelDragon commented 11 months ago

How is that your main point? Look at the log!

Example:

Connection Edit connection Server1_EAP

Your chosen authentication method.
Method                     IKEv2 EAP (Username/Password)
Connection Type       Remote Access

Name your connection so you can recognize it.
Name                        Server1_EAP
IKE Version                IKEv2
Server Address          
Remote Address        
Pools                        Private_Network_1
Send Certificate Request          Unchecked
Start Action              start

Local certificates
Choose the certificate which authenticates the server. Only certificates with private keys are shown.
Server certificate     C=CH, L=, ST=, O=51EPD, OU=, CN=ipsec.xxx.com.cn
Identity                    ipsec.xxx.com.cn subjectAltName

Remote settings
Remote authentication    eap-mschapv2

Traffic selectors
Local traffic selector    0.0.0.0/0
Remote traffic selector    

server_connections

Method                                       IKEv2 EAP (Username/Password)
Name                                          Server1_EAP
IKE Version                                  2
Server Address                            -
Remote Address                          -
Pool Name                                  Private_Network_1
Pool Addresses                           10.1.0.0/16
Pool Attribute                             dns
Pool Attribute values                  114.114.114.114
Send Certificate Request             False
Start Action                                  start
Remote Authentication                eap-mschapv2
Server Certificate                          C=CH, L=, ST=, O=51EPD, OU=, CN=ipsec.xxx.com.cn
Identity                                         ipsec.xxx.com.cn
Identity Type                                subjectAltName
CA/Peer Certificate                       -
CA Identity                                    -
Local traffic selector                     0.0.0.0/0
Remote traffic selector                 -

Pools

pool name     Private_Network_1
Addresses*    10.1.0.0/16
Attribute    dns
Attribute values    114.114.114.114

The client is Windows 10 and has the correct EAP username and password filled in, but it still asks me to enter the account name and password again.

Server logs

charon-systemd: added vici connection: Server1_EAP
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: initiating 'Server1_EAP'
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: unable to resolve %any, initiate aborted
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: loaded RSA private key
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4309] to 172.17.62.205[500] (1104 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received MS-Negotiation Discovery Capable vendor ID
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received Vid-Initial-Contact vendor ID
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: 60.1.3.115 is initiating an IKE_SA
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: local host is behind NAT, sending keep alives
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: remote host is behind NAT
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[500] to 60.1.3.115[4309] (324 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (568 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 1 [ EF(1/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received fragment #1 of 2, waiting for complete IKE message
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (520 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 1 [ EF(2/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received fragment #2 of 2, reassembled fragmented IKE message (1020 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received 28 cert requests for an unknown ca
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: looking for peer configs matching 172.17.62.205[%any]...60.1.3.115[192.168.1.29]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: selected peer config 'Server1_EAP'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: initiating EAP_MSCHAPV2 method (id 0x03)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: peer supports MOBIKE
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: authentication of 'ipsec.xxx.com.cn' (myself) with RSA signature successful
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: splitting IKE message (1508 bytes) into 2 fragments
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (1248 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (320 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (124 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: EAP-MS-CHAPv2 username: '%any'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: no EAP key found for hosts '%any' - '%any'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: EAP-MS-CHAPv2 verification failed, retry (1)
Oct 24 10:00:58 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: ignoring request with ID 2, already processing
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (116 bytes)
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (124 bytes)
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received retransmit of request with ID 2, retransmitting response
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (116 bytes)
TelDragon commented 11 months ago

After repeated testing, this may be due to a bug in a certain version of Windows 10. Even if it remembers the account password you entered, it still requires you to enter it again to connect.

Sorry..

tobiasbrunner commented 11 months ago

Windows needs an EAP-Identity exchange. That in turn requires the eap-identity plugin loaded by the IKE daemon, but also a configuration that sets eap_id (vici/swanctl) to %any. The latter doesn't seem to be the case for the configs loaded by strongMan.
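For reference, the following swanctl.conf fragment is an added example (not strongMan's generated configuration and not part of this thread) of the plain-swanctl equivalent of the Server1_EAP connection above with the EAP-Identity requirement from the last comment applied: remote.eap_id = %any lets the daemon run an EAP-Identity exchange and look up the EAP secret under the identity the client then sends (yuanyl), instead of under the placeholder %any that the log shows failing ("no EAP key found for hosts '%any' - '%any'"). The certificate file name, the secret value and the pool/connection names that are not on the page are assumptions or labelled placeholders.

```conf
# /etc/swanctl/swanctl.conf (added example; names and paths are assumptions)
connections {
    Server1_EAP {
        version = 2
        local_addrs = 172.17.62.205
        pools = Private_Network_1
        # The GUI had "Send Certificate Request" unchecked
        send_certreq = no
        local {
            auth = pubkey
            # assumed file name under /etc/swanctl/x509/
            certs = ipsec.xxx.com.cn.pem
            id = ipsec.xxx.com.cn
        }
        remote {
            auth = eap-mschapv2
            # Do not bind to a fixed client identity; instead ask the peer
            # for its EAP identity and look the shared key up under that.
            eap_id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    Private_Network_1 {
        addrs = 10.1.0.0/16
        dns = 114.114.114.114
    }
}

secrets {
    # EAP shared key; the id must match the EAP identity the client sends
    eap-yuanyl {
        id = yuanyl
        secret = "<EAP password placeholder>"
    }
}
```

The eap-identity plugin must also be loaded in charon for the identity exchange to happen; a quick check after swanctl --load-all is to watch the charon log for "EAP-MS-CHAPv2 username:" showing the real user name rather than '%any'. The log above also shows the client negotiating IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 against the default proposals; restricting proposals server-side is usual hardening, but it has to be matched by the Windows client's IPsec settings or the IKE_SA_INIT will fail before EAP is ever reached.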