Closed TelDragon closed 11 months ago
Method IKEv2 Certificate + EAP (Username/Password)
That's a combined method in which the client is expected to first authenticate with a certificate and then with EAP. If you only want EAP, as the client currently proposes, you have to select IKEv2 EAP (Username/Password) as authentication method in the GUI.
No, my main point is that when adding EAP secrets in the GUI, whether the client uses IKEv2 EAP (Username/Password) or IKEv2 Certificate + EAP (Username/Password), EAP authentication does not pass. I feel that the EAP user added in the GUI is invalid!
How is that your main point? Look at the log!
Example:
Connection Edit connection Server1_EAP
Your chosen authentication method.
Method IKEv2 EAP (Username/Password)
Connection Type Remote Access
Name your connection so you can recognize it.
Name Server1_EAP
IKE Version IKEv2
Server Address
Remote Address
Pools Private_Network_1
Send Certificate Request Unchecked
Start Action start
Local certificates
Choose the certificate which authenticates the server. Only certificates with private keys are shown.
Server certificate C=CH, L=, ST=, O=51EPD, OU=, CN=ipsec.xxx.com.cn
Identity ipsec.xxx.com.cn subjectAltName
Remote settings
Remote authentication eap-mschapv2
Traffic selectors
Local traffic selector 0.0.0.0/0
Remote traffic selector
server_connections
Method IKEv2 EAP (Username/Password)
Name Server1_EAP
IKE Version 2
Server Address -
Remote Address -
Pool Name Private_Network_1
Pool Addresses 10.1.0.0/16
Pool Attribute dns
Pool Attribute values 114.114.114.114
Send Certificate Request False
Start Action start
Remote Authentication eap-mschapv2
Server Certificate C=CH, L=, ST=, O=51EPD, OU=, CN=ipsec.xxx.com.cn
Identity ipsec.xxx.com.cn
Identity Type subjectAltName
CA/Peer Certificate -
CA Identity -
Local traffic selector 0.0.0.0/0
Remote traffic selector -
Pools
pool name Private_Network_1
Addresses* 10.1.0.0/16
Attribute dns
Attribute values 114.114.114.114
The client is Windows 10 and has the correct EAP username and password filled in, but it still asks me to enter the account name and password again.
Server logs
charon-systemd: added vici connection: Server1_EAP
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: initiating 'Server1_EAP'
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: unable to resolve %any, initiate aborted
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: loaded RSA private key
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Oct 24 10:00:51 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4309] to 172.17.62.205[500] (1104 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received MS-Negotiation Discovery Capable vendor ID
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received Vid-Initial-Contact vendor ID
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: 60.1.3.115 is initiating an IKE_SA
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: local host is behind NAT, sending keep alives
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: remote host is behind NAT
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[500] to 60.1.3.115[4309] (324 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (568 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 1 [ EF(1/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received fragment #1 of 2, waiting for complete IKE message
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (520 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 1 [ EF(2/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received fragment #2 of 2, reassembled fragmented IKE message (1020 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received 28 cert requests for an unknown ca
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: looking for peer configs matching 172.17.62.205[%any]...60.1.3.115[192.168.1.29]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: selected peer config 'Server1_EAP'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: initiating EAP_MSCHAPV2 method (id 0x03)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: peer supports MOBIKE
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: authentication of 'ipsec.xxx.com.cn' (myself) with RSA signature successful
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: splitting IKE message (1508 bytes) into 2 fragments
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (1248 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (320 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (124 bytes)
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: EAP-MS-CHAPv2 username: '%any'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: no EAP key found for hosts '%any' - '%any'
Oct 24 10:00:57 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: EAP-MS-CHAPv2 verification failed, retry (1)
Oct 24 10:00:58 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: ignoring request with ID 2, already processing
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (116 bytes)
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received packet: from 60.1.3.115[4310] to 172.17.62.205[4500] (124 bytes)
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: received retransmit of request with ID 2, retransmitting response
Oct 24 10:00:59 iZ2zea13jdgtrkqnws5x3lZ charon-systemd: sending packet: from 172.17.62.205[4500] to 60.1.3.115[4310] (116 bytes)
After repeated testing, this may be due to a bug in a certain version of Windows 10. Even if you save the account password you entered, it still requires you to enter it again to connect.
Sorry..
Windows needs an EAP-Identity exchange. That in turn requires the eap-identity plugin loaded by the IKE daemon but also a configuration that sets eap_id (vici/swanctl) to %any. The latter doesn't seem to be the case for the configs loaded by strongMan.
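As an added illustration (not strongMan's generated configuration and not part of the maintainer's reply), this is what the described setup looks like as a hand-written swanctl.conf fragment: `eap_id = %any` makes charon request the EAP identity from the Windows client instead of using the IKE identity, so the secret lookup no longer looks for `'%any' - '%any'` as in the log above. Certificate file names, the EAP user `alice` and its password are assumed placeholders; the proposals are a suggested replacement for the 3DES/MODP_1024 selection seen in the log, not something the thread prescribes.

```conf
# swanctl.conf (added example; file names and the EAP user are placeholders)
# Requires the eap-identity and eap-mschapv2 plugins to be loaded in charon.
connections {
    Server1_EAP {
        version = 2
        pools = Private_Network_1
        send_certreq = no            # GUI: "Send Certificate Request" unchecked
        fragmentation = yes          # the Windows client fragments IKE_AUTH
        # Suggested proposals; the log shows 3DES_CBC/HMAC_SHA1_96/MODP_1024 being
        # selected, which is weak. Keep at least one the client offers.
        proposals = aes256-sha256-modp2048,aes256-sha1-modp1024
        local {
            auth = pubkey
            certs = serverCert.pem   # placeholder for CN=ipsec.xxx.com.cn
            id = ipsec.xxx.com.cn
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any            # triggers the EAP-Identity exchange
        }
        children {
            Server1_EAP {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256,aes256-sha1
            }
        }
    }
}

pools {
    Private_Network_1 {
        addrs = 10.1.0.0/16
        dns = 114.114.114.114
    }
}

secrets {
    # One entry per EAP user; the id is matched against the EAP identity
    # the client sends, not against the IKE identity.
    eap-alice {
        id = alice
        secret = "placeholder-password"
    }
}
```

After `swanctl --load-all`, a successful attempt logs the real username in the `EAP-MS-CHAPv2 username:` line instead of `'%any'`.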
I have configured the EAP user list in the GUI (http://ipsec.xxx.com.cn:1515/eap_secrets/). The password meets the required complexity, and the server's CLI log indicates that it has been loaded successfully.
This is the current GUI configuration of my server
When the client connects, the IKE authentication certificate is displayed as unacceptable