strongswan / strongMan

Management UI for strongSwan
https://www.strongswan.org/

EAP error, sqlite data garbled #147

Closed TelDragon closed 1 year ago

TelDragon commented 1 year ago

Server host: CentOS 7, Python 3.12, sqlite 3.43, strongSwan 5.9.11

uname -a
Linux iZ2zea13jdgtrkqnws5x3lZ 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

python3 --version
Python 3.12.0

sqlite3 --version
3.43.0 2023-08-24 12:36:59 0f80b798b3f4b81a7bb4233c58294edd0f1156f36b6ecf5ab8e83631d468778c (64-bit)

Logs: I found that the password for the transmitted account is ????

Thu, 2023-10-26, 17:40:44 12[ENC] <Server1_EAP|29> splitting IKE message (1536 bytes) into 2 fragments
Thu, 2023-10-26, 17:40:44 12[ENC] <Server1_EAP|29> generating IKE_AUTH response 1 [ EF(1/2) ]
Thu, 2023-10-26, 17:40:44 12[ENC] <Server1_EAP|29> generating IKE_AUTH response 1 [ EF(2/2) ]
Thu, 2023-10-26, 17:40:44 12[NET] <Server1_EAP|29> sending packet: from 172.17.62.205[4500] to 60.1.3.115[2828] (1236 bytes)
Thu, 2023-10-26, 17:40:44 12[NET] <Server1_EAP|29> sending packet: from 172.17.62.205[4500] to 60.1.3.115[2828] (372 bytes)
Thu, 2023-10-26, 17:40:44 14[NET] <Server1_EAP|29> received packet: from 60.1.3.115[2828] to 172.17.62.205[4500] (144 bytes)
Thu, 2023-10-26, 17:40:44 14[ENC] <Server1_EAP|29> parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> EAP-MS-CHAPv2 username: '????'
Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> no EAP key found for hosts 'ipsec.xxx.com.cn' - '????'
Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> EAP-MS-CHAPv2 verification failed, retry (1)
Thu, 2023-10-26, 17:40:46 14[ENC] <Server1_EAP|29> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Thu, 2023-10-26, 17:40:46 14[NET] <Server1_EAP|29> sending packet: from 172.17.62.205[4500] to 60.1.3.115[2828] (128 bytes)
Thu, 2023-10-26, 17:40:46 15[NET] <Server1_EAP|29> received packet: from 60.1.3.115[2828] to 172.17.62.205[4500] (80 bytes)
Thu, 2023-10-26, 17:40:46 15[ENC] <Server1_EAP|29> parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]

Client host: CentOS 7, Python 3.12, sqlite 3.43, strongSwan 5.9.11

uname -a
Linux centos7-server 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

python3 --version
Python 3.12.0

sqlite3 --version
3.43.0 2023-08-24 12:36:59 0f80b798b3f4b81a7bb4233c58294edd0f1156f36b6ecf5ab8e83631d468778c (64-bit)

logs: ERROR_AUTHENTICATION_FAILURE: '(null)'

 <ipsec.xxx.com.cn|16> received packet: from 39.xxx.xxx.xx[4500] to 192.168.1.5[4500] (128 bytes)
Thu, 2023-10-26, 18:28:44 04[ENC] <ipsec.xxx.com.cn|16> parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Thu, 2023-10-26, 18:28:44 04[IKE] <ipsec.xxx.com.cn|16> EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Thu, 2023-10-26, 18:28:44 04[IKE] <ipsec.xxx.com.cn|16> EAP_MSCHAPV2 method failed
Thu, 2023-10-26, 18:28:44 04[ENC] <ipsec.xxx.com.cn|16> generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Thu, 2023-10-26, 18:28:44 04[NET] <ipsec.xxx.com.cn|16> sending packet: from 192.168.1.5[4500] to 39.xxx.xxx.xx[4500] (80 bytes)
Thu, 2023-10-26, 18:28:44 04[CHD] <ipsec.xxx.com.cn|16> CHILD_SA ipsec.xxx.com.cn{15} state change: CREATED => DESTROYING
Thu, 2023-10-26, 18:28:44 04[KNL] <ipsec.xxx.com.cn|16> deleting SAD entry with SPI cb2647b8
Thu, 2023-10-26, 18:28:44 04[KNL] <ipsec.xxx.com.cn|16> deleted SAD entry with SPI cb2647b8
Thu, 2023-10-26, 18:28:44 04[IKE] <ipsec.xxx.com.cn|16> IKE_SA ipsec.xxx.com.cn[16] state change: CONNECTING => DESTROYING

I created two EAP accounts:

user: yuanyl2
password: 1qaz2wsx

user: 000000
password: 000000000

Querying the database: it makes me very confused

sqlite3 db.sqlite3
sqlite> SELECT * FROM connections_secret;
2|EAP|�����eޜp2X�|8

or:

sqlite> SELECT * FROM connections_secret;
2|EAP|����fߝ|8
TelDragon commented 1 year ago

And if it is a Windows client, it does not remember the account password. The account password has to be entered manually during each authentication. You also need to enter it twice!

Server logs during Windows client login:

Thu, 2023-10-26, 18:48:34 08[IKE] <Server1_EAP|36> peer supports MOBIKE
Thu, 2023-10-26, 18:48:34 08[IKE] <Server1_EAP|36> authentication of 'ipsec.xxx.com.cn' (myself) with RSA signature successful
Thu, 2023-10-26, 18:48:34 08[IKE] <Server1_EAP|36> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Thu, 2023-10-26, 18:48:34 08[ENC] <Server1_EAP|36> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Thu, 2023-10-26, 18:48:34 08[ENC] <Server1_EAP|36> splitting IKE message (1508 bytes) into 2 fragments
Thu, 2023-10-26, 18:48:34 08[ENC] <Server1_EAP|36> generating IKE_AUTH response 1 [ EF(1/2) ]
Thu, 2023-10-26, 18:48:34 08[ENC] <Server1_EAP|36> generating IKE_AUTH response 1 [ EF(2/2) ]
Thu, 2023-10-26, 18:48:34 08[NET] <Server1_EAP|36> sending packet: from 172.17.62.205[4500] to 60.1.3.115[1362] (1248 bytes)
Thu, 2023-10-26, 18:48:34 08[NET] <Server1_EAP|36> sending packet: from 172.17.62.205[4500] to 60.1.3.115[1362] (320 bytes)
Thu, 2023-10-26, 18:48:34 16[NET] <Server1_EAP|36> received packet: from 60.1.3.115[1362] to 172.17.62.205[4500] (124 bytes)
Thu, 2023-10-26, 18:48:34 16[ENC] <Server1_EAP|36> parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Thu, 2023-10-26, 18:48:34 16[IKE] <Server1_EAP|36> EAP-MS-CHAPv2 username: '%any'
Thu, 2023-10-26, 18:48:34 16[IKE] <Server1_EAP|36> no EAP key found for hosts '%any' - '%any'
Thu, 2023-10-26, 18:48:34 16[IKE] <Server1_EAP|36> EAP-MS-CHAPv2 verification failed, retry (1)
Thu, 2023-10-26, 18:48:36 16[ENC] <Server1_EAP|36> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Thu, 2023-10-26, 18:48:36 16[NET] <Server1_EAP|36> sending packet: from 172.17.62.205[4500] to 60.1.3.115[1362] (116 bytes)
Thu, 2023-10-26, 18:48:36 14[NET] <Server1_EAP|36> received packet: from 60.1.3.115[1362] to 172.17.62.205[4500] (124 bytes)
Thu, 2023-10-26, 18:48:36 14[IKE] <Server1_EAP|36> received retransmit of request with ID 2, retransmitting response
Thu, 2023-10-26, 18:48:36 14[NET] <Server1_EAP|36> sending packet: from 172.17.62.205[4500] to 60.1.3.115[1362] (116 bytes)
Thu, 2023-10-26, 18:48:38 12[CFG] vici client 840 connected
Thu, 2023-10-26, 18:48:38 06[CFG] vici client 840 registered for: list-sa
Thu, 2023-10-26, 18:48:38 07[CFG] vici client 840 requests: list-sas
Thu, 2023-10-26, 18:48:38 14[CFG] vici client 840 unregistered for: list-sa
Thu, 2023-10-26, 18:48:38 06[CFG] vici client 840 disconnected
Thu, 2023-10-26, 18:48:49 07[CFG] vici client 841 connected
Thu, 2023-10-26, 18:48:49 08[CFG] vici client 841 registered for: list-sa
Thu, 2023-10-26, 18:48:49 12[CFG] vici client 841 requests: list-sas
Thu, 2023-10-26, 18:48:49 09[CFG] vici client 841 unregistered for: list-sa
Thu, 2023-10-26, 18:48:49 08[CFG] vici client 841 disconnected
Thu, 2023-10-26, 18:48:49 16[NET] <Server1_EAP|36> received packet: from 60.1.3.115[1362] to 172.17.62.205[4500] (124 bytes)
Thu, 2023-10-26, 18:48:49 16[ENC] <Server1_EAP|36> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Thu, 2023-10-26, 18:48:49 16[IKE] <Server1_EAP|36> EAP-MS-CHAPv2 username: '000000'
Thu, 2023-10-26, 18:48:49 16[ENC] <Server1_EAP|36> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Thu, 2023-10-26, 18:48:49 16[NET] <Server1_EAP|36> sending packet: from 172.17.62.205[4500] to 60.1.3.115[1362] (132 bytes)
Thu, 2023-10-26, 18:48:49 14[NET] <Server1_EAP|36> received packet: from 60.1.3.115[1362] to 172.17.62.205[4500] (68 bytes)
Thu, 2023-10-26, 18:48:49 14[ENC] <Server1_EAP|36> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Thu, 2023-10-26, 18:48:49 14[IKE] <Server1_EAP|36> EAP method EAP_MSCHAPV2 succeeded, MSK established
Thu, 2023-10-26, 18:48:49 14[ENC] <Server1_EAP|36> generating IKE_AUTH response 4 [ EAP/SUCC ]
Thu, 2023-10-26, 18:48:49 14[NET] <Server1_EAP|36> sending packet: from 172.17.62.205[4500] to 60.1.3.115[1362] (68 bytes)
Thu, 2023-10-26, 18:48:49 12[NET] <Server1_EAP|36> received packet: from 60.1.3.115[1362] to 172.17.62.205[4500] (84 bytes)
Thu, 2023-10-26, 18:48:49 12[ENC] <Server1_EAP|36> parsed IKE_AUTH request 5 [ AUTH ]
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> authentication of '192.168.1.13' with EAP successful
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> authentication of 'ipsec.xxx.com.cn' (myself) with EAP
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> peer requested virtual IP %any
Thu, 2023-10-26, 18:48:49 12[CFG] <Server1_EAP|36> assigning new lease to '000000'
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> assigning virtual IP 51.51.51.2 to peer '000000'
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> peer requested virtual IP %any6
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> no virtual IP found for %any6 requested by '000000'
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> IKE_SA Server1_EAP[36] established between 172.17.62.205[ipsec.xxx.com.cn]...60.1.3.115[192.168.1.13]
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> IKE_SA Server1_EAP[36] state change: CONNECTING => ESTABLISHED
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> scheduling rekeying in 12983s
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> maximum IKE_SA lifetime 14423s
Thu, 2023-10-26, 18:48:49 12[CFG] <Server1_EAP|36> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Thu, 2023-10-26, 18:48:49 12[CFG] <Server1_EAP|36> proposing traffic selectors for us:
Thu, 2023-10-26, 18:48:49 12[CFG] <Server1_EAP|36>  0.0.0.0/0
Thu, 2023-10-26, 18:48:49 12[CFG] <Server1_EAP|36> proposing traffic selectors for other:
Thu, 2023-10-26, 18:48:49 12[CFG] <Server1_EAP|36>  51.51.51.2/32
tobiasbrunner commented 1 year ago

And if it is a Windows client, it does not remember the account password. The account password has to be entered manually during each authentication. You also need to enter it twice!

As I said before, Windows clients need an EAP-Identity exchange (in swanctl.conf that's eap_id = %any in the remote section).

Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> EAP-MS-CHAPv2 username: '????'

This looks like it could be some weird encoding sent by the client (strongSwan prints a ? if a non-printable character is encountered).
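
As an added example (not code from this issue, from strongMan or from strongSwan), here is a small Python triage script that applies the two observations in this reply to charon log lines: an EAP-MS-CHAPv2 username printed as '????' means charon replaced non-printable bytes with '?', and a username of '%any' means no EAP-Identity exchange took place (the fix named above being eap_id = %any in the remote section of swanctl.conf). The sample lines are copied from the server logs posted earlier in this thread; the regexes, function names and flag labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the server logs posted in this thread
# (IKE_SA 29 failed with '????'; IKE_SA 36 first sent '%any', then '000000').
SAMPLE_LOG = """\
Thu, 2023-10-26, 17:40:44 14[ENC] <Server1_EAP|29> parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> EAP-MS-CHAPv2 username: '????'
Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> no EAP key found for hosts 'ipsec.xxx.com.cn' - '????'
Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> EAP-MS-CHAPv2 verification failed, retry (1)
Thu, 2023-10-26, 17:40:46 15[ENC] <Server1_EAP|29> parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Thu, 2023-10-26, 18:48:34 16[IKE] <Server1_EAP|36> EAP-MS-CHAPv2 username: '%any'
Thu, 2023-10-26, 18:48:34 16[IKE] <Server1_EAP|36> no EAP key found for hosts '%any' - '%any'
Thu, 2023-10-26, 18:48:34 16[IKE] <Server1_EAP|36> EAP-MS-CHAPv2 verification failed, retry (1)
Thu, 2023-10-26, 18:48:49 16[IKE] <Server1_EAP|36> EAP-MS-CHAPv2 username: '000000'
Thu, 2023-10-26, 18:48:49 14[IKE] <Server1_EAP|36> EAP method EAP_MSCHAPV2 succeeded, MSK established
Thu, 2023-10-26, 18:48:49 12[IKE] <Server1_EAP|36> authentication of '192.168.1.13' with EAP successful
"""

# "<timestamp> <thread>[<group><level?>] <<conn>|<sa>> <message>"; the group
# may carry a level digit (IKE1, CFG4) when log_level = yes is configured.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) \d+\[(?P<grp>[A-Z]+\d?)\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)
USER_RE = re.compile(r"EAP-MS-CHAPv2 username: '(?P<user>.*)'$")
NOKEY_RE = re.compile(r"no EAP key found for hosts '[^']*' - '(?P<user>[^']*)'")
FAIL_RE = re.compile(r"EAP-MS-CHAPv2 verification failed, retry \((?P<n>\d+)\)")
SUCCESS_RE = re.compile(r"EAP method EAP_MSCHAPV2 succeeded")


def classify_username(user):
    """Heuristic flags derived from how charon prints EAP identities."""
    if user == "%any":
        return "any_identity"      # no EAP-Identity exchange took place
    if "?" in user:
        return "non_printable"     # charon prints '?' for non-printable bytes
    return None                    # looks like a real identity


def _new_record():
    return {"identities": [], "flags": set(), "missing_keys": [],
            "failures": 0, "succeeded": False}


def triage(log_text):
    """Group EAP-MS-CHAPv2 events per (connection name, IKE_SA id)."""
    records = defaultdict(_new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not an IKE_SA-scoped log line
        rec = records[(m["conn"], int(m["sa"]))]
        msg = m["msg"]
        if (u := USER_RE.search(msg)):
            rec["identities"].append(u["user"])
            if (flag := classify_username(u["user"])):
                rec["flags"].add(flag)
        elif (k := NOKEY_RE.search(msg)):
            rec["missing_keys"].append(k["user"])   # identity not in loaded secrets
        elif (f := FAIL_RE.search(msg)):
            rec["failures"] = max(rec["failures"], int(f["n"]))
        elif SUCCESS_RE.search(msg):
            rec["succeeded"] = True
    return dict(records)


if __name__ == "__main__":
    for key, rec in sorted(triage(SAMPLE_LOG).items()):
        print(key, rec)
```

A '?' in a genuine username would also trip the non_printable flag, so treat it as a prompt to raise the enc log level (as suggested later in this thread) and look at the raw EAP payload, not as proof by itself.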

TelDragon commented 1 year ago

And if it is a Windows client, it does not remember the account password. The account password has to be entered manually during each authentication. You also need to enter it twice!

As I said before, Windows clients need an EAP-Identity exchange (in swanctl.conf that's eap_id = %any in the remote section).

Thu, 2023-10-26, 17:40:44 14[IKE] <Server1_EAP|29> EAP-MS-CHAPv2 username: '????'

This looks like it could be some weird encoding sent by the client (strongSwan prints a ? if a non-printable character is encountered).

Thank you for your reply.

The problem is that I can't find the direction now and don't know how to troubleshoot it. Why did it send ???? instead of the correct account password? And there is garbled code in the SQL database. The possible format is binary data.

tobiasbrunner commented 1 year ago

Why did it send ????

As I said, it might be sending non-printable characters (e.g. Unicode), not actual ? characters. What kind of client is that?

And there is garbled code in the SQL database. The possible format is binary data.

Yes, the password is stored binary as it's encrypted with the configured DB_SECRET_KEY.

TelDragon commented 1 year ago

Why did it send ????

As I said, it might be sending non-printable characters (e.g. Unicode), not actual ? characters. What kind of client is that?

And there is garbled code in the SQL database. The possible format is binary data.

Yes, the password is stored binary as it's encrypted with the configured DB_SECRET_KEY.

Your explanation is very clear. I understand, but why doesn't it use a plaintext access code?

The error reported now is an account password error, but the account passwords on my server and client are the same, and it still reports an error. I don't know how to troubleshoot this... asking for help.

Just like the error message on the server:

EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
tobiasbrunner commented 1 year ago

I understand, but why doesn't it use a plaintext access code?

What do you mean?

If you want to see the plaintext passwords that are loaded from the database via vici in the IKE daemon's log, you have to increase the log level for cfg to 4.

But the account passwords on my server and client are the same.

Please note that during EAP-MSCHAPv2 the passwords are required to get encoded as UTF-16LE, so depending on the characters used in the original passwords, their encoding and the MSCHAPv2 implementation that might cause issues.

TelDragon commented 1 year ago

I understand, but why doesn't it use a plaintext access code?

What do you mean?

If you want to see the plaintext passwords that are loaded from the database via vici in the IKE daemon's log, you have to increase the log level for cfg to 4.

But the account passwords on my server and client are the same.

Please note that during EAP-MSCHAPv2 the passwords are required to get encoded as UTF-16LE, so depending on the characters used in the original passwords, their encoding and the MSCHAPv2 implementation that might cause issues.

Hello, these are my current log settings.

cat charon-logging.conf
charon {
    filelog {
        charon {
            # append = yes
            default = 4
            flush_line = yes
            ike_name = yes
            log_level = yes
            path = /var/log/charon.log
            # time_add_ms = no
            time_format = %a, %Y-%m-%d, %H:%M:%S
         }
         stderr {
           ike = 4
           cfg = 4
         }
    }
}

Listening for log messages

tail -f /var/log/charon.log | grep ????
Fri, 2023-10-27, 11:19:05 11[IKE1] <Server1_EAP|3> EAP-MS-CHAPv2 username: '????'
Fri, 2023-10-27, 11:19:05 11[IKE1] <Server1_EAP|3> no EAP key found for hosts 'ipsec.xxx.com.cn' - '????'
^C
[root@iZ2zea13jdgtrkqnws5x3lZ strongswan.d]# tail -f /var/log/charon.log | grep 00000
Fri, 2023-10-27, 11:19:27 13[MGR2] checkout IKEv2 SA by message with SPIs bea96f7445a637a8_i 0000000000000000_r
Fri, 2023-10-27, 11:19:27 14[MGR2] checkout IKEv2 SA by message with SPIs bea96f7445a637a8_i 0000000000000000_r
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5>    => 112 bytes @ 0x7f0100000990
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5> IV => 16 bytes @ 0x7f0100000990
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5> encrypted => 96 bytes @ 0x7f01000009a0
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5> ICV => 16 bytes @ 0x7f01000009f0
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5> assoc => 32 bytes @ 0x7f0100000dd0
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5> plain => 67 bytes @ 0x7f01000009a0
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5> padding => 13 bytes @ 0x7f01000009e3
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5> parsing payload from => 67 bytes @ 0x7f01000009a0
Fri, 2023-10-27, 11:19:27 10[ENC3] <Server1_EAP|5>    => 63 bytes @ 0x7f0100000900
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5>    => 53 bytes @ 0x7f0100000be0
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5> IV => 16 bytes @ 0x7f0100000990
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5> plain => 57 bytes @ 0x7f01000009a0
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5> padding => 7 bytes @ 0x7f01000009d9
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5> assoc => 32 bytes @ 0x7f0100000a40
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5> encrypted => 64 bytes @ 0x7f01000009a0
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5> ICV => 16 bytes @ 0x7f01000009e0
Fri, 2023-10-27, 11:19:29 10[ENC3] <Server1_EAP|5>    => 96 bytes @ 0x7f0100000990
^C

tail -f /var/log/charon.log | grep CFG
Fri, 2023-10-27, 11:24:35 15[CFG2] <6> looking for an IKEv2 config for 172.17.62.205...60.1.3.115
Fri, 2023-10-27, 11:24:35 15[CFG3] <6> ike config match: 28 (%any...%any IKEv2)
Fri, 2023-10-27, 11:24:35 15[CFG2] <6>   candidate: %any...%any, prio 28
Fri, 2023-10-27, 11:24:35 15[CFG2] <6> found matching ike config: %any...%any with prio 28
Fri, 2023-10-27, 11:24:35 15[CFG2] <6> selecting proposal:
Fri, 2023-10-27, 11:24:35 15[CFG2] <6>   proposal matches
Fri, 2023-10-27, 11:24:35 15[CFG2] <6> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Fri, 2023-10-27, 11:24:35 15[CFG2] <6> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256/ECP_521, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Fri, 2023-10-27, 11:24:35 15[CFG1] <6> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Fri, 2023-10-27, 11:24:35 15[CFG2] <6> received supported signature hash algorithms: sha256 sha384 sha512 identity
Fri, 2023-10-27, 11:24:35 13[CFG2] <7> looking for an IKEv2 config for 172.17.62.205...60.1.3.115
Fri, 2023-10-27, 11:24:35 13[CFG3] <7> ike config match: 28 (%any...%any IKEv2)
Fri, 2023-10-27, 11:24:35 13[CFG2] <7>   candidate: %any...%any, prio 28
Fri, 2023-10-27, 11:24:35 13[CFG2] <7> found matching ike config: %any...%any with prio 28
Fri, 2023-10-27, 11:24:35 13[CFG2] <7> selecting proposal:
Fri, 2023-10-27, 11:24:35 13[CFG2] <7>   proposal matches
Fri, 2023-10-27, 11:24:35 13[CFG2] <7> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/MODP_2048/ECP_256/ECP_384/ECP_521/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/MODP_2048/ECP_256/ECP_384/ECP_521/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192
Fri, 2023-10-27, 11:24:35 13[CFG2] <7> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256/ECP_521, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Fri, 2023-10-27, 11:24:35 13[CFG1] <7> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Fri, 2023-10-27, 11:24:35 13[CFG2] <7> received supported signature hash algorithms: sha256 sha384 sha512 identity
Fri, 2023-10-27, 11:24:35 13[CFG2] <7> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Fri, 2023-10-27, 11:24:35 08[CFG1] <7> looking for peer configs matching 172.17.62.205[ipsec.xxx.com.cn]...60.1.3.115[192.168.1.5]
Fri, 2023-10-27, 11:24:35 08[CFG3] <7> peer config "Server1_EAP", ike match: 28 (%any...%any IKEv2)
Fri, 2023-10-27, 11:24:35 08[CFG3] <7>   local id match: 20 (ID_FQDN: 69:70:73:65:63:2e:35:31:67:63:73:2e:63:6f:6d:2e:63:6e)
Fri, 2023-10-27, 11:24:35 08[CFG3] <7>   remote id match: 1 (ID_IPV4_ADDR: c0:a8:01:05)
Fri, 2023-10-27, 11:24:35 08[CFG2] <7>   candidate "Server1_EAP", match: 20/1/28 (me/other/ike)
Fri, 2023-10-27, 11:24:35 08[CFG1] <Server1_EAP|7> selected peer config 'Server1_EAP'

Is my approach wrong?

I still can't read the plaintext in the log. My account is 000000 and password 000000

As I understand what you said about UTF-16LE, it is used when passing messages between the server and the client. I'm sorry, I'm not a developer, just a user, and not very familiar with this area.

tobiasbrunner commented 1 year ago

Is my approach wrong?

The plaintext password is logged when the config (or rather the secret) is loaded via vici. So you have to restart strongMan to see that. Also, if you want to see what the client actually sends as username, you could increase the log level for enc to 3, but that will cause a lot of output.

My account 000000 and password 000000

Hm, but is that what you configured on the client? Because it seems to send a username of 4 characters ('????') while those are 6 characters.

What you said about UTF-16LE, I understand, is used when passing messages between the server and the client.

Yes, that's something the client implementation has to do correctly when calculating the password hash.

TelDragon commented 1 year ago

Is my approach wrong?

The plaintext password is logged when the config (or rather the secret) is loaded via vici. So you have to restart strongMan to see that. Also, if you want to see what the client actually sends as username, you could increase the log level for enc to 3, but that will cause a lot of output.

My account 000000 and password 000000

Hm, but is that what you configured on the client? Because it seems to send a username of 4 characters ('????') while those are 6 characters.

When I restart the service again, I can indeed see my username.

But my core issue now is that the verification did not pass.

Fri, 2023-10-27, 15:52:45 00[DMN1] SIGTERM received, shutting down
Fri, 2023-10-27, 15:52:45 00[DMN1] Starting charon-systemd IKE daemon (strongSwan 5.9.11, Linux 3.10.0-1160.99.1.el7.x86_64, x86_64)
Fri, 2023-10-27, 15:52:45 00[CFG1] PKCS11 module '<name>' lacks library path
Fri, 2023-10-27, 15:52:45 00[LIB1] OpenSSL FIPS mode(0) - disabled 
Fri, 2023-10-27, 15:52:45 00[CFG1] install DNS servers in '/usr/local/strongswan/etc/resolv.conf'
Fri, 2023-10-27, 15:52:45 00[KNL1] received netlink error: Operation not supported (95)
Fri, 2023-10-27, 15:52:45 00[KNL1] failed to create XFRM interface 'xfrmi-test-1442'
Fri, 2023-10-27, 15:52:45 00[CFG1] attr-sql plugin: database URI not set
Fri, 2023-10-27, 15:52:45 00[CFG1] loading ca certificates from '/usr/local/strongswan/etc/ipsec.d/cacerts'
Fri, 2023-10-27, 15:52:45 00[CFG1] loading aa certificates from '/usr/local/strongswan/etc/ipsec.d/aacerts'
Fri, 2023-10-27, 15:52:45 00[CFG1] loading ocsp signer certificates from '/usr/local/strongswan/etc/ipsec.d/ocspcerts'
Fri, 2023-10-27, 15:52:45 00[CFG1] loading attribute certificates from '/usr/local/strongswan/etc/ipsec.d/acerts'
Fri, 2023-10-27, 15:52:45 00[CFG1] loading crls from '/usr/local/strongswan/etc/ipsec.d/crls'
Fri, 2023-10-27, 15:52:45 00[CFG1] loading secrets from '/usr/local/strongswan/etc/ipsec.secrets'
Fri, 2023-10-27, 15:52:45 00[CFG1] sql plugin: database URI not set
Fri, 2023-10-27, 15:52:45 00[CFG1] loaded 0 RADIUS server configurations
Fri, 2023-10-27, 15:52:45 00[LIB1] loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Fri, 2023-10-27, 15:52:45 00[JOB1] spawning 16 worker threads
Fri, 2023-10-27, 15:52:45 15[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Fri, 2023-10-27, 15:52:45 07[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Fri, 2023-10-27, 15:52:45 12[CFG1] loaded ANY private key
Fri, 2023-10-27, 15:52:45 16[CFG1] loaded ANY private key
Fri, 2023-10-27, 15:52:45 10[CFG1] loaded EAP shared key for: 'yuanyl'
Fri, 2023-10-27, 15:52:45 13[CFG1] loaded EAP shared key for: 'yuanyl2'
Fri, 2023-10-27, 15:52:45 16[CFG1] loaded EAP shared key for: '000000'
Fri, 2023-10-27, 15:52:45 09[CFG1] loaded RSA private key
Fri, 2023-10-27, 15:52:45 13[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Fri, 2023-10-27, 15:52:45 16[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Fri, 2023-10-27, 15:52:45 16[CFG1] added vici pool Private_Network_1: 51.51.51.0, 254 entries
Fri, 2023-10-27, 15:52:45 11[CFG1] added vici connection: Server1_EAP
Fri, 2023-10-27, 15:52:45 11[CFG1] initiating 'Server1_EAP'
Fri, 2023-10-27, 15:52:45 11[IKE1] <Server1_EAP|1> unable to resolve %any, initiate aborted
Fri, 2023-10-27, 15:52:45 16[CFG1] loaded RSA private key
Fri, 2023-10-27, 15:52:46 07[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Fri, 2023-10-27, 15:52:46 11[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Fri, 2023-10-27, 15:56:17 15[NET1] <2> received packet: from 60.1.3.115[3574] to 172.17.62.205[500] (1016 bytes)
Fri, 2023-10-27, 15:56:17 15[ENC1] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Fri, 2023-10-27, 15:56:17 15[IKE0] <2> 60.1.3.115 is initiating an IKE_SA
Fri, 2023-10-27, 15:56:17 15[CFG1] <2> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Fri, 2023-10-27, 15:56:17 15[IKE1] <2> local host is behind NAT, sending keep alives
Fri, 2023-10-27, 15:56:17 15[IKE1] <2> remote host is behind NAT
Fri, 2023-10-27, 15:56:17 15[IKE1] <2> DH group ECP_256 unacceptable, requesting MODP_2048
Fri, 2023-10-27, 15:56:17 15[ENC1] <2> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Fri, 2023-10-27, 15:56:17 15[NET1] <2> sending packet: from 172.17.62.205[500] to 60.1.3.115[3574] (38 bytes)
Fri, 2023-10-27, 15:56:17 02[NET1] <3> received packet: from 60.1.3.115[3574] to 172.17.62.205[500] (1208 bytes)
Fri, 2023-10-27, 15:56:17 02[ENC1] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Fri, 2023-10-27, 15:56:17 02[IKE0] <3> 60.1.3.115 is initiating an IKE_SA
Fri, 2023-10-27, 15:56:17 02[CFG1] <3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Fri, 2023-10-27, 15:56:17 02[IKE1] <3> local host is behind NAT, sending keep alives
Fri, 2023-10-27, 15:56:17 02[IKE1] <3> remote host is behind NAT
Fri, 2023-10-27, 15:56:17 02[ENC1] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Fri, 2023-10-27, 15:56:17 02[NET1] <3> sending packet: from 172.17.62.205[500] to 60.1.3.115[3574] (472 bytes)
Fri, 2023-10-27, 15:56:17 06[NET1] <3> received packet: from 60.1.3.115[3576] to 172.17.62.205[4500] (416 bytes)
Fri, 2023-10-27, 15:56:17 06[ENC1] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Fri, 2023-10-27, 15:56:17 06[IKE1] <3> received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Fri, 2023-10-27, 15:56:17 06[CFG1] <3> looking for peer configs matching 172.17.62.205[ipsec.xxx.com.cn]...60.1.3.115[192.168.1.5]
Fri, 2023-10-27, 15:56:17 06[CFG1] <Server1_EAP|3> selected peer config 'Server1_EAP'
Fri, 2023-10-27, 15:56:17 06[IKE1] <Server1_EAP|3> initiating EAP_MSCHAPV2 method (id 0x43)
Fri, 2023-10-27, 15:56:17 06[IKE1] <Server1_EAP|3> peer supports MOBIKE
Fri, 2023-10-27, 15:56:17 06[IKE1] <Server1_EAP|3> authentication of 'ipsec.xxx.com.cn' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Fri, 2023-10-27, 15:56:17 06[IKE1] <Server1_EAP|3> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Fri, 2023-10-27, 15:56:17 06[ENC1] <Server1_EAP|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Fri, 2023-10-27, 15:56:17 06[ENC1] <Server1_EAP|3> splitting IKE message (1536 bytes) into 2 fragments
Fri, 2023-10-27, 15:56:17 06[ENC1] <Server1_EAP|3> generating IKE_AUTH response 1 [ EF(1/2) ]
Fri, 2023-10-27, 15:56:17 06[ENC1] <Server1_EAP|3> generating IKE_AUTH response 1 [ EF(2/2) ]
Fri, 2023-10-27, 15:56:17 06[NET1] <Server1_EAP|3> sending packet: from 172.17.62.205[4500] to 60.1.3.115[3576] (1236 bytes)
Fri, 2023-10-27, 15:56:17 06[NET1] <Server1_EAP|3> sending packet: from 172.17.62.205[4500] to 60.1.3.115[3576] (372 bytes)
Fri, 2023-10-27, 15:56:17 16[NET1] <Server1_EAP|3> received packet: from 60.1.3.115[3576] to 172.17.62.205[4500] (144 bytes)
Fri, 2023-10-27, 15:56:17 16[ENC1] <Server1_EAP|3> parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Fri, 2023-10-27, 15:56:17 16[IKE1] <Server1_EAP|3> EAP-MS-CHAPv2 username: '????'
Fri, 2023-10-27, 15:56:17 16[IKE1] <Server1_EAP|3> no EAP key found for hosts 'ipsec.xxx.com.cn' - '????'
Fri, 2023-10-27, 15:56:17 16[IKE1] <Server1_EAP|3> EAP-MS-CHAPv2 verification failed, retry (1)
Fri, 2023-10-27, 15:56:19 16[ENC1] <Server1_EAP|3> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Fri, 2023-10-27, 15:56:19 16[NET1] <Server1_EAP|3> sending packet: from 172.17.62.205[4500] to 60.1.3.115[3576] (128 bytes)
Fri, 2023-10-27, 15:56:19 09[NET1] <Server1_EAP|3> received packet: from 60.1.3.115[3576] to 172.17.62.205[4500] (80 bytes)
Fri, 2023-10-27, 15:56:19 09[ENC1] <Server1_EAP|3> parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Fri, 2023-10-27, 15:56:19 09[ENC1] <Server1_EAP|3> generating INFORMATIONAL response 3 [ ]
Fri, 2023-10-27, 15:56:19 09[NET1] <Server1_EAP|3> sending packet: from 172.17.62.205[4500] to 60.1.3.115[3576] (80 bytes)

Client logs

Fri, 2023-10-27, 15:56:17 11[CFG1] <ipsec.xxx.com.cn|3>   using certificate "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Fri, 2023-10-27, 15:56:17 11[CFG1] <ipsec.xxx.com.cn|3>   using trusted ca certificate "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Fri, 2023-10-27, 15:56:17 11[CFG1] <ipsec.xxx.com.cn|3>   reached self-signed root ca with a path length of 0
Fri, 2023-10-27, 15:56:17 11[CFG1] <ipsec.xxx.com.cn|3> checking certificate status of "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Fri, 2023-10-27, 15:56:17 11[CFG1] <ipsec.xxx.com.cn|3> certificate status is not available
Fri, 2023-10-27, 15:56:17 11[IKE1] <ipsec.xxx.com.cn|3> authentication of 'ipsec.xxx.com.cn' with RSA_EMSA_PKCS1_SHA2_256 successful
Fri, 2023-10-27, 15:56:17 11[IKE1] <ipsec.xxx.com.cn|3> server requested EAP_MSCHAPV2 authentication (id 0x43)
Fri, 2023-10-27, 15:56:17 11[ENC1] <ipsec.xxx.com.cn|3> generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Fri, 2023-10-27, 15:56:17 11[NET1] <ipsec.xxx.com.cn|3> sending packet: from 192.168.1.5[4500] to 39.xxx.xxx.xx[4500] (144 bytes)
Fri, 2023-10-27, 15:56:19 09[NET1] <ipsec.xxx.com.cn|3> received packet: from 39.xxx.xxx.xx[4500] to 192.168.1.5[4500] (128 bytes)
Fri, 2023-10-27, 15:56:19 09[ENC1] <ipsec.xxx.com.cn|3> parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Fri, 2023-10-27, 15:56:19 09[IKE1] <ipsec.xxx.com.cn|3> EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Fri, 2023-10-27, 15:56:19 09[IKE1] <ipsec.xxx.com.cn|3> EAP_MSCHAPV2 method failed
Fri, 2023-10-27, 15:56:19 09[ENC1] <ipsec.xxx.com.cn|3> generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Fri, 2023-10-27, 15:56:19 09[NET1] <ipsec.xxx.com.cn|3> sending packet: from 192.168.1.5[4500] to 39.xxx.xxx.xx[4500] (80 bytes)
tobiasbrunner commented 1 year ago

Fri, 2023-10-27, 15:52:45 10[CFG1] loaded EAP shared key for: 'yuanyl'
Fri, 2023-10-27, 15:52:45 13[CFG1] loaded EAP shared key for: 'yuanyl2'
Fri, 2023-10-27, 15:52:45 16[CFG1] loaded EAP shared key for: '000000'

Hm, with the log level for cfg increased to 4, this should actually log the passwords as well (right after these lines there should be a key: ... line with the hex-encoded password).

Client logs

Wait, you are using strongSwan as client? How did you configure the username/password there?

TelDragon commented 1 year ago

Hm, with the log level for cfg increased to 4, this should actually log the passwords as well (right after these lines there should be a key: ... line with the hex-encoded password).

I did see it when I restarted.

Fri, 2023-10-27, 16:12:06 06[CFG2] vici client 7 requests: load-shared
Fri, 2023-10-27, 16:12:06 06[CFG1] loaded EAP shared key for: '000000'
Fri, 2023-10-27, 16:12:06 06[CFG4] key: 30:30:30:30:30:30:30:30:30
Fri, 2023-10-27, 16:12:06 09[CFG2] vici client 7 requests: load-key
Fri, 2023-10-27, 16:12:06 09[CFG1] loaded RSA private key
Fri, 2023-10-27, 16:12:06 13[CFG2] vici client 7 requests: load-cert

Client logs

Wait, you are using strongSwan as client? How did you configure the username/password there?

In strongMan, switch to Client mode and add a new connection.

Your chosen authentication method.
Method                 IKEv2 EAP (Username/Password)

Name your connection so you can recognize it and set the server.
Name                   ipsec.xxx.com.cn
Server                 ipsec.xxx.com.cn

Username               000000
Password               000000000

Choose the ca certificate which authenticates the server.
CA/Server certificate  *********CA
Server identity        Use server value

This is how I created it

I can connect normally using the strongSwan app on my mobile terminal.

After entering the account password and password twice, the VPN that comes with Windows 10 can also connect normally.

tobiasbrunner commented 1 year ago

I can't reproduce this. What version of strongMan are you using? Does it include 179becd7eb2dc461725ec358e6e00d9cfc7d837b?

TelDragon commented 1 year ago

I can't reproduce this. What version of strongMan are you using? Does it include 179becd?

Sorry, your current repository does not seem to have released versioned iterations.

I am not sure what version I am currently using; I am using the git clone https://github.com/strongswan/strongMan.git method.

Its latest ID is 5fcf872, and the repository appears to contain 179becd.

But I noticed that the permissions of this file are inconsistent with other files. Not sure if it will cause problems.

ls -ll
total 12
-rw-r--r-- 1 root root 1454 Oct 26 11:10 forms.py
-rwxr-xr-x 1 root root    0 Oct 26 11:10 __init__.py
drwxr-xr-x 3 root root   67 Oct 26 11:11 migrations
drwxr-xr-x 3 root root   62 Oct 26 11:11 models
drwxr-xr-x 2 root root  125 Oct 26 11:11 __pycache__
drwxr-xr-x 3 root root   25 Oct 26 11:10 static
-rw-r--r-- 1 root root  933 Oct 26 11:10 tables.py
drwxr-xr-x 3 root root   25 Oct 26 11:10 templates
-rwxr-xr-x 1 root root  276 Oct 26 11:10 urls.py
drwxr-xr-x 3 root root  113 Oct 26 11:11 views
cat forms.py 
from base64 import b64encode
from os import urandom
from django import forms

class EapSecretSearchForm(forms.Form):
    search_text = forms.CharField(max_length=200, required=False)

class AddOrEditForm(forms.Form):
    username = forms.RegexField(max_length=50, initial="", regex=r'^[0-9a-zA-Z_\-]+$')
    password = forms.CharField(max_length=50, widget=forms.PasswordInput, initial="")

    def __init__(self, *args, **kwargs):
        self.salt = b64encode(urandom(24)).decode('utf-8')
        super(AddOrEditForm, self).__init__(*args, **kwargs)

    def is_valid(self):
        valid = super(AddOrEditForm, self).is_valid()
        return valid

    @property
    def my_salt(self):
        return self.salt

    @property
    def my_salted_password(self):
        password = self.my_salt + self.cleaned_data["password"]
        return password

    @my_salted_password.setter
    def my_salted_password(self, value):
        password = value[32:]
        self.initial['password'] = password

    @property
    def my_username(self):
        return self.cleaned_data["username"]

    @my_username.setter
    def my_username(self, value):
        self.initial['username'] = value

    @property
    def my_password(self):
        password = self.cleaned_data["password"]
        if password == "":
            return None
        return password

    @my_password.setter
    def my_password(self, value):
        self.initial['password'] = value
tobiasbrunner commented 1 year ago

OK, as I said, with that code I can't reproduce the issue.

TelDragon commented 1 year ago

OK, as I said, with that code I can't reproduce the issue.

So I am using the latest code. Switching between different clients (CentOS, Debian), we all have this problem and cannot connect. Which direction should I investigate?

Or do you want me to provide more auxiliary information?

tobiasbrunner commented 1 year ago

Compare the username and password that are actually loaded into the daemon on client and server (via log on both).
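The comparison suggested above, as an added example that is not part of this thread and not strongMan or strongSwan code: a small Python script that pairs each "loaded EAP shared key for: '...'" line with the hex "key: ..." line charon logs at cfg level 4, decodes the secret, and names a likely cause for every "no EAP key found for hosts 'a' - 'b'" lookup. The sample log lines are constructed from the ones quoted in this issue, the line formats are taken from those quotes, and it assumes (as the quoted level-4 log shows) that the key line is written by the same worker thread directly after the loaded line. The classification labels are mine, not charon's.

```python
"""Cross-check the EAP credentials charon loaded against the ones it looked up.

Added example for this thread; it is not code from strongMan or strongSwan.
The line formats are the ones quoted in the issue: "loaded EAP shared key for:
'<id>'" (cfg level 1), the "key: xx:xx:..." line that follows it at cfg level
4, "EAP-MS-CHAPv2 username: '<id>'" and "no EAP key found for hosts '<a>' - '<b>'".
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample, modelled on the lines quoted in this issue (not a real capture).
SAMPLE_LOG = """\
Fri, 2023-10-27, 16:12:06 06[CFG2] vici client 7 requests: load-shared
Fri, 2023-10-27, 16:12:06 06[CFG1] loaded EAP shared key for: '000000'
Fri, 2023-10-27, 16:12:06 06[CFG4] key: 30:30:30:30:30:30:30:30:30
Wed, 2023-11-01, 18:29:43 10[CFG1] loaded EAP shared key for: 'test'
Wed, 2023-11-01, 18:31:54 10[IKE1] <Server1_EAP|2> EAP-MS-CHAPv2 username: '%any'
Wed, 2023-11-01, 18:31:54 10[IKE1] <Server1_EAP|2> no EAP key found for hosts '%any' - '%any'
Fri, 2023-10-27, 15:56:17 16[IKE1] <Server1_EAP|3> EAP-MS-CHAPv2 username: '????'
Fri, 2023-10-27, 15:56:17 16[IKE1] <Server1_EAP|3> no EAP key found for hosts 'ipsec.xxx.com.cn' - '????'
Wed, 2023-11-01, 18:32:03 15[IKE1] <Server1_EAP|2> EAP-MS-CHAPv2 username: 'test'
"""

THREAD_RE = re.compile(r"\s(\d+)\[[A-Z]+\d\]\s")  # "06[CFG4]" -> worker thread 06
LOADED_RE = re.compile(r"loaded EAP shared key for: '([^']*)'")
KEY_RE = re.compile(r"\bkey: ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)\s*$")
USERNAME_RE = re.compile(r"EAP-MS-CHAPv2 username: '([^']*)'")
NOKEY_RE = re.compile(r"no EAP key found for hosts '([^']*)' - '([^']*)'")


def decode_hex_key(hex_key: str) -> bytes:
    """Turn the colon-separated hex charon logs at cfg level 4 back into bytes."""
    return bytes.fromhex(hex_key.replace(":", ""))


def parse_charon_log(lines: Iterable[str]):
    """Return (loaded, usernames, failures).

    loaded    : identity -> secret bytes, or None when the log level hid the key line
    usernames : every EAP-MS-CHAPv2 username charon received, in order
    failures  : every (own id, peer id) pair for which no shared key was found
    """
    loaded: Dict[str, Optional[bytes]] = {}
    pending: Dict[str, str] = {}  # thread -> identity whose "key:" line is expected next
    usernames: List[str] = []
    failures: List[Tuple[str, str]] = []
    for line in lines:
        tm = THREAD_RE.search(line)
        thread = tm.group(1) if tm else "?"
        m = LOADED_RE.search(line)
        if m:
            loaded.setdefault(m.group(1), None)
            pending[thread] = m.group(1)  # assumption: key line comes from the same thread
            continue
        m = KEY_RE.search(line)
        if m and thread in pending:
            loaded[pending.pop(thread)] = decode_hex_key(m.group(1))
            continue
        m = USERNAME_RE.search(line)
        if m:
            usernames.append(m.group(1))
            continue
        m = NOKEY_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return loaded, usernames, failures


def classify_failure(loaded: Dict[str, Optional[bytes]], own_id: str, peer_id: str) -> str:
    """Name the most likely reason a lookup for (own_id, peer_id) found no key."""
    if peer_id == "%any":
        # The client supplied no EAP identity, so charon looked up '%any'.  With
        # eap_id = %any on the remote side (as in the swanctl.conf in this thread)
        # charon first runs EAP-Identity to ask the client for one.
        return "no-identity"
    if peer_id and set(peer_id) == {"?"}:
        # charon prints non-printable identity bytes as '?', so the client sent
        # bytes that are not the username stored on the server.
        return "unprintable"
    if peer_id in loaded:
        # A key exists for this identity: check it was loaded before the attempt
        # and that the stored secret (the "key:" line) is what the client uses.
        return "loaded-but-unmatched"
    return "unknown"


def report(lines: Iterable[str]) -> List[str]:
    """Human-readable summary, one line per loaded key and per failed lookup."""
    loaded, _, failures = parse_charon_log(lines)
    out = []
    for ident, secret in loaded.items():
        shown = "<raise cfg log level to 4 to see it>" if secret is None else repr(secret)
        out.append(f"loaded  {ident!r:20} secret={shown}")
    for own_id, peer_id in failures:
        out.append(f"FAILED  {own_id!r} - {peer_id!r}: {classify_failure(loaded, own_id, peer_id)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Run it against the charon log of each side (client and server) and compare the decoded secret bytes and the identity that the lookup actually used; a difference in either, or a run of '?' in the looked-up identity, points at the side whose stored credential does not match what was typed.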

TelDragon commented 1 year ago

@tobiasbrunner

Compare the username and password that are actually loaded into the daemon on client and server (via log on both).

The following is a comparison of EAP using the swanctl conf and strongMan methods.

Clearly, with the swanctl conf method, one account/password verification is sufficient. Using strongMan requires an additional manual input of the account password.

Host server: CentOS 7, Python 3.12, sqlite 3.43, strongswan 5.9.11, strongMan 5fcf872

Client Windows 10 22H2 19045.3636 (I don't think it should be a bug in Windows here)

strongMan gui conf

Method                    IKEv2 EAP (Username/Password)
Name                      Server1_EAP
IKE Version               2
Server Address            -
Remote Address            -
Pool Name                 Private_Network_1
Pool Addresses            51.51.51.0/24
Send Certificate Request  True
Start Action              start
Remote Authentication     eap-mschapv2
Server Certificate        C=CH, L=, ST=, O=51EPD, OU=, CN=ipsec.xxx.com.cn
Identity                  ipsec.xxx.com.cn
Identity Type             subjectAltName
CA/Peer Certificate       -
CA Identity               -
Local traffic selector    0.0.0.0/0
Remote traffic selector   -

eap_secrets

Username test
Password  testTEST.

Pools

Pool name Private_Network_1
Addresses* 51.51.51.0/24

charon.log: You must manually re-enter the account password each time you log in

Wed, 2023-11-01, 18:29:42 00[DMN1] Starting charon-systemd IKE daemon (strongSwan 5.9.11, Linux 3.10.0-1160.99.1.el7.x86_64, x86_64)
Wed, 2023-11-01, 18:29:42 00[CFG1] PKCS11 module '<name>' lacks library path
Wed, 2023-11-01, 18:29:42 00[LIB1] OpenSSL FIPS mode(0) - disabled 
Wed, 2023-11-01, 18:29:42 00[CFG1] install DNS servers in '/usr/local/strongswan/etc/resolv.conf'
Wed, 2023-11-01, 18:29:42 00[KNL1] received netlink error: Operation not supported (95)
Wed, 2023-11-01, 18:29:42 00[KNL1] failed to create XFRM interface 'xfrmi-test-3806'
Wed, 2023-11-01, 18:29:42 00[CFG1] attr-sql plugin: database URI not set
Wed, 2023-11-01, 18:29:42 00[CFG1] loading ca certificates from '/usr/local/strongswan/etc/ipsec.d/cacerts'
Wed, 2023-11-01, 18:29:42 00[CFG1] loading aa certificates from '/usr/local/strongswan/etc/ipsec.d/aacerts'
Wed, 2023-11-01, 18:29:42 00[CFG1] loading ocsp signer certificates from '/usr/local/strongswan/etc/ipsec.d/ocspcerts'
Wed, 2023-11-01, 18:29:42 00[CFG1] loading attribute certificates from '/usr/local/strongswan/etc/ipsec.d/acerts'
Wed, 2023-11-01, 18:29:42 00[CFG1] loading crls from '/usr/local/strongswan/etc/ipsec.d/crls'
Wed, 2023-11-01, 18:29:42 00[CFG1] loading secrets from '/usr/local/strongswan/etc/ipsec.secrets'
Wed, 2023-11-01, 18:29:42 00[CFG1] sql plugin: database URI not set
Wed, 2023-11-01, 18:29:42 00[CFG1] loaded 0 RADIUS server configurations
Wed, 2023-11-01, 18:29:42 00[LIB1] loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Wed, 2023-11-01, 18:29:42 00[JOB1] spawning 16 worker threads
Wed, 2023-11-01, 18:29:42 16[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Wed, 2023-11-01, 18:29:42 08[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Wed, 2023-11-01, 18:29:42 12[CFG1] loaded ANY private key
Wed, 2023-11-01, 18:29:42 16[CFG1] loaded ANY private key
Wed, 2023-11-01, 18:29:43 10[CFG1] loaded EAP shared key for: 'test'
Wed, 2023-11-01, 18:29:43 14[CFG1] loaded RSA private key
Wed, 2023-11-01, 18:29:43 07[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Wed, 2023-11-01, 18:29:43 10[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Wed, 2023-11-01, 18:29:43 10[CFG1] added vici pool Private_Network_1: 51.51.51.0, 254 entries
Wed, 2023-11-01, 18:29:43 05[CFG1] added vici connection: Server1_EAP
Wed, 2023-11-01, 18:29:43 05[CFG1] initiating 'Server1_EAP'
Wed, 2023-11-01, 18:29:43 05[IKE1] <Server1_EAP|1> unable to resolve %any, initiate aborted
Wed, 2023-11-01, 18:29:43 10[CFG1] loaded RSA private key
Wed, 2023-11-01, 18:29:43 14[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Wed, 2023-11-01, 18:29:43 06[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Wed, 2023-11-01, 18:31:53 15[NET1] <2> received packet: from 101.24.95.166[1916] to 172.17.62.205[500] (624 bytes)
Wed, 2023-11-01, 18:31:53 15[ENC1] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Wed, 2023-11-01, 18:31:53 15[IKE1] <2> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Wed, 2023-11-01, 18:31:53 15[IKE1] <2> received MS-Negotiation Discovery Capable vendor ID
Wed, 2023-11-01, 18:31:53 15[IKE1] <2> received Vid-Initial-Contact vendor ID
Wed, 2023-11-01, 18:31:53 15[ENC1] <2> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Wed, 2023-11-01, 18:31:53 15[IKE0] <2> 101.24.95.166 is initiating an IKE_SA
Wed, 2023-11-01, 18:31:53 15[CFG1] <2> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Wed, 2023-11-01, 18:31:53 15[IKE1] <2> local host is behind NAT, sending keep alives
Wed, 2023-11-01, 18:31:53 15[IKE1] <2> remote host is behind NAT
Wed, 2023-11-01, 18:31:53 15[ENC1] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Wed, 2023-11-01, 18:31:53 15[NET1] <2> sending packet: from 172.17.62.205[500] to 101.24.95.166[1916] (324 bytes)
Wed, 2023-11-01, 18:31:53 05[NET1] <2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (568 bytes)
Wed, 2023-11-01, 18:31:53 05[ENC1] <2> parsed IKE_AUTH request 1 [ EF(1/2) ]
Wed, 2023-11-01, 18:31:53 05[ENC1] <2> received fragment #1 of 2, waiting for complete IKE message
Wed, 2023-11-01, 18:31:53 11[NET1] <2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (408 bytes)
Wed, 2023-11-01, 18:31:53 11[ENC1] <2> parsed IKE_AUTH request 1 [ EF(2/2) ]
Wed, 2023-11-01, 18:31:53 11[ENC1] <2> received fragment #2 of 2, reassembled fragmented IKE message (908 bytes)
Wed, 2023-11-01, 18:31:53 11[ENC1] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Wed, 2023-11-01, 18:31:53 11[IKE1] <2> received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Wed, 2023-11-01, 18:31:53 11[IKE1] <2> received 28 cert requests for an unknown ca
Wed, 2023-11-01, 18:31:53 11[CFG1] <2> looking for peer configs matching 172.17.62.205[%any]...101.24.95.166[192.168.1.13]
Wed, 2023-11-01, 18:31:53 11[CFG1] <Server1_EAP|2> selected peer config 'Server1_EAP'
Wed, 2023-11-01, 18:31:53 11[IKE1] <Server1_EAP|2> initiating EAP_MSCHAPV2 method (id 0x96)
Wed, 2023-11-01, 18:31:53 11[IKE1] <Server1_EAP|2> peer supports MOBIKE
Wed, 2023-11-01, 18:31:53 11[IKE1] <Server1_EAP|2> authentication of 'ipsec.xxx.com.cn' (myself) with RSA signature successful
Wed, 2023-11-01, 18:31:53 11[IKE1] <Server1_EAP|2> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Wed, 2023-11-01, 18:31:53 11[ENC1] <Server1_EAP|2> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Wed, 2023-11-01, 18:31:53 11[ENC1] <Server1_EAP|2> splitting IKE message (1508 bytes) into 2 fragments
Wed, 2023-11-01, 18:31:53 11[ENC1] <Server1_EAP|2> generating IKE_AUTH response 1 [ EF(1/2) ]
Wed, 2023-11-01, 18:31:53 11[ENC1] <Server1_EAP|2> generating IKE_AUTH response 1 [ EF(2/2) ]
Wed, 2023-11-01, 18:31:53 11[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (1248 bytes)
Wed, 2023-11-01, 18:31:53 11[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (320 bytes)
Wed, 2023-11-01, 18:31:54 10[NET1] <Server1_EAP|2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (124 bytes)
Wed, 2023-11-01, 18:31:54 10[ENC1] <Server1_EAP|2> parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Wed, 2023-11-01, 18:31:54 10[IKE1] <Server1_EAP|2> EAP-MS-CHAPv2 username: '%any'
Wed, 2023-11-01, 18:31:54 10[IKE1] <Server1_EAP|2> no EAP key found for hosts '%any' - '%any'
Wed, 2023-11-01, 18:31:54 10[IKE1] <Server1_EAP|2> EAP-MS-CHAPv2 verification failed, retry (1)
Wed, 2023-11-01, 18:31:55 14[MGR1] ignoring request with ID 2, already processing
Wed, 2023-11-01, 18:31:56 10[ENC1] <Server1_EAP|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Wed, 2023-11-01, 18:31:56 10[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (116 bytes)
Wed, 2023-11-01, 18:31:56 13[NET1] <Server1_EAP|2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (124 bytes)
Wed, 2023-11-01, 18:31:56 13[IKE1] <Server1_EAP|2> received retransmit of request with ID 2, retransmitting response
Wed, 2023-11-01, 18:31:56 13[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (116 bytes)
Wed, 2023-11-01, 18:32:03 15[NET1] <Server1_EAP|2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (124 bytes)
Wed, 2023-11-01, 18:32:03 15[ENC1] <Server1_EAP|2> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Wed, 2023-11-01, 18:32:03 15[IKE1] <Server1_EAP|2> EAP-MS-CHAPv2 username: 'test'
Wed, 2023-11-01, 18:32:03 15[ENC1] <Server1_EAP|2> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Wed, 2023-11-01, 18:32:03 15[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (132 bytes)
Wed, 2023-11-01, 18:32:03 07[NET1] <Server1_EAP|2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (68 bytes)
Wed, 2023-11-01, 18:32:03 07[ENC1] <Server1_EAP|2> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Wed, 2023-11-01, 18:32:03 07[IKE1] <Server1_EAP|2> EAP method EAP_MSCHAPV2 succeeded, MSK established
Wed, 2023-11-01, 18:32:03 07[ENC1] <Server1_EAP|2> generating IKE_AUTH response 4 [ EAP/SUCC ]
Wed, 2023-11-01, 18:32:03 07[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (68 bytes)
Wed, 2023-11-01, 18:32:03 05[NET1] <Server1_EAP|2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (84 bytes)
Wed, 2023-11-01, 18:32:03 05[ENC1] <Server1_EAP|2> parsed IKE_AUTH request 5 [ AUTH ]
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> authentication of '192.168.1.13' with EAP successful
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> authentication of 'ipsec.xxx.com.cn' (myself) with EAP
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> peer requested virtual IP %any
Wed, 2023-11-01, 18:32:03 05[CFG1] <Server1_EAP|2> assigning new lease to 'test'
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> assigning virtual IP 51.51.51.1 to peer 'test'
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> peer requested virtual IP %any6
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> no virtual IP found for %any6 requested by 'test'
Wed, 2023-11-01, 18:32:03 05[IKE0] <Server1_EAP|2> IKE_SA Server1_EAP[2] established between 172.17.62.205[ipsec.xxx.com.cn]...101.24.95.166[192.168.1.13]
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> scheduling rekeying in 13426s
Wed, 2023-11-01, 18:32:03 05[IKE1] <Server1_EAP|2> maximum IKE_SA lifetime 14866s
Wed, 2023-11-01, 18:32:03 05[CFG1] <Server1_EAP|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2023-11-01, 18:32:03 05[IKE0] <Server1_EAP|2> CHILD_SA Server1_EAP{1} established with SPIs c3b7e368_i 35d1d008_o and TS 0.0.0.0/0 === 51.51.51.1/32
Wed, 2023-11-01, 18:32:03 05[ENC1] <Server1_EAP|2> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Wed, 2023-11-01, 18:32:03 05[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (228 bytes)
Wed, 2023-11-01, 18:32:07 10[NET1] <Server1_EAP|2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (68 bytes)
Wed, 2023-11-01, 18:32:07 10[ENC1] <Server1_EAP|2> parsed INFORMATIONAL request 6 [ D ]
Wed, 2023-11-01, 18:32:07 10[IKE1] <Server1_EAP|2> received DELETE for ESP CHILD_SA with SPI 35d1d008
Wed, 2023-11-01, 18:32:07 10[IKE0] <Server1_EAP|2> closing CHILD_SA Server1_EAP{1} with SPIs c3b7e368_i (3661 bytes) 35d1d008_o (0 bytes) and TS 0.0.0.0/0 === 51.51.51.1/32
Wed, 2023-11-01, 18:32:07 10[IKE1] <Server1_EAP|2> sending DELETE for ESP CHILD_SA with SPI c3b7e368
Wed, 2023-11-01, 18:32:07 10[IKE1] <Server1_EAP|2> CHILD_SA closed
Wed, 2023-11-01, 18:32:07 10[ENC1] <Server1_EAP|2> generating INFORMATIONAL response 6 [ D ]
Wed, 2023-11-01, 18:32:07 10[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (68 bytes)
Wed, 2023-11-01, 18:32:07 13[NET1] <Server1_EAP|2> received packet: from 101.24.95.166[1918] to 172.17.62.205[4500] (68 bytes)
Wed, 2023-11-01, 18:32:07 13[ENC1] <Server1_EAP|2> parsed INFORMATIONAL request 7 [ D ]
Wed, 2023-11-01, 18:32:07 13[IKE1] <Server1_EAP|2> received DELETE for IKE_SA Server1_EAP[2]
Wed, 2023-11-01, 18:32:07 13[IKE0] <Server1_EAP|2> deleting IKE_SA Server1_EAP[2] between 172.17.62.205[ipsec.xxx.com.cn]...101.24.95.166[192.168.1.13]
Wed, 2023-11-01, 18:32:07 13[IKE0] <Server1_EAP|2> IKE_SA deleted
Wed, 2023-11-01, 18:32:07 13[ENC1] <Server1_EAP|2> generating INFORMATIONAL response 7 [ ]
Wed, 2023-11-01, 18:32:07 13[NET1] <Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1918] (60 bytes)
Wed, 2023-11-01, 18:32:07 13[CFG1] <Server1_EAP|2> lease 51.51.51.1 by 'test' went offline

swanctl conf

connections {
    swanctl_Server1_EAP {
        version = 2
        proposals = 3des-aes128-aes192-aes256-sha1-sha256-sha384-modp1024,aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        unique = never
        pools = id1
        send_certreq = yes
        send_cert = always
        local {
            auth = pubkey
            certs = IPSecServerCert.pem
            id = ipsec.xxx.com.cn
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            swanctl_Server1_EAP {
                local_ts  = 0.0.0.0/0
                updown = /usr/local/strongswan/libexec/ipsec/_updown iptables
                esp_proposals = aes256-sha1-sha256-sha384-modp2048,aes256-aes128-3des-des-null-sha1,aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
}

pools {
    id1 {
        addrs = 51.51.51.0/24
    }
}

secrets {
   id1 {
      id = test
      secret = testTEST.
   }
}

charon.log: Simply use the password you remember when creating, without the need to re-enter the account password

Wed, 2023-11-01, 18:43:23 00[DMN1] Starting charon-systemd IKE daemon (strongSwan 5.9.11, Linux 3.10.0-1160.99.1.el7.x86_64, x86_64)
Wed, 2023-11-01, 18:43:23 00[CFG1] PKCS11 module '<name>' lacks library path
Wed, 2023-11-01, 18:43:23 00[LIB1] OpenSSL FIPS mode(0) - disabled 
Wed, 2023-11-01, 18:43:23 00[CFG1] install DNS servers in '/usr/local/strongswan/etc/resolv.conf'
Wed, 2023-11-01, 18:43:23 00[KNL1] received netlink error: Operation not supported (95)
Wed, 2023-11-01, 18:43:23 00[KNL1] failed to create XFRM interface 'xfrmi-test-4996'
Wed, 2023-11-01, 18:43:23 00[CFG1] attr-sql plugin: database URI not set
Wed, 2023-11-01, 18:43:23 00[CFG1] loading ca certificates from '/usr/local/strongswan/etc/ipsec.d/cacerts'
Wed, 2023-11-01, 18:43:23 00[CFG1] loading aa certificates from '/usr/local/strongswan/etc/ipsec.d/aacerts'
Wed, 2023-11-01, 18:43:23 00[CFG1] loading ocsp signer certificates from '/usr/local/strongswan/etc/ipsec.d/ocspcerts'
Wed, 2023-11-01, 18:43:23 00[CFG1] loading attribute certificates from '/usr/local/strongswan/etc/ipsec.d/acerts'
Wed, 2023-11-01, 18:43:23 00[CFG1] loading crls from '/usr/local/strongswan/etc/ipsec.d/crls'
Wed, 2023-11-01, 18:43:23 00[CFG1] loading secrets from '/usr/local/strongswan/etc/ipsec.secrets'
Wed, 2023-11-01, 18:43:23 00[CFG1] sql plugin: database URI not set
Wed, 2023-11-01, 18:43:23 00[CFG1] loaded 0 RADIUS server configurations
Wed, 2023-11-01, 18:43:23 00[LIB1] loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Wed, 2023-11-01, 18:43:23 00[JOB1] spawning 16 worker threads
Wed, 2023-11-01, 18:43:23 15[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Wed, 2023-11-01, 18:43:23 08[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Wed, 2023-11-01, 18:43:23 12[CFG1] loaded ANY private key
Wed, 2023-11-01, 18:43:23 16[CFG1] loaded ANY private key
Wed, 2023-11-01, 18:43:23 15[CFG1] added vici pool id1: 51.51.51.0, 254 entries
Wed, 2023-11-01, 18:43:23 12[CFG1] added vici connection: swanctl_Server1_EAP
Wed, 2023-11-01, 18:43:24 08[CFG1] loaded EAP shared key for: 'test'
Wed, 2023-11-01, 18:43:24 12[CFG1] loaded RSA private key
Wed, 2023-11-01, 18:43:24 15[CFG1] loaded certificate 'C=CH, O=51EPD, CN=ipsec.xxx.com.cn'
Wed, 2023-11-01, 18:43:24 08[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Wed, 2023-11-01, 18:43:24 08[CFG1] added vici pool Private_Network_1: 51.51.51.0, 254 entries
Wed, 2023-11-01, 18:44:04 09[NET1] <1> received packet: from 101.24.95.166[4194] to 172.17.62.205[500] (624 bytes)
Wed, 2023-11-01, 18:44:04 09[ENC1] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Wed, 2023-11-01, 18:44:04 09[IKE1] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Wed, 2023-11-01, 18:44:04 09[IKE1] <1> received MS-Negotiation Discovery Capable vendor ID
Wed, 2023-11-01, 18:44:04 09[IKE1] <1> received Vid-Initial-Contact vendor ID
Wed, 2023-11-01, 18:44:04 09[ENC1] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Wed, 2023-11-01, 18:44:04 09[IKE0] <1> 101.24.95.166 is initiating an IKE_SA
Wed, 2023-11-01, 18:44:04 09[CFG1] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Wed, 2023-11-01, 18:44:04 09[IKE1] <1> local host is behind NAT, sending keep alives
Wed, 2023-11-01, 18:44:04 09[IKE1] <1> remote host is behind NAT
Wed, 2023-11-01, 18:44:04 09[IKE1] <1> sending cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Wed, 2023-11-01, 18:44:04 09[ENC1] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Wed, 2023-11-01, 18:44:04 09[NET1] <1> sending packet: from 172.17.62.205[500] to 101.24.95.166[4194] (349 bytes)
Wed, 2023-11-01, 18:44:05 10[NET1] <1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (568 bytes)
Wed, 2023-11-01, 18:44:05 10[ENC1] <1> parsed IKE_AUTH request 1 [ EF(1/2) ]
Wed, 2023-11-01, 18:44:05 10[ENC1] <1> received fragment #1 of 2, waiting for complete IKE message
Wed, 2023-11-01, 18:44:05 14[NET1] <1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (408 bytes)
Wed, 2023-11-01, 18:44:05 14[ENC1] <1> parsed IKE_AUTH request 1 [ EF(2/2) ]
Wed, 2023-11-01, 18:44:05 14[ENC1] <1> received fragment #2 of 2, reassembled fragmented IKE message (908 bytes)
Wed, 2023-11-01, 18:44:05 14[ENC1] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Wed, 2023-11-01, 18:44:05 14[IKE1] <1> received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Wed, 2023-11-01, 18:44:05 14[IKE1] <1> received 28 cert requests for an unknown ca
Wed, 2023-11-01, 18:44:05 14[CFG1] <1> looking for peer configs matching 172.17.62.205[%any]...101.24.95.166[192.168.1.13]
Wed, 2023-11-01, 18:44:05 14[CFG1] <swanctl_Server1_EAP|1> selected peer config 'swanctl_Server1_EAP'
Wed, 2023-11-01, 18:44:05 14[IKE1] <swanctl_Server1_EAP|1> initiating EAP_IDENTITY method (id 0x00)
Wed, 2023-11-01, 18:44:05 14[IKE1] <swanctl_Server1_EAP|1> peer supports MOBIKE
Wed, 2023-11-01, 18:44:05 14[IKE1] <swanctl_Server1_EAP|1> authentication of 'ipsec.xxx.com.cn' (myself) with RSA signature successful
Wed, 2023-11-01, 18:44:05 14[IKE1] <swanctl_Server1_EAP|1> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Wed, 2023-11-01, 18:44:05 14[ENC1] <swanctl_Server1_EAP|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Wed, 2023-11-01, 18:44:05 14[ENC1] <swanctl_Server1_EAP|1> splitting IKE message (1476 bytes) into 2 fragments
Wed, 2023-11-01, 18:44:05 14[ENC1] <swanctl_Server1_EAP|1> generating IKE_AUTH response 1 [ EF(1/2) ]
Wed, 2023-11-01, 18:44:05 14[ENC1] <swanctl_Server1_EAP|1> generating IKE_AUTH response 1 [ EF(2/2) ]
Wed, 2023-11-01, 18:44:05 14[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (1248 bytes)
Wed, 2023-11-01, 18:44:05 14[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (288 bytes)
Wed, 2023-11-01, 18:44:05 13[NET1] <swanctl_Server1_EAP|1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (68 bytes)
Wed, 2023-11-01, 18:44:05 13[ENC1] <swanctl_Server1_EAP|1> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Wed, 2023-11-01, 18:44:05 13[IKE1] <swanctl_Server1_EAP|1> received EAP identity 'test'
Wed, 2023-11-01, 18:44:05 13[IKE1] <swanctl_Server1_EAP|1> initiating EAP_MSCHAPV2 method (id 0x0F)
Wed, 2023-11-01, 18:44:05 13[ENC1] <swanctl_Server1_EAP|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Wed, 2023-11-01, 18:44:05 13[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (100 bytes)
Wed, 2023-11-01, 18:44:05 12[NET1] <swanctl_Server1_EAP|1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (124 bytes)
Wed, 2023-11-01, 18:44:05 12[ENC1] <swanctl_Server1_EAP|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Wed, 2023-11-01, 18:44:05 12[ENC1] <swanctl_Server1_EAP|1> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Wed, 2023-11-01, 18:44:05 12[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (132 bytes)
Wed, 2023-11-01, 18:44:05 11[NET1] <swanctl_Server1_EAP|1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (68 bytes)
Wed, 2023-11-01, 18:44:05 11[ENC1] <swanctl_Server1_EAP|1> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Wed, 2023-11-01, 18:44:05 11[IKE1] <swanctl_Server1_EAP|1> EAP method EAP_MSCHAPV2 succeeded, MSK established
Wed, 2023-11-01, 18:44:05 11[ENC1] <swanctl_Server1_EAP|1> generating IKE_AUTH response 4 [ EAP/SUCC ]
Wed, 2023-11-01, 18:44:05 11[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (68 bytes)
Wed, 2023-11-01, 18:44:05 15[NET1] <swanctl_Server1_EAP|1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (84 bytes)
Wed, 2023-11-01, 18:44:05 15[ENC1] <swanctl_Server1_EAP|1> parsed IKE_AUTH request 5 [ AUTH ]
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> authentication of '192.168.1.13' with EAP successful
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> authentication of 'ipsec.xxx.com.cn' (myself) with EAP
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> peer requested virtual IP %any
Wed, 2023-11-01, 18:44:05 15[CFG1] <swanctl_Server1_EAP|1> assigning new lease to 'test'
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> assigning virtual IP 51.51.51.1 to peer 'test'
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> peer requested virtual IP %any6
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> no virtual IP found for %any6 requested by 'test'
Wed, 2023-11-01, 18:44:05 15[IKE0] <swanctl_Server1_EAP|1> IKE_SA swanctl_Server1_EAP[1] established between 172.17.62.205[ipsec.xxx.com.cn]...101.24.95.166[192.168.1.13]
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> scheduling rekeying in 13823s
Wed, 2023-11-01, 18:44:05 15[IKE1] <swanctl_Server1_EAP|1> maximum IKE_SA lifetime 15263s
Wed, 2023-11-01, 18:44:05 15[CFG1] <swanctl_Server1_EAP|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Wed, 2023-11-01, 18:44:05 15[IKE0] <swanctl_Server1_EAP|1> CHILD_SA swanctl_Server1_EAP{1} established with SPIs c2545b7c_i 71b42820_o and TS 0.0.0.0/0 === 51.51.51.1/32
Wed, 2023-11-01, 18:44:05 15[ENC1] <swanctl_Server1_EAP|1> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Wed, 2023-11-01, 18:44:05 15[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (228 bytes)
Wed, 2023-11-01, 18:44:13 06[NET1] <swanctl_Server1_EAP|1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (68 bytes)
Wed, 2023-11-01, 18:44:13 06[ENC1] <swanctl_Server1_EAP|1> parsed INFORMATIONAL request 6 [ D ]
Wed, 2023-11-01, 18:44:13 06[IKE1] <swanctl_Server1_EAP|1> received DELETE for ESP CHILD_SA with SPI 71b42820
Wed, 2023-11-01, 18:44:13 06[IKE0] <swanctl_Server1_EAP|1> closing CHILD_SA swanctl_Server1_EAP{1} with SPIs c2545b7c_i (4686 bytes) 71b42820_o (0 bytes) and TS 0.0.0.0/0 === 51.51.51.1/32
Wed, 2023-11-01, 18:44:13 06[IKE1] <swanctl_Server1_EAP|1> sending DELETE for ESP CHILD_SA with SPI c2545b7c
Wed, 2023-11-01, 18:44:13 06[IKE1] <swanctl_Server1_EAP|1> CHILD_SA closed
Wed, 2023-11-01, 18:44:13 06[ENC1] <swanctl_Server1_EAP|1> generating INFORMATIONAL response 6 [ D ]
Wed, 2023-11-01, 18:44:13 06[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (68 bytes)
Wed, 2023-11-01, 18:44:13 07[NET1] <swanctl_Server1_EAP|1> received packet: from 101.24.95.166[4195] to 172.17.62.205[4500] (68 bytes)
Wed, 2023-11-01, 18:44:13 07[ENC1] <swanctl_Server1_EAP|1> parsed INFORMATIONAL request 7 [ D ]
Wed, 2023-11-01, 18:44:13 07[IKE1] <swanctl_Server1_EAP|1> received DELETE for IKE_SA swanctl_Server1_EAP[1]
Wed, 2023-11-01, 18:44:13 07[IKE0] <swanctl_Server1_EAP|1> deleting IKE_SA swanctl_Server1_EAP[1] between 172.17.62.205[ipsec.xxx.com.cn]...101.24.95.166[192.168.1.13]
Wed, 2023-11-01, 18:44:13 07[IKE0] <swanctl_Server1_EAP|1> IKE_SA deleted
Wed, 2023-11-01, 18:44:13 07[ENC1] <swanctl_Server1_EAP|1> generating INFORMATIONAL response 7 [ ]
Wed, 2023-11-01, 18:44:13 07[NET1] <swanctl_Server1_EAP|1> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4195] (60 bytes)
Wed, 2023-11-01, 18:44:13 07[CFG1] <swanctl_Server1_EAP|1> lease 51.51.51.1 by 'test' went offline

StrongMan client mode:

The connected server is swanctl conf mode

Your chosen authentication method.
Method                                                   IKEv2 EAP (Username/Password)

Name your connection so you can recognize it and set the server.
Name                                                      ipsec.xxx.com.cn
Server                                                      ipsec.xxx.com.cn

Username                                                test
Password                                                  testTEST.

Choose the ca certificate which authenticates the server.

CA/Server certificate Choose automatically

Upload new certificate
Server identity Use server value

ipsec.xxx.com.cn | ipsec.xxx.com.cn | IKEv2 EAP (Username/Password) | OnOff
-- | -- | -- | --
Local selectors: |
Remote selectors: |
In: | Packets totaling  Bytes
Out: | Packets totaling  Bytes

charon.log: It can be directly connected.

Wed, 2023-11-01, 19:10:41 14[NET1] <2> received packet: from 101.24.95.166[4929] to 172.17.62.205[500] (1016 bytes)
Wed, 2023-11-01, 19:10:41 14[ENC1] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Wed, 2023-11-01, 19:10:41 14[IKE0] <2> 101.24.95.166 is initiating an IKE_SA
Wed, 2023-11-01, 19:10:41 14[CFG1] <2> selected proposal: IKE:AES_GCM_16_192/PRF_HMAC_SHA2_256/ECP_256
Wed, 2023-11-01, 19:10:41 14[IKE1] <2> local host is behind NAT, sending keep alives
Wed, 2023-11-01, 19:10:41 14[IKE1] <2> remote host is behind NAT
Wed, 2023-11-01, 19:10:41 14[IKE1] <2> sending cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Wed, 2023-11-01, 19:10:41 14[ENC1] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Wed, 2023-11-01, 19:10:41 14[NET1] <2> sending packet: from 172.17.62.205[500] to 101.24.95.166[4929] (297 bytes)
Wed, 2023-11-01, 19:10:41 05[NET1] <2> received packet: from 101.24.95.166[4930] to 172.17.62.205[4500] (396 bytes)
Wed, 2023-11-01, 19:10:41 05[ENC1] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Wed, 2023-11-01, 19:10:41 05[IKE1] <2> received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Wed, 2023-11-01, 19:10:41 05[CFG1] <2> looking for peer configs matching 172.17.62.205[ipsec.xxx.com.cn]...101.24.95.166[192.168.1.5]
Wed, 2023-11-01, 19:10:41 05[CFG1] <swanctl_Server1_EAP|2> selected peer config 'swanctl_Server1_EAP'
Wed, 2023-11-01, 19:10:41 05[IKE1] <swanctl_Server1_EAP|2> initiating EAP_IDENTITY method (id 0x00)
Wed, 2023-11-01, 19:10:41 05[IKE1] <swanctl_Server1_EAP|2> peer supports MOBIKE
Wed, 2023-11-01, 19:10:41 05[IKE1] <swanctl_Server1_EAP|2> authentication of 'ipsec.xxx.com.cn' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Wed, 2023-11-01, 19:10:41 05[IKE1] <swanctl_Server1_EAP|2> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Wed, 2023-11-01, 19:10:41 05[ENC1] <swanctl_Server1_EAP|2> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Wed, 2023-11-01, 19:10:41 05[ENC1] <swanctl_Server1_EAP|2> splitting IKE message (1492 bytes) into 2 fragments
Wed, 2023-11-01, 19:10:41 05[ENC1] <swanctl_Server1_EAP|2> generating IKE_AUTH response 1 [ EF(1/2) ]
Wed, 2023-11-01, 19:10:41 05[ENC1] <swanctl_Server1_EAP|2> generating IKE_AUTH response 1 [ EF(2/2) ]
Wed, 2023-11-01, 19:10:41 05[NET1] <swanctl_Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4930] (1248 bytes)
Wed, 2023-11-01, 19:10:41 05[NET1] <swanctl_Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4930] (309 bytes)
Wed, 2023-11-01, 19:10:41 13[NET1] <swanctl_Server1_EAP|2> received packet: from 101.24.95.166[4930] to 172.17.62.205[4500] (70 bytes)
Wed, 2023-11-01, 19:10:41 13[ENC1] <swanctl_Server1_EAP|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Wed, 2023-11-01, 19:10:41 13[IKE1] <swanctl_Server1_EAP|2> received EAP identity 'test'
Wed, 2023-11-01, 19:10:41 13[IKE1] <swanctl_Server1_EAP|2> initiating EAP_MSCHAPV2 method (id 0x55)
Wed, 2023-11-01, 19:10:41 13[ENC1] <swanctl_Server1_EAP|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Wed, 2023-11-01, 19:10:41 13[NET1] <swanctl_Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4930] (97 bytes)
Wed, 2023-11-01, 19:10:41 16[NET1] <swanctl_Server1_EAP|2> received packet: from 101.24.95.166[4930] to 172.17.62.205[4500] (124 bytes)
Wed, 2023-11-01, 19:10:41 16[ENC1] <swanctl_Server1_EAP|2> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Wed, 2023-11-01, 19:10:41 16[ENC1] <swanctl_Server1_EAP|2> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Wed, 2023-11-01, 19:10:41 16[NET1] <swanctl_Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4930] (134 bytes)
Wed, 2023-11-01, 19:10:41 15[NET1] <swanctl_Server1_EAP|2> received packet: from 101.24.95.166[4930] to 172.17.62.205[4500] (67 bytes)
Wed, 2023-11-01, 19:10:41 15[ENC1] <swanctl_Server1_EAP|2> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Wed, 2023-11-01, 19:10:41 15[IKE1] <swanctl_Server1_EAP|2> EAP method EAP_MSCHAPV2 succeeded, MSK established
Wed, 2023-11-01, 19:10:41 15[ENC1] <swanctl_Server1_EAP|2> generating IKE_AUTH response 4 [ EAP/SUCC ]
Wed, 2023-11-01, 19:10:41 15[NET1] <swanctl_Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4930] (65 bytes)
Wed, 2023-11-01, 19:10:41 08[NET1] <swanctl_Server1_EAP|2> received packet: from 101.24.95.166[4930] to 172.17.62.205[4500] (97 bytes)
Wed, 2023-11-01, 19:10:41 08[ENC1] <swanctl_Server1_EAP|2> parsed IKE_AUTH request 5 [ AUTH ]
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> authentication of '192.168.1.5' with EAP successful
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> authentication of 'ipsec.xxx.com.cn' (myself) with EAP
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> peer requested virtual IP %any
Wed, 2023-11-01, 19:10:41 08[CFG1] <swanctl_Server1_EAP|2> reassigning offline lease to 'test'
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> assigning virtual IP 51.51.51.1 to peer 'test'
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> peer requested virtual IP %any6
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> no virtual IP found for %any6 requested by 'test'
Wed, 2023-11-01, 19:10:41 08[IKE0] <swanctl_Server1_EAP|2> IKE_SA swanctl_Server1_EAP[2] established between 172.17.62.205[ipsec.xxx.com.cn]...101.24.95.166[192.168.1.5]
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> scheduling rekeying in 13190s
Wed, 2023-11-01, 19:10:41 08[IKE1] <swanctl_Server1_EAP|2> maximum IKE_SA lifetime 14630s
Wed, 2023-11-01, 19:10:41 08[CFG1] <swanctl_Server1_EAP|2> selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
Wed, 2023-11-01, 19:10:41 08[IKE0] <swanctl_Server1_EAP|2> CHILD_SA swanctl_Server1_EAP{2} established with SPIs c7195eb6_i c894a91c_o and TS 0.0.0.0/0 === 51.51.51.1/32
Wed, 2023-11-01, 19:10:41 08[ENC1] <swanctl_Server1_EAP|2> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Wed, 2023-11-01, 19:10:41 08[NET1] <swanctl_Server1_EAP|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4930] (229 bytes)

Based on my previous and current testing results, I personally speculate that the problem should be in the strongMan server mode, but I am not sure where the error occurred.

tobiasbrunner commented 1 year ago

What error are you referring to? I don't see authentication errors in any of these logs.

TelDragon commented 1 year ago

What error are you referring to? I don't see authentication errors in any of these logs.

Dear author.

The above test was just a login. The final result is:

When using the swanctl conf static configuration file method on the server side:

Clients, whether Windows 10, the strongSwan mobile app, or strongMan client mode, can all log in successfully at once, without any login errors, and there is no need to manually enter the EAP account password a second time.

If using strongMan server mode on the server side:

Windows clients must enter the EAP account password a second time. The strongSwan mobile app is currently not affected. The strongMan client is unable to log in properly.

This is the result I am mainly describing.

From this, I feel it may be due to my ignorance or something else; something went wrong with the strongMan server.

tobiasbrunner commented 1 year ago

I already explained multiple times before that the reason for the double password prompt is the missing EAP-Identity exchange when using strongMan on the server (it doesn't set eap_id = %any in the remote auth section).

The strongMan client is unable to log in properly.

What do you mean by that? I don't see that in the logs above.

TelDragon commented 1 year ago

I already explained multiple times before that the reason for the double password prompt is the missing EAP-Identity exchange when using strongMan on the server (it doesn't set eap_id = %any in the remote auth section).

The strongMan client is unable to log in properly.

What do you mean by that? I don't see that in the logs above.

Dear author.

So where should I add the EAP Identity in the strongMan server GUI? Or, if the GUI page does not have this function, which table or field in the database can be operated on? Or is it that strongMan server currently does not support this feature???

strongMan client GUI error:

SA can't be initiated! Command failed: b"establishing CHILD_SA 'ipsec.xxx.com.cn' failed"

server log:

Thu, 2023-11-02, 17:28:09 13[NET1] <11> received packet: from 101.24.95.166[4703] to 172.17.62.205[500] (1016 bytes)
Thu, 2023-11-02, 17:28:09 13[ENC1] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu, 2023-11-02, 17:28:09 13[IKE0] <11> 101.24.95.166 is initiating an IKE_SA
Thu, 2023-11-02, 17:28:09 13[CFG1] <11> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu, 2023-11-02, 17:28:09 13[IKE1] <11> local host is behind NAT, sending keep alives
Thu, 2023-11-02, 17:28:09 13[IKE1] <11> remote host is behind NAT
Thu, 2023-11-02, 17:28:09 13[IKE1] <11> DH group ECP_256 unacceptable, requesting MODP_2048
Thu, 2023-11-02, 17:28:09 13[ENC1] <11> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Thu, 2023-11-02, 17:28:09 13[NET1] <11> sending packet: from 172.17.62.205[500] to 101.24.95.166[4703] (38 bytes)
Thu, 2023-11-02, 17:28:09 15[NET1] <12> received packet: from 101.24.95.166[4703] to 172.17.62.205[500] (1208 bytes)
Thu, 2023-11-02, 17:28:09 15[ENC1] <12> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu, 2023-11-02, 17:28:09 15[IKE0] <12> 101.24.95.166 is initiating an IKE_SA
Thu, 2023-11-02, 17:28:09 15[CFG1] <12> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu, 2023-11-02, 17:28:09 15[IKE1] <12> local host is behind NAT, sending keep alives
Thu, 2023-11-02, 17:28:09 15[IKE1] <12> remote host is behind NAT
Thu, 2023-11-02, 17:28:09 15[ENC1] <12> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Thu, 2023-11-02, 17:28:09 15[NET1] <12> sending packet: from 172.17.62.205[500] to 101.24.95.166[4703] (472 bytes)
Thu, 2023-11-02, 17:28:09 07[NET1] <12> received packet: from 101.24.95.166[4706] to 172.17.62.205[4500] (416 bytes)
Thu, 2023-11-02, 17:28:09 07[ENC1] <12> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Thu, 2023-11-02, 17:28:09 07[IKE1] <12> received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Thu, 2023-11-02, 17:28:09 07[CFG1] <12> looking for peer configs matching 172.17.62.205[ipsec.xxx.com.cn]...101.24.95.166[192.168.1.5]
Thu, 2023-11-02, 17:28:09 07[CFG1] <Server_EAP_1|12> selected peer config 'Server_EAP_1'
Thu, 2023-11-02, 17:28:09 07[IKE1] <Server_EAP_1|12> initiating EAP_MSCHAPV2 method (id 0xAB)
Thu, 2023-11-02, 17:28:09 07[IKE1] <Server_EAP_1|12> peer supports MOBIKE
Thu, 2023-11-02, 17:28:09 07[IKE1] <Server_EAP_1|12> authentication of 'ipsec.xxx.com.cn' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Thu, 2023-11-02, 17:28:09 07[IKE1] <Server_EAP_1|12> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Thu, 2023-11-02, 17:28:09 07[ENC1] <Server_EAP_1|12> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Thu, 2023-11-02, 17:28:09 07[ENC1] <Server_EAP_1|12> splitting IKE message (1536 bytes) into 2 fragments
Thu, 2023-11-02, 17:28:09 07[ENC1] <Server_EAP_1|12> generating IKE_AUTH response 1 [ EF(1/2) ]
Thu, 2023-11-02, 17:28:09 07[ENC1] <Server_EAP_1|12> generating IKE_AUTH response 1 [ EF(2/2) ]
Thu, 2023-11-02, 17:28:09 07[NET1] <Server_EAP_1|12> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4706] (1236 bytes)
Thu, 2023-11-02, 17:28:09 07[NET1] <Server_EAP_1|12> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4706] (372 bytes)
Thu, 2023-11-02, 17:28:09 06[NET1] <Server_EAP_1|12> received packet: from 101.24.95.166[4706] to 172.17.62.205[4500] (144 bytes)
Thu, 2023-11-02, 17:28:09 06[ENC1] <Server_EAP_1|12> parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Thu, 2023-11-02, 17:28:09 06[IKE1] <Server_EAP_1|12> EAP-MS-CHAPv2 username: '????'
Thu, 2023-11-02, 17:28:09 06[IKE1] <Server_EAP_1|12> no EAP key found for hosts 'ipsec.xxx.com.cn' - '????'
Thu, 2023-11-02, 17:28:09 06[IKE1] <Server_EAP_1|12> EAP-MS-CHAPv2 verification failed, retry (1)
Thu, 2023-11-02, 17:28:11 06[ENC1] <Server_EAP_1|12> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Thu, 2023-11-02, 17:28:11 06[NET1] <Server_EAP_1|12> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4706] (128 bytes)
Thu, 2023-11-02, 17:28:11 10[NET1] <Server_EAP_1|12> received packet: from 101.24.95.166[4706] to 172.17.62.205[4500] (80 bytes)
Thu, 2023-11-02, 17:28:11 10[ENC1] <Server_EAP_1|12> parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Thu, 2023-11-02, 17:28:11 10[ENC1] <Server_EAP_1|12> generating INFORMATIONAL response 3 [ ]
Thu, 2023-11-02, 17:28:11 10[NET1] <Server_EAP_1|12> sending packet: from 172.17.62.205[4500] to 101.24.95.166[4706] (80 bytes)
Thu, 2023-11-02, 17:28:31 08[IKE1] <Server_EAP_1|12> sending keep alive to 101.24.95.166[4706]
Thu, 2023-11-02, 17:28:39 05[JOB1] <Server_EAP_1|12> deleting half open IKE_SA with 101.24.95.166 after timeout

strongMan client log:

Thu, 2023-11-02, 17:27:45 00[CFG1] loading aa certificates from '/usr/local/strongswan/etc/ipsec.d/aacerts'
Thu, 2023-11-02, 17:27:45 00[CFG1] loading ocsp signer certificates from '/usr/local/strongswan/etc/ipsec.d/ocspcerts'
Thu, 2023-11-02, 17:27:45 00[CFG1] loading attribute certificates from '/usr/local/strongswan/etc/ipsec.d/acerts'
Thu, 2023-11-02, 17:27:45 00[CFG1] loading crls from '/usr/local/strongswan/etc/ipsec.d/crls'
Thu, 2023-11-02, 17:27:45 00[CFG1] loading secrets from '/usr/local/strongswan/etc/ipsec.secrets'
Thu, 2023-11-02, 17:27:45 00[CFG1] sql plugin: database URI not set
Thu, 2023-11-02, 17:27:45 00[CFG1] loaded 0 RADIUS server configurations
Thu, 2023-11-02, 17:27:45 00[LIB1] loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Thu, 2023-11-02, 17:27:45 00[JOB1] spawning 16 worker threads
Thu, 2023-11-02, 17:27:45 08[CFG1] loaded certificate 'C=CH, O=51EPD, CN=51EPD IPSecRoot CA'
Thu, 2023-11-02, 17:28:09 06[CFG1] added vici connection: ipsec.xxx.com.cn
Thu, 2023-11-02, 17:28:09 14[CFG1] loaded EAP shared key with id 'test' for: '%any'
Thu, 2023-11-02, 17:28:09 05[CFG1] vici initiate CHILD_SA 'ipsec.xxx.com.cn'
Thu, 2023-11-02, 17:28:09 06[IKE0] <ipsec.xxx.com.cn|1> initiating IKE_SA ipsec.xxx.com.cn[1] to 39.xxx.xxx.xx
Thu, 2023-11-02, 17:28:09 06[ENC1] <ipsec.xxx.com.cn|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu, 2023-11-02, 17:28:09 06[NET1] <ipsec.xxx.com.cn|1> sending packet: from 192.168.1.5[500] to 39.xxx.xxx.xx[500] (1016 bytes)
Thu, 2023-11-02, 17:28:09 04[NET1] <ipsec.xxx.com.cn|1> received packet: from 39.xxx.xxx.xx[500] to 192.168.1.5[500] (38 bytes)
Thu, 2023-11-02, 17:28:09 04[ENC1] <ipsec.xxx.com.cn|1> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Thu, 2023-11-02, 17:28:09 04[IKE1] <ipsec.xxx.com.cn|1> peer didn't accept DH group ECP_256, it requested MODP_2048
Thu, 2023-11-02, 17:28:09 04[IKE0] <ipsec.xxx.com.cn|1> initiating IKE_SA ipsec.xxx.com.cn[1] to 39.xxx.xxx.xx
Thu, 2023-11-02, 17:28:09 04[ENC1] <ipsec.xxx.com.cn|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu, 2023-11-02, 17:28:09 04[NET1] <ipsec.xxx.com.cn|1> sending packet: from 192.168.1.5[500] to 39.xxx.xxx.xx[500] (1208 bytes)
Thu, 2023-11-02, 17:28:09 07[NET1] <ipsec.xxx.com.cn|1> received packet: from 39.xxx.xxx.xx[500] to 192.168.1.5[500] (472 bytes)
Thu, 2023-11-02, 17:28:09 07[ENC1] <ipsec.xxx.com.cn|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Thu, 2023-11-02, 17:28:09 07[CFG1] <ipsec.xxx.com.cn|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu, 2023-11-02, 17:28:09 07[IKE1] <ipsec.xxx.com.cn|1> local host is behind NAT, sending keep alives
Thu, 2023-11-02, 17:28:09 07[IKE1] <ipsec.xxx.com.cn|1> remote host is behind NAT
Thu, 2023-11-02, 17:28:09 07[IKE1] <ipsec.xxx.com.cn|1> sending cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Thu, 2023-11-02, 17:28:09 07[CFG1] <ipsec.xxx.com.cn|1> no IDi configured, fall back on IP address
Thu, 2023-11-02, 17:28:09 07[IKE0] <ipsec.xxx.com.cn|1> establishing CHILD_SA ipsec.xxx.com.cn{1}
Thu, 2023-11-02, 17:28:09 07[ENC1] <ipsec.xxx.com.cn|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Thu, 2023-11-02, 17:28:09 07[NET1] <ipsec.xxx.com.cn|1> sending packet: from 192.168.1.5[4500] to 39.xxx.xxx.xx[4500] (416 bytes)
Thu, 2023-11-02, 17:28:09 08[NET1] <ipsec.xxx.com.cn|1> received packet: from 39.xxx.xxx.xx[4500] to 192.168.1.5[4500] (1236 bytes)
Thu, 2023-11-02, 17:28:09 08[ENC1] <ipsec.xxx.com.cn|1> parsed IKE_AUTH response 1 [ EF(1/2) ]
Thu, 2023-11-02, 17:28:09 08[ENC1] <ipsec.xxx.com.cn|1> received fragment #1 of 2, waiting for complete IKE message
Thu, 2023-11-02, 17:28:09 13[NET1] <ipsec.xxx.com.cn|1> received packet: from 39.xxx.xxx.xx[4500] to 192.168.1.5[4500] (372 bytes)
Thu, 2023-11-02, 17:28:09 13[ENC1] <ipsec.xxx.com.cn|1> parsed IKE_AUTH response 1 [ EF(2/2) ]
Thu, 2023-11-02, 17:28:09 13[ENC1] <ipsec.xxx.com.cn|1> received fragment #2 of 2, reassembled fragmented IKE message (1536 bytes)
Thu, 2023-11-02, 17:28:09 13[ENC1] <ipsec.xxx.com.cn|1> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Thu, 2023-11-02, 17:28:09 13[IKE1] <ipsec.xxx.com.cn|1> received end entity cert "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Thu, 2023-11-02, 17:28:09 13[CFG1] <ipsec.xxx.com.cn|1>   using certificate "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Thu, 2023-11-02, 17:28:09 13[CFG1] <ipsec.xxx.com.cn|1>   using trusted ca certificate "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Thu, 2023-11-02, 17:28:09 13[CFG1] <ipsec.xxx.com.cn|1>   reached self-signed root ca with a path length of 0
Thu, 2023-11-02, 17:28:09 13[CFG1] <ipsec.xxx.com.cn|1> checking certificate status of "C=CH, O=51EPD, CN=ipsec.xxx.com.cn"
Thu, 2023-11-02, 17:28:09 13[CFG1] <ipsec.xxx.com.cn|1> certificate status is not available
Thu, 2023-11-02, 17:28:09 13[IKE1] <ipsec.xxx.com.cn|1> authentication of 'ipsec.xxx.com.cn' with RSA_EMSA_PKCS1_SHA2_256 successful
Thu, 2023-11-02, 17:28:09 13[IKE1] <ipsec.xxx.com.cn|1> server requested EAP_MSCHAPV2 authentication (id 0xAB)
Thu, 2023-11-02, 17:28:09 13[ENC1] <ipsec.xxx.com.cn|1> generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Thu, 2023-11-02, 17:28:09 13[NET1] <ipsec.xxx.com.cn|1> sending packet: from 192.168.1.5[4500] to 39.xxx.xxx.xx[4500] (144 bytes)
Thu, 2023-11-02, 17:28:11 13[NET1] <ipsec.xxx.com.cn|1> received packet: from 39.xxx.xxx.xx[4500] to 192.168.1.5[4500] (128 bytes)
Thu, 2023-11-02, 17:28:11 13[ENC1] <ipsec.xxx.com.cn|1> parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Thu, 2023-11-02, 17:28:11 13[IKE1] <ipsec.xxx.com.cn|1> EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Thu, 2023-11-02, 17:28:11 13[IKE1] <ipsec.xxx.com.cn|1> EAP_MSCHAPV2 method failed
Thu, 2023-11-02, 17:28:11 13[ENC1] <ipsec.xxx.com.cn|1> generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Thu, 2023-11-02, 17:28:11 13[NET1] <ipsec.xxx.com.cn|1> sending packet: from 192.168.1.5[4500] to 39.xxx.xxx.xx[4500] (80 bytes)

tobiasbrunner commented 1 year ago

Or is it that strongMan server currently does not support this feature???

Yes, as I said before, it's a limitation of strongMan. It would require code changes.

TelDragon commented 1 year ago

Or is it that strongMan server currently does not support this feature???

Yes, as I said before, it's a limitation of strongMan. It would require code changes.

Okay, thank you. I already know.

So will you add this EAP Identity exchange function in the future? What about the plan to add proposals functionality to the GUI page? I am very much looking forward to it.

Or could you give me some guidance on how to add this feature to your Python code? Add remote EAP by adding a remote authentication ID, because I cannot see the comment message in your project code. When it's convenient, I'll check with other Python developers to see if they can pr

strongMan client log:

What do you think of the error reported by the strongMan client?

tobiasbrunner commented 1 year ago

I currently don't have any resources to work on this.

What do you think of the error reported by the strongMan client?

I told you before, without a log of both peers that shows what secret is actually loaded into the daemon it's difficult to tell (again, you have to increase the log level of cfg to 4 to see that).

TelDragon commented 1 year ago

I currently don't have any resources to work on this.

What do you think of the error reported by the strongMan client?

I told you before, without a log of both peers that shows what secret is actually loaded into the daemon it's difficult to tell (again, you have to increase the log level of cfg to 4 to see that).

Sorry. After turning on the log level of 4, it becomes very large.

Displayed my key

Thu, 2023-11-02, 22:01:56 16[CFG1] loaded EAP shared key for: 'test'
Thu, 2023-11-02, 22:01:56 16[CFG4] key: 74:65:73:74:54:45:53:54:2e
....
Thu, 2023-11-02, 22:01:56 12[CFG1] loaded EAP shared key for: 'test2'
Thu, 2023-11-02, 22:01:56 12[CFG4] key: 74:65:73:74:54:45:53:54:2e

strongMan Server log file

https://raw.githubusercontent.com/TelDragon/Dragon/master/Server_charon.log

strongMan client log:

Displayed my key

Thu, 2023-11-02, 22:02:43 10[CFG2]    eap_id = test
Thu, 2023-11-02, 22:02:43 10[CFG2]    class = EAP
Thu, 2023-11-02, 22:02:43 10[CFG2]   remote:
Thu, 2023-11-02, 22:02:43 10[CFG2]    id = ipsec.xxxxx.com.cn
Thu, 2023-11-02, 22:02:43 10[CFG2]    class = public key
...
Thu, 2023-11-02, 22:02:43 02[JOB2] watcher is observing 8 fds
Thu, 2023-11-02, 22:02:43 13[CFG1] loaded EAP shared key with id 'test' for: '%any'
Thu, 2023-11-02, 22:02:43 13[CFG4] key: 74:65:73:74:54:45:53:54:2e
Thu, 2023-11-02, 22:02:43 13[JOB3] removed fd 24[r] from watcher
Thu, 2023-11-02, 22:02:43 02[JOB2] watcher got notification, rebuilding

strongMan Client log file https://raw.githubusercontent.com/TelDragon/Dragon/master/Client_charon.log

Very sorry, due to the large size of the log, the maximum character limit of 65535 has been exceeded. So I chose to upload the file to my library and access it as a hyperlink.

tobiasbrunner commented 1 year ago

Oh, I see what the problem is. strongMan does not configure an IKE identity, only an EAP-Identity (unlike the Android client which also configures the username as IKE identity). So the IKE identity defaults to the IP address (you actually see that in the log). And because the server does not request an EAP-Identity, that IKE identity is also used during the EAP-MSCHAPv2 exchange (this also only works because the secret on the client is not associated with a specific username/identity). In the server log, that's the ???? you see as username (four byte IPv4 address, none of which are printable characters). Looks like the students who developed this never actually tested strongMan vs. strongMan using EAP with username/password.

By the way, this might work as a quick fix to enable an EAP-Identity exchange on the server:

diff --git a/strongMan/apps/server_connections/models/authentication.py b/strongMan/apps/server_connections/models/authentication.py
index df982c9563d9..618edbb841be 100644
--- a/strongMan/apps/server_connections/models/authentication.py
+++ b/strongMan/apps/server_connections/models/authentication.py
@@ -101,6 +101,8 @@ class EapAuthentication(Authentication):
         ident = self.identity.subclass()
         if not isinstance(ident, DnIdentity):
             values['id'] = ident.value()
+        if self.remote is not None:
+            values['eap_id'] = '%any'
         return auth

     def has_private_key(self):
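Review bot: the new `if self.remote is not None:` branch sets `values['eap_id'] = '%any'` for every remote instance of EapAuthentication, checking only `self.remote` and not which authentication method the object carries, so a remote entry of this class that is not an EAP method would also receive an `eap_id` key; gate the assignment on the method being EAP as well, and add a one-line comment above it saying that `%any` makes charon request an EAP-Identity from the peer, since nothing in the method explains the magic value.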
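As an added illustration of the explanation above (example code, not from this thread or from strongMan), this Python snippet decodes a CFG4 `key:` line of the kind posted earlier back to the configured secret, and shows why an IKE identity that fell back to the IPv4 address 192.168.1.5 is logged as '????': the four raw bytes contain no printable characters. The regex for the key line and the '?' substitution rule are assumptions modelled on the log lines quoted in this issue.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample, modelled on the CFG4 line the reporter posted for user 'test'
# (cfg log level 4 prints the secret itself, so such logs are sensitive and should
# not be shared unredacted).
CFG4_KEY_LINE = "Thu, 2023-11-02, 22:01:56 16[CFG4] key: 74:65:73:74:54:45:53:54:2e"
CONFIGURED_PASSWORD = "testTEST."   # value entered in the strongMan client form

# Assumed shape of the line: '[CFG4] key: ' followed by colon-separated hex bytes.
KEY_RE = re.compile(r"\[CFG4\] key: ((?:[0-9a-fA-F]{2})(?::[0-9a-fA-F]{2})*)\s*$")


def decode_cfg4_key(line: str) -> bytes:
    """Return the raw secret bytes encoded in a charon 'key: xx:xx:...' log line."""
    match = KEY_RE.search(line)
    if match is None:
        raise ValueError("not a CFG4 key line: %r" % line)
    return bytes.fromhex(match.group(1).replace(":", ""))


def key_matches_password(line: str, password: str) -> bool:
    """True if the secret charon loaded equals the password the user configured."""
    return decode_cfg4_key(line) == password.encode("utf-8")


def ikev2_id_ipv4(addr: str) -> bytes:
    """Raw ID_IPV4_ADDR identity bytes used when IDi falls back to the IP address."""
    return ipaddress.IPv4Address(addr).packed


def log_display(identity: bytes) -> str:
    """Render identity bytes the way the log shows them: every byte outside printable
    ASCII becomes '?' (assumption modelled on the '????' username in the server log)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in identity)


def eap_username_seen_by_server(client_ip: str, eap_id: Optional[str],
                                server_requests_eap_identity: bool) -> str:
    """Name the server's EAP-MSCHAPv2 backend looks up.

    With eap_id = %any in the server's remote auth section the server asks for an
    EAP-Identity and receives the username; without it, the IKE identity is reused,
    and a client with no configured IKE identity presents its IPv4 address.
    """
    if server_requests_eap_identity and eap_id:
        return eap_id
    return log_display(ikev2_id_ipv4(client_ip))


if __name__ == "__main__":
    print("client secret matches form:", key_matches_password(CFG4_KEY_LINE, CONFIGURED_PASSWORD))
    print("without eap_id:", eap_username_seen_by_server("192.168.1.5", "test", False))
    print("with eap_id = %any:", eap_username_seen_by_server("192.168.1.5", "test", True))
```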

TelDragon commented 1 year ago

Oh, I see what the problem is. strongMan does not configure an IKE identity, only an EAP-Identity (unlike the Android client which also configures the username as IKE identity). So the IKE identity defaults to the IP address (you actually see that in the log). And because the server does not request an EAP-Identity, that IKE identity is also used during the EAP-MSCHAPv2 exchange (this also only works because the secret on the client is not associated with a specific username/identity). In the server log, that's the ???? you see as username (four byte IPv4 address, none of which are printable characters). Looks like the students who developed this never actually tested strongMan vs. strongMan using EAP with username/password.

By the way, this might work as a quick fix to enable an EAP-Identity exchange on the server:

diff --git a/strongMan/apps/server_connections/models/authentication.py b/strongMan/apps/server_connections/models/authentication.py
index df982c9563d9..618edbb841be 100644
--- a/strongMan/apps/server_connections/models/authentication.py
+++ b/strongMan/apps/server_connections/models/authentication.py
@@ -101,6 +101,8 @@ class EapAuthentication(Authentication):
         ident = self.identity.subclass()
         if not isinstance(ident, DnIdentity):
             values['id'] = ident.value()
+        if self.remote is not None:
+            values['eap_id'] = '%any'
         return auth

     def has_private_key(self):

That's right! When I looked at the strongMan server mode GUI again, the Remote ID displayed was 192.168.1.5, not my "test". When the mobile client authenticates successfully, the Remote ID displays the correct "test".

So I made the changes as you said. Can I understand it this way: after repairing according to your instructions with eap_id = %any, will this also apply to the Windows client?

Based on the change code you provided, after changing the code I tried to connect but still couldn't connect properly.

    def dict(self):
        auth = super(EapAuthentication, self).dict()
        values = auth[self.name]
        values['certs'] = [self.identity.subclass().certificate.der_container]
        ident = self.identity.subclass()
        if not isinstance(ident, DnIdentity):
            values['id'] = ident.value()
        # added per the suggested patch: ask the peer for an EAP-Identity
        if self.remote is not None:
            values['eap_id'] = '%any'
        return auth

Server CLI

systemctl restart strongswan
systemctl restart strongMan

tobiasbrunner commented 1 year ago

Hm, looking at the code that handles the authentication config for server connections in strongMan/apps/server_connections/forms/SubForms.py, this is quite a mess.

For instance, in EapForm::create_connection() a local EapAuthentication object is added with auth actually set to pubkey. While the form to select the server certificate (in Ike2EapForm) is not ServerCertificateForm but RemoteCertificateForm whose create_connection() actually creates a remote CaCertificateAuthentication with auth set to the selected EAP method instead of pubkey. So this is then kinda reversed and only by chance works for the most part but really doesn't make sense in the first place (also, EapForm::update_connection() later references remote authentications of type EapAuthentication to update the local identity, which won't work as there is never such an object).

This basically means that eap_id has currently to be set in the dict function of the CaCertificateAuthentication class. Something like this should work:

diff --git a/strongMan/apps/server_connections/models/authentication.py b/strongMan/apps/server_connections/models/authentication.py
index df982c9563d9..4680ff14be35 100644
--- a/strongMan/apps/server_connections/models/authentication.py
+++ b/strongMan/apps/server_connections/models/authentication.py
@@ -68,6 +68,8 @@ class CaCertificateAuthentication(Authentication):
                 parameters['certs'] = [self.ca_cert.der_container]
         if self.ca_identity != '':
             parameters['id'] = self.ca_identity
+        if self.remote is not None and self.auth != 'pubkey':
+            parameters['eap_id'] = '%any'
         return auth

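Review bot: `self.auth != 'pubkey'` is a negative test, so any remote CaCertificateAuthentication whose auth is something other than pubkey, not only the EAP methods the form stores there, would also get `parameters['eap_id'] = '%any'`; since the surrounding explanation says this branch exists only because RemoteCertificateForm writes the selected EAP method into this object's auth, an explicit positive check for EAP method values, with a comment pointing at that quirk in SubForms.py, would keep the hack from silently applying to other methods.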
But note that this is a hack and that these authentication objects should probably be fixed (not sure if that can be done without loss of data).

TelDragon commented 1 year ago

Currently very beautiful!! Both the Windows client and the strongMan client were successfully authenticated at once!

Windows client connection

Fri, 2023-11-03, 01:20:55 10[IKE1] <Server_EAP_1|2> peer supports MOBIKE
Fri, 2023-11-03, 01:20:55 10[IKE1] <Server_EAP_1|2> authentication of 'ipsec.xxxxx.com.cn' (myself) with RSA signature successful
Fri, 2023-11-03, 01:20:55 10[IKE1] <Server_EAP_1|2> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxxxx.com.cn"
Fri, 2023-11-03, 01:20:55 10[ENC1] <Server_EAP_1|2> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Fri, 2023-11-03, 01:20:55 10[ENC1] <Server_EAP_1|2> splitting IKE message (1476 bytes) into 2 fragments
Fri, 2023-11-03, 01:20:55 10[ENC1] <Server_EAP_1|2> generating IKE_AUTH response 1 [ EF(1/2) ]
Fri, 2023-11-03, 01:20:55 10[ENC1] <Server_EAP_1|2> generating IKE_AUTH response 1 [ EF(2/2) ]
Fri, 2023-11-03, 01:20:55 10[NET1] <Server_EAP_1|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1842] (1248 bytes)
Fri, 2023-11-03, 01:20:55 10[NET1] <Server_EAP_1|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1842] (288 bytes)
Fri, 2023-11-03, 01:20:55 14[NET1] <Server_EAP_1|2> received packet: from 101.24.95.166[1842] to 172.17.62.205[4500] (68 bytes)
Fri, 2023-11-03, 01:20:55 14[ENC1] <Server_EAP_1|2> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Fri, 2023-11-03, 01:20:55 14[IKE1] <Server_EAP_1|2> received EAP identity 'test'
Fri, 2023-11-03, 01:20:55 14[IKE1] <Server_EAP_1|2> initiating EAP_MSCHAPV2 method (id 0x2D)
Fri, 2023-11-03, 01:20:55 14[ENC1] <Server_EAP_1|2> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Fri, 2023-11-03, 01:20:55 14[NET1] <Server_EAP_1|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1842] (100 bytes)
Fri, 2023-11-03, 01:20:55 05[NET1] <Server_EAP_1|2> received packet: from 101.24.95.166[1842] to 172.17.62.205[4500] (124 bytes)
Fri, 2023-11-03, 01:20:55 05[ENC1] <Server_EAP_1|2> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Fri, 2023-11-03, 01:20:55 05[ENC1] <Server_EAP_1|2> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Fri, 2023-11-03, 01:20:55 05[NET1] <Server_EAP_1|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1842] (132 bytes)
Fri, 2023-11-03, 01:20:56 13[NET1] <Server_EAP_1|2> received packet: from 101.24.95.166[1842] to 172.17.62.205[4500] (68 bytes)
Fri, 2023-11-03, 01:20:56 13[ENC1] <Server_EAP_1|2> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Fri, 2023-11-03, 01:20:56 13[IKE1] <Server_EAP_1|2> EAP method EAP_MSCHAPV2 succeeded, MSK established
Fri, 2023-11-03, 01:20:56 13[ENC1] <Server_EAP_1|2> generating IKE_AUTH response 4 [ EAP/SUCC ]
Fri, 2023-11-03, 01:20:56 13[NET1] <Server_EAP_1|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1842] (68 bytes)
Fri, 2023-11-03, 01:20:56 16[NET1] <Server_EAP_1|2> received packet: from 101.24.95.166[1842] to 172.17.62.205[4500] (84 bytes)
Fri, 2023-11-03, 01:20:56 16[ENC1] <Server_EAP_1|2> parsed IKE_AUTH request 5 [ AUTH ]
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> authentication of '192.168.1.13' with EAP successful
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> authentication of 'ipsec.xxxxx.com.cn' (myself) with EAP
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> peer requested virtual IP %any
Fri, 2023-11-03, 01:20:56 16[CFG1] <Server_EAP_1|2> assigning new lease to 'test'
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> assigning virtual IP 51.51.51.1 to peer 'test'
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> peer requested virtual IP %any6
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> no virtual IP found for %any6 requested by 'test'
Fri, 2023-11-03, 01:20:56 16[IKE0] <Server_EAP_1|2> IKE_SA Server_EAP_1[2] established between 172.17.62.205[ipsec.xxxxx.com.cn]...101.24.95.166[192.168.1.13]
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> scheduling rekeying in 13770s
Fri, 2023-11-03, 01:20:56 16[IKE1] <Server_EAP_1|2> maximum IKE_SA lifetime 15210s
Fri, 2023-11-03, 01:20:56 16[CFG1] <Server_EAP_1|2> selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Fri, 2023-11-03, 01:20:56 16[IKE0] <Server_EAP_1|2> CHILD_SA Server_EAP_1{1} established with SPIs c902212c_i 691ea0a4_o and TS 0.0.0.0/0 === 51.51.51.1/32
Fri, 2023-11-03, 01:20:56 16[ENC1] <Server_EAP_1|2> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Fri, 2023-11-03, 01:20:56 16[NET1] <Server_EAP_1|2> sending packet: from 172.17.62.205[4500] to 101.24.95.166[1842] (220 bytes)

StrongMan Client Connection

Fri, 2023-11-03, 01:22:01 05[NET1] <3> received packet: from 101.24.95.166[1841] to 172.17.62.205[500] (1080 bytes)
Fri, 2023-11-03, 01:22:01 05[ENC1] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Fri, 2023-11-03, 01:22:01 05[IKE0] <3> 101.24.95.166 is initiating an IKE_SA
Fri, 2023-11-03, 01:22:01 05[CFG1] <3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Fri, 2023-11-03, 01:22:01 05[IKE1] <3> local host is behind NAT, sending keep alives
Fri, 2023-11-03, 01:22:01 05[IKE1] <3> remote host is behind NAT
Fri, 2023-11-03, 01:22:01 05[IKE1] <3> DH group ECP_256 unacceptable, requesting MODP_2048
Fri, 2023-11-03, 01:22:01 05[ENC1] <3> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Fri, 2023-11-03, 01:22:01 05[NET1] <3> sending packet: from 172.17.62.205[500] to 101.24.95.166[1841] (38 bytes)
Fri, 2023-11-03, 01:22:02 07[NET1] <4> received packet: from 101.24.95.166[1841] to 172.17.62.205[500] (1272 bytes)
Fri, 2023-11-03, 01:22:02 07[ENC1] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Fri, 2023-11-03, 01:22:02 07[IKE0] <4> 101.24.95.166 is initiating an IKE_SA
Fri, 2023-11-03, 01:22:02 07[CFG1] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Fri, 2023-11-03, 01:22:02 07[IKE1] <4> local host is behind NAT, sending keep alives
Fri, 2023-11-03, 01:22:02 07[IKE1] <4> remote host is behind NAT
Fri, 2023-11-03, 01:22:02 07[ENC1] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Fri, 2023-11-03, 01:22:02 07[NET1] <4> sending packet: from 172.17.62.205[500] to 101.24.95.166[1841] (472 bytes)
Fri, 2023-11-03, 01:22:02 10[NET1] <4> received packet: from 101.24.95.166[2470] to 172.17.62.205[4500] (432 bytes)
Fri, 2023-11-03, 01:22:02 10[ENC1] <4> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Fri, 2023-11-03, 01:22:02 10[IKE1] <4> received cert request for "C=CH, O=51EPD, CN=51EPD IPSecRoot CA"
Fri, 2023-11-03, 01:22:02 10[CFG1] <4> looking for peer configs matching 172.17.62.205[ipsec.xxxxx.com.cn]...101.24.95.166[192.168.1.55]
Fri, 2023-11-03, 01:22:02 10[CFG1] <Server_EAP_1|4> selected peer config 'Server_EAP_1'
Fri, 2023-11-03, 01:22:02 10[IKE1] <Server_EAP_1|4> initiating EAP_IDENTITY method (id 0x00)
Fri, 2023-11-03, 01:22:02 10[IKE1] <Server_EAP_1|4> peer supports MOBIKE
Fri, 2023-11-03, 01:22:02 10[IKE1] <Server_EAP_1|4> authentication of 'ipsec.xxxxx.com.cn' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Fri, 2023-11-03, 01:22:02 10[IKE1] <Server_EAP_1|4> sending end entity cert "C=CH, O=51EPD, CN=ipsec.xxxxx.com.cn"
Fri, 2023-11-03, 01:22:02 10[ENC1] <Server_EAP_1|4> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Fri, 2023-11-03, 01:22:02 10[ENC1] <Server_EAP_1|4> splitting IKE message (1504 bytes) into 2 fragments
Fri, 2023-11-03, 01:22:02 10[ENC1] <Server_EAP_1|4> generating IKE_AUTH response 1 [ EF(1/2) ]
Fri, 2023-11-03, 01:22:02 10[ENC1] <Server_EAP_1|4> generating IKE_AUTH response 1 [ EF(2/2) ]
Fri, 2023-11-03, 01:22:02 10[NET1] <Server_EAP_1|4> sending packet: from 172.17.62.205[4500] to 101.24.95.166[2470] (1236 bytes)
Fri, 2023-11-03, 01:22:02 10[NET1] <Server_EAP_1|4> sending packet: from 172.17.62.205[4500] to 101.24.95.166[2470] (340 bytes)
Fri, 2023-11-03, 01:22:02 06[NET1] <Server_EAP_1|4> received packet: from 101.24.95.166[2470] to 172.17.62.205[4500] (80 bytes)
Fri, 2023-11-03, 01:22:02 06[ENC1] <Server_EAP_1|4> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Fri, 2023-11-03, 01:22:02 06[IKE1] <Server_EAP_1|4> received EAP identity 'test'
Fri, 2023-11-03, 01:22:02 06[IKE1] <Server_EAP_1|4> initiating EAP_MSCHAPV2 method (id 0xB0)
Fri, 2023-11-03, 01:22:02 06[ENC1] <Server_EAP_1|4> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Fri, 2023-11-03, 01:22:02 06[NET1] <Server_EAP_1|4> sending packet: from 172.17.62.205[4500] to 101.24.95.166[2470] (112 bytes)
Fri, 2023-11-03, 01:22:02 14[NET1] <Server_EAP_1|4> received packet: from 101.24.95.166[2470] to 172.17.62.205[4500] (144 bytes)
Fri, 2023-11-03, 01:22:02 14[ENC1] <Server_EAP_1|4> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Fri, 2023-11-03, 01:22:02 14[ENC1] <Server_EAP_1|4> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Fri, 2023-11-03, 01:22:02 14[NET1] <Server_EAP_1|4> sending packet: from 172.17.62.205[4500] to 101.24.95.166[2470] (144 bytes)
Fri, 2023-11-03, 01:22:02 16[NET1] <Server_EAP_1|4> received packet: from 101.24.95.166[2470] to 172.17.62.205[4500] (80 bytes)
Fri, 2023-11-03, 01:22:02 16[ENC1] <Server_EAP_1|4> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Fri, 2023-11-03, 01:22:02 16[IKE1] <Server_EAP_1|4> EAP method EAP_MSCHAPV2 succeeded, MSK established
Fri, 2023-11-03, 01:22:02 16[ENC1] <Server_EAP_1|4> generating IKE_AUTH response 4 [ EAP/SUCC ]
Fri, 2023-11-03, 01:22:02 16[NET1] <Server_EAP_1|4> sending packet: from 172.17.62.205[4500] to 101.24.95.166[2470] (80 bytes)
Fri, 2023-11-03, 01:22:02 09[NET1] <Server_EAP_1|4> received packet: from 101.24.95.166[2470] to 172.17.62.205[4500] (112 bytes)
Fri, 2023-11-03, 01:22:02 09[ENC1] <Server_EAP_1|4> parsed IKE_AUTH request 5 [ AUTH ]
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> authentication of '192.168.1.55' with EAP successful
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> authentication of 'ipsec.xxxxx.com.cn' (myself) with EAP
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> peer requested virtual IP %any
Fri, 2023-11-03, 01:22:02 09[CFG1] <Server_EAP_1|4> reassigning offline lease to 'test'
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> assigning virtual IP 51.51.51.1 to peer 'test'
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> peer requested virtual IP %any6
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> no virtual IP found for %any6 requested by 'test'
Fri, 2023-11-03, 01:22:02 09[IKE0] <Server_EAP_1|4> IKE_SA Server_EAP_1[4] established between 172.17.62.205[ipsec.xxxxx.com.cn]...101.24.95.166[192.168.1.55]
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> scheduling rekeying in 13325s
Fri, 2023-11-03, 01:22:02 09[IKE1] <Server_EAP_1|4> maximum IKE_SA lifetime 14765s
Fri, 2023-11-03, 01:22:02 09[CFG1] <Server_EAP_1|4> selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
Fri, 2023-11-03, 01:22:02 09[IKE0] <Server_EAP_1|4> CHILD_SA Server_EAP_1{2} established with SPIs c157e987_i c9dcb46f_o and TS 0.0.0.0/0 === 51.51.51.1/32
Fri, 2023-11-03, 01:22:02 09[ENC1] <Server_EAP_1|4> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Fri, 2023-11-03, 01:22:02 09[NET1] <Server_EAP_1|4> sending packet: from 172.17.62.205[4500] to 101.24.95.166[2470] (240 bytes)
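As an added example that is not part of this issue or of strongMan: a small Python triage over charon log lines in the shape quoted above, which tells a garbled EAP identity (charon prints identity bytes it cannot render as '?', and such an identity can never match a stored secret) apart from a genuinely missing or wrong credential. The regexes, the failing IKE_SA `Server_EAP_1|9` and the hostname `vpn.example.test` are constructed here; the two successful lines are copied from the excerpt above.

```python
import re

# Constructed regex for the charon line shape quoted in this issue: "Day, date, time thread[SUBSYS] <conn|id> msg"
LINE_RE = re.compile(r"^\w{3}, \d{4}-\d{2}-\d{2}, [\d:]+ \d+\[[A-Z]+\d?\] <(?P<sa>[^>]+)> (?P<msg>.*)$")
EVENT_RES = {  # message patterns emitted by charon's EAP code, mapped to record fields
    "identity": re.compile(r"(?:received EAP identity|EAP-MS-CHAPv2 username:) '(?P<v>[^']*)'"),
    "succeeded": re.compile(r"EAP method (?P<v>EAP_[A-Z0-9]+) succeeded"),
    "retries": re.compile(r"verification failed, retry \((?P<v>\d+)\)"),
    "no_key": re.compile(r"(?P<v>no EAP key found) for hosts"),
}

# Sample input: two lines copied from the successful exchange above plus a constructed
# failing IKE_SA (Server_EAP_1|9) in the shape the reporter saw before the fix.
SAMPLE = [
    "Fri, 2023-11-03, 01:22:02 06[IKE1] <Server_EAP_1|4> received EAP identity 'test'",
    "Fri, 2023-11-03, 01:22:02 16[IKE1] <Server_EAP_1|4> EAP method EAP_MSCHAPV2 succeeded, MSK established",
    "Wed, 2023-10-25, 09:00:01 07[IKE] <Server_EAP_1|9> EAP-MS-CHAPv2 username: '????'",
    "Wed, 2023-10-25, 09:00:01 07[IKE] <Server_EAP_1|9> no EAP key found for hosts 'vpn.example.test' - '????'",
    "Wed, 2023-10-25, 09:00:01 07[IKE] <Server_EAP_1|9> EAP-MS-CHAPv2 verification failed, retry (1)",
]

def identity_looks_garbled(ident):
    # An identity made only of '?' (or holding non-printable characters) points at storage/encoding, not at a typo.
    return ident == "" or set(ident) == {"?"} or not ident.isprintable()

def triage(lines):
    # Fold log lines into one EAP outcome record per IKE_SA, keyed by the '<conn|id>' tag.
    sas = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line, or one the extractor truncated
        rec = sas.setdefault(m["sa"], {"identity": None, "succeeded": None, "retries": 0, "no_key": False})
        for key, rx in EVENT_RES.items():
            if hit := rx.search(m["msg"]):
                rec[key] = {"retries": int, "no_key": bool}.get(key, str)(hit["v"])
                break
    return sas

def verdict(rec):
    # Separate "wrong credentials" from "the identity never reached the secret lookup intact".
    if rec["succeeded"]:
        return "ok"
    if rec["no_key"] and identity_looks_garbled(rec["identity"] or ""):
        return "identity garbled: check how the EAP identity is stored and encoded"
    if rec["no_key"]:
        return "no secret configured for this identity"
    return "incomplete"
```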