[Openswan Users] RES: Openswan using Radius server for authentication
Arnel B. Espanola
aespanola at arts.ucla.edu
Mon Jun 2 12:25:19 EDT 2008
Here are my configs. Take note that I'm actually using public IPs but I
just changed them into private IPs. Thanks.
/Arnel
1.) /etc/ppp/chap-secrets (basically empty)
# Secrets for authentication using CHAP
# client server secret IP addresses
2.) /etc/xl2tpd/xl2tpd.conf
[global]
port = 1701
[lns default]
ip range = 10.0.1.70-10.0.1.126
local ip = 10.10.1.65
require chap = yes
refuse pap = yes
require authentication = yes
;name = LinuxVPNserver
name = pppuser
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
3.) /etc/ipsec.conf
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m

conn roadwarrior-net
    leftsubnet=192.168.0.0/16
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

# MAC OSX
conn roadwarrior-l2tp-macosx
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior

conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior
    pfs=no
    left=10.0.1.23
    leftnexthop=10.0.1.1
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
4.) /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.2.196
ms-dns 10.0.2.176
ms-wins 10.0.2.188
ms-wins 10.0.2.189
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
#silent
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
nologfd
plugin radius.so
Gbenga wrote:
> Hi Arnel,
>
> Can you post your relevant configuration files (you can mask sensitive data if you want). Your issue will get a quicker resolution if people can see your files. I think you will need to post your [1.] /etc/ppp/chap-secrets. [2.] /etc/xl2tpd/xl2tpd.conf [3.] ipsec conn section for roadwarrior [4.] /etc/ppp/options.xl2tpd
>
> I suspect that you have misconfigured something in your ppp/chap/xl2tpd files.
>
> Rgds,
> Gbenga
>
>
>
> IPSec with the VPN server but fails to reach the radius server for
> authentication.
>
>
> May 30 15:31:34 vpn pppd[11331]: Plugin radius.so loaded.
> May 30 15:31:34 vpn pppd[11331]: RADIUS plugin initialized.
> May 30 15:31:34 vpn pppd[11331]: pppd 2.4.4 started by root, uid 0
> May 30 15:31:34 vpn pppd[11331]: Using interface ppp0
> May 30 15:31:34 vpn pppd[11331]: Connect: ppp0 <--> /dev/pts/1
> May 30 15:31:36 vpn pppd[11331]: rc_send_server: bind: 10.0.1.101: Permission denied
> May 30 15:31:36 vpn pppd[11331]: Peer arnel failed CHAP authentication
> May 30 15:31:36 vpn pppd[11331]: Connection terminated.
> May 30 15:31:36 vpn xl2tpd[11201]: control_finish: Connection closed to 10.0.1.146, serial 0 ()
> May 30 15:31:36 vpn xl2tpd[11201]: control_finish: Connection closed to 10.0.1.146, port 1701 (), Local: 4446, Remote: 8
>
> Note:
> 10.0.1.100 - vpn server
> 10.0.1.101 - radius server
> 10.0.1.146 - client
>
> Arnel
>
> Gbenga wrote:
>> Hi Arnel,
>> I have not accessed my openswan mail for a while.
>> You are nearly done. What has happened, I guess, is that you have not set up your chap authentication well. I have included truncated parts of my relevant files.
>> You will need to configure the following files:
>> 1.] /etc/ppp/options.l2pd [whatever you call it]
>> 2.] /etc/xl2tpd/xl2tpd.conf [to use relevant ip addresses and options]
>> 3.] /etc/ppp/chap [ there is no need for this since you are using radius]
>> 4.] /etc/radiusclient/radiusclient.conf: [the stuff below is what I have in mine.]
>> auth_order radius,local
>> login_tries 4
>> login_timeout 60
>> nologin /etc/nologin
>> issue /etc/radiusclient/issue
>>
>> authserver 10.10.1.XX:1812
>> acctserver 10.10.1.XX:1813
>> servers /etc/radiusclient/servers
>> dictionary /etc/radiusclient/dictionary
>> login_radius /usr/sbin/login.radius
>> seqfile /var/run/radius.seq
>> mapfile /etc/radiusclient/port-id-map
>> default_realm
>> radius_timeout 10
>> radius_retries 3
>> login_local /bin/login
>>
>> 5.] /etc/radiusclient/servers: [the stuff below is from my file.]
>> #Server Name or Client/Server pair Key
>> #---------------- ---------------
>> 10.10.1.XX [radius server] *****
>> 10.10.1.X [vpn vpn server] *****
>> 6.] /etc/ppp/option.l2tpd: [relevant options]
>> ipcp-accept-local
>> ipcp-accept-remote
>> ms-dns 10.11.0.90
>> noccp
>> auth
>> crtscts
>> idle 1800
>> mtu 1200
>> mru 1200
>> nodefaultroute
>> debug
>> lock
>> proxyarp
>> connect-delay 5000
>> plugin radius.so
>>
>> 7.] /etc/xl2tpd/xl2tpd.conf: [relevant portion]
>>
>> [lns default]
>> ip range = 10.10.3.128 - 10.10.3.254
>> local ip = 10.10.3.100
>> require chap = yes
>> refuse pap = yes
>> require authentication = yes
>> ppp debug = yes
>> ; some name from ppp users
>> name = pppuser
>> pppoptfile = /etc/ppp/options.l2tpd
>> length bit = yes
>> require chap = yes
>> refuse pap = yes
>> require authentication = no
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.l2tpd.client
>> length bit = yes
>>
>> 8.] /usr/local/etc/raddb/users [relevant portion]
>> pppuser Auth-Type := Local, User-Password == "your password"
>>         Service-Type = Framed-User,
>>         Framed-Protocol = PPP
>> 9.] /usr/local/etc/raddb/clients.conf
>> client 10.10.1.57 {
>>         secret = secret
>>         shortname = vpn_server
>>         nastype = other
>> }
>>
>> I hope this helps you. You can also read up on L2TP/VPN at http://www.jacco2.dds.nl/networking/win2000xp-openswan.html.
>> Rgds,
>> Gbenga
>>
>> Thanks. It fixes the dictionary errors but another error comes up. See
>> the log.
>>
>>
>>
>> May 28 09:54:09 vpn pppd[24108]: Plugin radius.so loaded.
>> May 28 09:54:09 vpn pppd[24108]: RADIUS plugin initialized.
>> May 28 09:54:09 vpn pppd[24108]: Plugin radattr.so loaded.
>> May 28 09:54:09 vpn pppd[24108]: RADATTR plugin initialized.
>> May 28 09:54:09 vpn pppd[24108]: pppd 2.4.4 started by root, uid 0
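The pppd excerpt quoted in this thread shows a CHAP failure that is really a consequence of the RADIUS client failing before any credential was checked (the rc_send_server bind error). Below is an added triage script, not part of the thread or of Openswan/xl2tpd/pppd, that groups pppd syslog lines by pid and separates "RADIUS server never reached" from "RADIUS rejected the credential", attaching the tunnel peer address from the matching xl2tpd control_finish line; the sample log is constructed, modelled on the quoted excerpt, and the second session (pid 11402, peer bob, 10.0.1.150) is invented for contrast.

```python
import re

# Constructed sample modelled on the pppd/xl2tpd syslog excerpt quoted in the
# thread (same host, pids and addresses); the second session is constructed too.
SAMPLE_LOG = """\
May 30 15:31:34 vpn pppd[11331]: RADIUS plugin initialized.
May 30 15:31:36 vpn pppd[11331]: rc_send_server: bind: 10.0.1.101: Permission denied
May 30 15:31:36 vpn pppd[11331]: Peer arnel failed CHAP authentication
May 30 15:31:36 vpn pppd[11331]: Connection terminated.
May 30 15:31:36 vpn xl2tpd[11201]: control_finish: Connection closed to 10.0.1.146, port 1701 (), Local: 4446, Remote: 8
May 30 15:40:02 vpn pppd[11402]: RADIUS plugin initialized.
May 30 15:40:04 vpn pppd[11402]: Peer bob failed CHAP authentication
May 30 15:40:04 vpn pppd[11402]: Connection terminated.
May 30 15:40:04 vpn xl2tpd[11201]: control_finish: Connection closed to 10.0.1.150, port 1701 (), Local: 4447, Remote: 9
"""

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \S+ \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CHAP_FAIL_RE = re.compile(r"^Peer (?P<peer>\S+) failed CHAP authentication$")
L2TP_CLOSE_RE = re.compile(r"^control_finish: Connection closed to (?P<ip>[\d.]+)")

def triage(log_text):
    """Group pppd lines by pid and classify why each session ended: a CHAP
    failure preceded by an rc_send_server error in that session means radiusclient
    never reached the server ('radius_unreachable'); a bare one is a real reject
    ('credential_rejected')."""
    sessions = {}   # pid -> {peer, client, verdict, radius_error}; insertion ordered
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m.group("prog", "pid", "msg")
        if prog == "pppd":
            s = sessions.setdefault(pid, {"peer": None, "client": None,
                                          "verdict": "incomplete", "radius_error": None})
            if msg.startswith("rc_send_server:"):
                s["radius_error"] = msg      # radiusclient transport error (bind/send)
            f = CHAP_FAIL_RE.match(msg)
            if f:
                s["peer"] = f.group("peer")
                s["verdict"] = "radius_unreachable" if s["radius_error"] else "credential_rejected"
        elif prog == "xl2tpd":
            c = L2TP_CLOSE_RE.match(msg)
            if c:
                # xl2tpd closes the tunnel after pppd exits: give the peer address to the newest session lacking one
                for s in reversed(list(sessions.values())):
                    if s["client"] is None:
                        s["client"] = c.group("ip")
                        break
    return sessions
```

Run it against /var/log/messages (or wherever pppd and xl2tpd log on the box) to see at a glance whether a wave of CHAP failures is a RADIUS transport problem on the VPN server or genuine rejects from the RADIUS server.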