[Openswan Users] IKEv2 + freeradius + LDAP

Aleksey Kravchenko gmkrab at gmail.com
Fri Dec 23 05:12:01 EST 2016


Good day! Can you help?
I want to configure strongSwan IKEv2 with OpenLDAP authentication. Is that possible?
I configured FreeRADIUS + LDAP and tried radtest with the LDAP user adam; the test is OK:

*radtest adam password1234 myip 10 password1234*

Sent Access-Request Id 142 from 0.0.0.0:46701 to myip:1812 length 74
User-Name = "adam"
User-Password = "password1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 10
Message-Authenticator = 0x00
Cleartext-Password = "password1234"
Received *Access-Accept* Id 142 from myip:1812 to 0.0.0.0:0 length 20

*Log from radius server:*
radius_1  | Fri Dec 23 08:54:02 2016 : Info: rlm_ldap (ldap): Opening additional connection (38)
Log from ldap server:
585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128
585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0
585ce62a conn=1206 op=0 RESULT tag=97 err=0 text=

585ce62a conn=1206 op=1 MOD dn="uid=adam,dc=***,dc=***"
585ce62a conn=1206 op=1 MOD attr=description

585ce62a conn=1206 op=1 RESULT tag=103 err=0 text=



Then I connect the Android strongSwan client to the strongSwan server and
receive this response from LDAP:

radius log: radius_1  | Fri Dec 23 09:01:46 2016 : Info: rlm_ldap (ldap): Opening additional connection (42)
ldap log:
585ce821 conn=1211 fd=17 ACCEPT from IP=*.*.*.*:46089 (IP=0.0.0.0:389)
585ce821 conn=1211 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128
585ce821 conn=1211 op=0 BIND dn="cn=dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0
585ce821 conn=1211 op=0 RESULT tag=97 err=0 text=


*Strongswan client log:*

Dec 23 12:04:23 12[NET] sending packet: from 192.168.88.18[37418] to *** [4500] (3612 bytes)
Dec 23 12:04:23 13[NET] received packet: from *** [4500] to 192.168.88.18[37418] (1196 bytes)
Dec 23 12:04:23 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 23 12:04:23 13[IKE] received end entity cert "C=CA, O=Example, CN=*.*"
Dec 23 12:04:23 13[CFG]   using certificate "C=CA, O=Example, CN=*.*"
Dec 23 12:04:23 13[CFG]   using trusted ca certificate "C=CA, O=Example, CN=ExampleCA"
Dec 23 12:04:23 13[CFG]   reached self-signed root ca with a path length of 0
Dec 23 12:04:23 13[IKE] authentication of '*.*' with RSA signature successful
Dec 23 12:04:23 13[IKE] server requested EAP_IDENTITY (id 0x00), sending 'adam'
Dec 23 12:04:23 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 23 12:04:23 13[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (76 bytes)
Dec 23 12:04:23 14[NET] received packet: from *.*.*.*[4500] to 192.168.88.18[37418] (92 bytes)
Dec 23 12:04:23 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Dec 23 12:04:23 14[IKE] server requested EAP_MD5 authentication (id 0x01)
Dec 23 12:04:23 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
Dec 23 12:04:23 14[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (92 bytes)
Dec 23 12:04:24 15[NET] received packet: from *.*.*.* [4500] to 192.168.88.18[37418] (76 bytes)
Dec 23 12:04:24 15[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Dec 23 12:04:24 15[IKE] *received EAP_FAILURE, EAP authentication failed*
Dec 23 12:04:24 15[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Dec 23 12:04:24 15[NET] sending packet: from 192.168.88.18[37418] to *.*.*.* [4500] (76 bytes)



*SYSTEM INFORMATION:*

*uname -a*
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

*ipsec --version*

Linux strongSwan U5.2.1/K3.16.0-4-amd64

*ipsec listplugins | grep EAP*

    EAP_SERVER:ID
    EAP_CLIENT:ID
    EAP_SERVER:AKA
    EAP_CLIENT:AKA
    EAP_SERVER:MD5
    EAP_CLIENT:MD5
    EAP_SERVER:GTC
    EAP_CLIENT:GTC
    EAP_SERVER:MSCHAPV2
    EAP_CLIENT:MSCHAPV2
    EAP_SERVER:RAD
    EAP_SERVER:TLS
    EAP_CLIENT:TLS
    EAP_SERVER:TTLS
        EAP_SERVER:ID
    EAP_CLIENT:TTLS
        EAP_CLIENT:ID
    EAP_SERVER:TNC
        EAP_SERVER:TTLS
    EAP_CLIENT:TNC
        EAP_CLIENT:TTLS
    EAP_SERVER:PT
        EAP_SERVER:TTLS
    EAP_CLIENT:PT
        EAP_CLIENT:TTLS

*ipsec statusall*

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 2 days, since Dec 20 19:40:27 2016
  malloc: sbrk 2555904, mmap 0, used 421888, free 2134016
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  10.9.0.0/24: 254/0/0
Listening IP addresses:
  *.*.*.*
  *.*.*.*
Connections:
      client:  %any...%any  IKEv2, dpddelay=30s
      client:   local:  [*.*] uses public key authentication
      client:    cert:  "C=CA, O=Example, CN=*.*"
      client:   remote: uses EAP_RADIUS authentication with EAP identity '%any'
      client:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none


*Thank you!*
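The logs in the post above show two different checks against the same user store: the radtest run is a PAP request (User-Password sent in the clear to the RADIUS server) and is accepted, while the VPN client's exchange is EAP-MD5 and ends in EAP_FAILURE. EAP-MD5 is CHAP carried inside EAP (RFC 3748 section 5.4, RFC 1994 section 4.1): the authenticator must recompute MD5(Identifier || Secret || Challenge), so it needs the user's cleartext password on the server side, whereas with PAP the password itself is forwarded and a directory can verify it with a simple bind. The Python script below is an added example, not part of the post and not code from strongSwan or FreeRADIUS; it builds and verifies an EAP-MD5 exchange against two constructed user-store models (bind-only and cleartext-readable) to show that difference. The user "adam", the password, the store classes and the random challenge are constructed sample values.

```python
"""Added example: why a PAP check can pass while EAP-MD5 fails against the
same user store. EAP-MD5 is CHAP over EAP (RFC 3748 s5.4, RFC 1994 s4.1): the
server must recompute MD5(Identifier || Secret || Challenge), so it needs the
cleartext secret. PAP forwards the password, which a bind alone can check.
All users, passwords, store models and challenges here are constructed."""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """EAP packet: Code | Identifier | Length(2) | Type=4 | Value-Size | Value | Name."""
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(data)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + data


def parse_eap_md5(pkt: bytes):
    """Return (code, identifier, value, name); raise ValueError on malformed input."""
    if len(pkt) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("bad length or not an MD5-Challenge packet")
    size = pkt[5]
    value, name = pkt[6:6 + size], pkt[6 + size:]
    if len(value) != size:
        raise ValueError("truncated value")
    return code, identifier, value, name


class BindOnlyStore:
    """Constructed model of a directory that only answers bind (password check) requests."""
    def __init__(self, users):
        self._users = users

    def bind(self, user: str, password: bytes) -> bool:
        return self._users.get(user) == password

    def cleartext(self, user: str):
        return None  # the password is never readable from this store


class CleartextStore(BindOnlyStore):
    """Constructed model of a store from which the RADIUS side can read the password."""
    def cleartext(self, user: str):
        return self._users.get(user)


def authenticate_pap(store, user: str, password: bytes) -> bool:
    """PAP: the password arrives at the server and is checked with a bind."""
    return store.bind(user, password)


def authenticate_eap_md5(store, user, identifier, challenge, response_pkt) -> str:
    """Server-side EAP-MD5 check; returns 'EAP_SUCCESS' or 'EAP_FAILURE'."""
    secret = store.cleartext(user)
    if secret is None:
        return "EAP_FAILURE"  # without the cleartext secret the expected value cannot be computed
    try:
        code, rid, value, _name = parse_eap_md5(response_pkt)
    except ValueError:
        return "EAP_FAILURE"
    if code != EAP_RESPONSE or rid != identifier:
        return "EAP_FAILURE"
    expected = md5_challenge_value(identifier, secret, challenge)
    return "EAP_SUCCESS" if hmac.compare_digest(expected, value) else "EAP_FAILURE"


def run_exchange(store, user: str, client_password: bytes) -> dict:
    """Run one PAP check and one EAP-MD5 request/response against `store`."""
    identifier, challenge = 1, os.urandom(16)
    request = build_eap_md5(EAP_REQUEST, identifier, challenge, b"")
    _code, rid, chal, _ = parse_eap_md5(request)  # peer parses the server's request
    value = md5_challenge_value(rid, client_password, chal)
    response = build_eap_md5(EAP_RESPONSE, rid, value, user.encode())
    return {
        "pap": authenticate_pap(store, user, client_password),
        "eap_md5": authenticate_eap_md5(store, user, identifier, challenge, response),
    }


USERS = {"adam": b"password1234"}  # constructed sample credential

if __name__ == "__main__":
    print("bind-only store:", run_exchange(BindOnlyStore(USERS), "adam", b"password1234"))
    print("cleartext store:", run_exchange(CleartextStore(USERS), "adam", b"password1234"))
```

With the bind-only model the PAP check passes and the EAP-MD5 check fails even though the client used the right password; with the cleartext-readable model both pass. Whether that is the exact cause of the failure in the post is not something the logs alone establish, but it is the first thing to verify when a RADIUS/LDAP backend accepts radtest and rejects an EAP method that needs the cleartext password.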