[Openswan Users] IKEv2 + freeradius + LDAP
Aleksey Kravchenko
gmkrab at gmail.com
Fri Dec 23 05:12:01 EST 2016
Good day! Can you help?
I want to configure strongSwan IKEv2 with OpenLDAP authentication. Is it possible?
I configured freeradius + LDAP and tried radtest with the LDAP user adam; the test is OK:
*radtest adam password1234 myip 10 password1234*
Sent Access-Request Id 142 from 0.0.0.0:46701 to myip:1812 length 74
User-Name = "adam"
User-Password = "password1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 10
Message-Authenticator = 0x00
Cleartext-Password = "password1234"
Received *Access-Accept* Id 142 from myip:1812 to 0.0.0.0:0 length 20
*Log from radius server:*
radius_1 | Fri Dec 23 08:54:02 2016 : Info: rlm_ldap (ldap): Opening additional connection (38)
Log from ldap server:
585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128
585ce62a conn=1206 op=0 BIND dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0
585ce62a conn=1206 op=0 RESULT tag=97 err=0 text=
585ce62a conn=1206 op=1 MOD dn="uid=adam,dc=***,dc=***"
585ce62a conn=1206 op=1 MOD attr=description
585ce62a conn=1206 op=1 RESULT tag=103 err=0 text=
Then I connected the Android strongSwan client to the strongSwan server and received this response from LDAP:
radius log: radius_1 | Fri Dec 23 09:01:46 2016 : Info: rlm_ldap (ldap): Opening additional connection (42)
ldap log:
585ce821 conn=1211 fd=17 ACCEPT from IP=*.*.*.*:46089 (IP=0.0.0.0:389)
585ce821 conn=1211 op=0 BIND dn="cn=admin,dc=***,dc=***" method=128
585ce821 conn=1211 op=0 BIND dn="cn=dn="cn=admin,dc=***,dc=***" mech=SIMPLE ssf=0
585ce821 conn=1211 op=0 RESULT tag=97 err=0 text=
*Strongswan client log:*
Dec 23 12:04:23 12[NET] sending packet: from 192.168.88.18[37418] to *** [4500] (3612 bytes)
Dec 23 12:04:23 13[NET] received packet: from *** [4500] to 192.168.88.18[37418] (1196 bytes)
Dec 23 12:04:23 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 23 12:04:23 13[IKE] received end entity cert "C=CA, O=Example, CN=*.*"
Dec 23 12:04:23 13[CFG] using certificate "C=CA, O=Example, CN=*.*"
Dec 23 12:04:23 13[CFG] using trusted ca certificate "C=CA, O=Example, CN=ExampleCA"
Dec 23 12:04:23 13[CFG] reached self-signed root ca with a path length of 0
Dec 23 12:04:23 13[IKE] authentication of '*.*' with RSA signature successful
Dec 23 12:04:23 13[IKE] server requested EAP_IDENTITY (id 0x00), sending 'adam'
Dec 23 12:04:23 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 23 12:04:23 13[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (76 bytes)
Dec 23 12:04:23 14[NET] received packet: from *.*.*.*[4500] to 192.168.88.18[37418] (92 bytes)
Dec 23 12:04:23 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Dec 23 12:04:23 14[IKE] server requested EAP_MD5 authentication (id 0x01)
Dec 23 12:04:23 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
Dec 23 12:04:23 14[NET] sending packet: from 192.168.88.18[37418] to *.*.*.*[4500] (92 bytes)
Dec 23 12:04:24 15[NET] received packet: from *.*.*.* [4500] to 192.168.88.18[37418] (76 bytes)
Dec 23 12:04:24 15[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Dec 23 12:04:24 15[IKE] *received EAP_FAILURE, EAP authentication failed*
Dec 23 12:04:24 15[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Dec 23 12:04:24 15[NET] sending packet: from 192.168.88.18[37418] to *.*.*.* [4500] (76 bytes)
*SYSTEM INFORMATION:*
*uname -a*
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
*ipsec --version*
Linux strongSwan U5.2.1/K3.16.0-4-amd64
*ipsec listplugins | grep EAP*
EAP_SERVER:ID
EAP_CLIENT:ID
EAP_SERVER:AKA
EAP_CLIENT:AKA
EAP_SERVER:MD5
EAP_CLIENT:MD5
EAP_SERVER:GTC
EAP_CLIENT:GTC
EAP_SERVER:MSCHAPV2
EAP_CLIENT:MSCHAPV2
EAP_SERVER:RAD
EAP_SERVER:TLS
EAP_CLIENT:TLS
EAP_SERVER:TTLS
EAP_SERVER:ID
EAP_CLIENT:TTLS
EAP_CLIENT:ID
EAP_SERVER:TNC
EAP_SERVER:TTLS
EAP_CLIENT:TNC
EAP_CLIENT:TTLS
EAP_SERVER:PT
EAP_SERVER:TTLS
EAP_CLIENT:PT
EAP_CLIENT:TTLS
*ipsec statusall*
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
uptime: 2 days, since Dec 20 19:40:27 2016
malloc: sbrk 2555904, mmap 0, used 421888, free 2134016
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
10.9.0.0/24: 254/0/0
Listening IP addresses:
*.*.*.*
*.*.*.*
Connections:
client: %any...%any IKEv2, dpddelay=30s
client: local: [*.*] uses public key authentication
client: cert: "C=CA, O=Example, CN=*.*"
client: remote: uses EAP_RADIUS authentication with EAP identity '%any'
client: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
*Thank you!*
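The client log above shows where this connection dies: the gateway certificate is accepted, the client sends its EAP identity, the server picks EAP_MD5, and the next message is EAP_FAILURE. The following triage helper is an added example, not code from the poster or from strongSwan; it parses charon client log lines for exactly that sequence and reports the first thing to check. The sample log lines are constructed, and the success-message wording in RE_SUCCESS is assumed, since the post only shows the failure path.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines, modelled on the charon client log quoted above.
SAMPLE_LOG = """\
Dec 23 12:04:23 13[IKE] authentication of 'vpn.example.test' with RSA signature successful
Dec 23 12:04:23 13[IKE] server requested EAP_IDENTITY (id 0x00), sending 'adam'
Dec 23 12:04:23 14[IKE] server requested EAP_MD5 authentication (id 0x01)
Dec 23 12:04:24 15[IKE] received EAP_FAILURE, EAP authentication failed
"""

RE_SERVER_AUTH = re.compile(r"authentication of '[^']*' with \w+ signature successful")
RE_IDENTITY = re.compile(r"server requested EAP_IDENTITY .*sending '([^']*)'")
RE_METHOD = re.compile(r"server requested (EAP_[A-Z0-9]+) authentication")
RE_FAIL = re.compile(r"received EAP_FAILURE")
RE_SUCCESS = re.compile(r"EAP method \S+ succeeded|with EAP successful")  # assumed wording

@dataclass
class EapSummary:
    server_authenticated: bool = False  # client accepted the gateway's certificate/signature
    identity: Optional[str] = None      # EAP identity the client sent
    methods: List[str] = field(default_factory=list)  # EAP methods the server asked for
    outcome: str = "incomplete"         # "success", "failed" or "incomplete"

def summarise_eap(log_text: str) -> EapSummary:
    """Walk the client log once and record how the EAP leg of IKE_AUTH went."""
    s = EapSummary()
    for line in log_text.splitlines():
        if RE_SERVER_AUTH.search(line):
            s.server_authenticated = True
        elif (m := RE_IDENTITY.search(line)):
            s.identity = m.group(1)
        elif (m := RE_METHOD.search(line)):
            s.methods.append(m.group(1))
        elif RE_FAIL.search(line):
            s.outcome = "failed"
        elif RE_SUCCESS.search(line):
            s.outcome = "success"
    return s

def diagnose(s: EapSummary) -> str:
    """Turn the summary into the first thing an operator should check."""
    if not s.server_authenticated:
        return "client did not accept the gateway certificate; check the CA/cert chain first"
    if s.outcome == "failed" and s.methods == ["EAP_MD5"]:
        return ("server ran EAP_MD5 and rejected it; EAP-MD5 needs the RADIUS backend to know "
                "the user's cleartext password, so check the LDAP lookup and password attribute, "
                "or select another default EAP method on the RADIUS server")
    return f"EAP outcome: {s.outcome} after methods {s.methods}; check the RADIUS server log"
```

Run it against a real charon log by reading the file into `summarise_eap`; the EAP identity and method list tell you which RADIUS request to look for on the FreeRADIUS side.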