Oops, not quite. My real question is that there are some weird logs with user name "192.168.3.254" in the Radius accounting DB, so I went to check Charon's log and found these logs.

--
Kris

On Sat, Apr 6, 2013 at 11:30 PM, Andreas Steffen <[email protected]> wrote:

> Hmm, are you sure the client in question is sending an EAP identity?
> I just checked one of our example RADIUS scenarios
>
> http://www.strongswan.org/uml/testresults/ikev2/rw-eap-md5-id-radius/
>
> and I see that the gateway nevertheless logs the EAP Identity:
>
> 16[IKE] initiating EAP_IDENTITY method (id 0x00)
> 16[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
> 16[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
> 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1436 bytes)
>
> 05[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (76 bytes)
> 05[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> 05[IKE] received EAP identity 'carol'
> 05[CFG] sending RADIUS Access-Request to server '10.1.0.10'
> 05[CFG] received RADIUS Access-Challenge from server '10.1.0.10'
> 05[IKE] initiating EAP_MD5 method (id 0x01)
> 05[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (92 bytes)
>
> 04[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (92 bytes)
> 04[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MD5 ]
> 04[CFG] sending RADIUS Access-Request to server '10.1.0.10'
> 04[CFG] received RADIUS Access-Accept from server '10.1.0.10'
> 04[IKE] RADIUS authentication of 'carol' successful
> 04[IKE] EAP method EAP_MD5 succeeded, no MSK established
> 04[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
> 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (76 bytes)
>
> 03[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (92 bytes)
> 03[ENC] parsed IKE_AUTH request 4 [ AUTH ]
> 03[IKE] authentication of '[email protected]' with EAP successful
> 03[IKE] authentication of 'moon.strongswan.org' (myself) with EAP
> 03[IKE] IKE_SA rw-eap[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[[email protected]]
>
> Regards
>
> Andreas
>
> On 04/06/2013 05:07 PM, Kris wrote:
> > Hi, Andreas
> >
> > Thanks for your explanation. Because there're some logs with username
> > '192.168.3.254' in my Radius accounting DB, so I worry about it should
> > be the correct username, or not, user's traffic accounting may be not
> > accurate.
> >
> > --
> > Kris
> >
> >
> > On Sat, Apr 6, 2013 at 10:43 PM, Andreas Steffen <[email protected]> wrote:
> >
> >     Hi Kris,
> >
> >     192.168.3.254 is just the outer IKEv2 client identity and is
> >     equivalent to the client IP address in the local LAN behind
> >     the NAT router. The inner EAP identity is not visible in the gateway
> >     log because it is handled by the RADIUS server.
> >
> >     Don't worry!
> >
> >     Andreas
> >
> >     On 04/06/2013 04:08 PM, Kris wrote:
> > >
> > > I got weird log in Strongswan like:
> > >
> > > Apr 3 06:31:36 13[ENC] parsed IKE_AUTH request 6 [ AUTH ]
> > > Apr 3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP successful
> > > Apr 3 06:31:36 13[IKE] authentication of 'xx.com' (myself) with EAP
> > > Apr 3 06:31:36 13[IKE] IKE_SA win7[16115] established between 19.45.16.1[xx.com]...12.46.25.8[192.168.3.254]
> > >
> > > Apr 3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP successful
> > >
> > > How could this be possible? '192.168.3.254' isn't my Radius' user at all,
> > > how could it act like VPN username?
> > >
> > > I'm running 5.0.2dr4, is this a bug or my config mistake?
> > >
> > > conn win7
> > >     keyexchange=ikev2
> > >     left=%any
> > >     leftid=xx.com
> > >     leftsubnet=0.0.0.0/0
> > >     leftauth=pubkey
> > >     leftcert=gw.cer
> > >     right=%any
> > >     rightsendcert=never
> > >     rightauth=eap-radius
> > >     eap_identity=%identity
> > >     rightsourceip=%ippool
> > >     ikelifetime=48h
> > >     lifetime=48h
> > >     rekeymargin=9m
> > >     rekey=no
> > >     reauth=no
> > >     dpddelay=30
> > >     dpdtimeout=150
> > >     dpdaction=clear
> > >
> > > --
> > > Kris
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
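
An added example, not part of the thread and not strongSwan code: a Python sketch that reads charon log lines in the format quoted above and maps accounting user names that are really IP-literal outer IKEv2 identities back to the IKE_SA and peer address they came from. The sample log is constructed from the lines in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the charon log format quoted in the thread; the
# second session and its addresses are made up for contrast.
SAMPLE_LOG = """\
Apr  3 06:31:36 13[IKE] authentication of '192.168.3.254' with EAP successful
Apr  3 06:31:36 13[IKE] IKE_SA win7[16115] established between 19.45.16.1[xx.com]...12.46.25.8[192.168.3.254]
Apr  3 06:40:03 03[IKE] authentication of 'carol@example.org' with EAP successful
Apr  3 06:40:03 03[IKE] IKE_SA win7[16116] established between 19.45.16.1[xx.com]...12.46.25.9[carol@example.org]
"""

# "IKE_SA <conn>[<unique id>] established between <local>[<id>]...<peer>[<id>]"
ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<uid>\d+)\] established between "
    r"(?P<local>[^\[\s]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<peer>[^\[\s]+)\[(?P<peer_id>[^\]]*)\]"
)


def is_ip_literal(identity):
    """True if an identity string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def established_sessions(log_text):
    """One dict per 'IKE_SA ... established' line, with the peer's outer IKEv2 identity."""
    sessions = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            s = m.groupdict()
            s["ip_literal_id"] = is_ip_literal(s["peer_id"])
            sessions.append(s)
    return sessions


def explain_usernames(log_text, accounting_usernames):
    """Map accounting user names that are IP-literal IKEv2 identities to
    (peer address seen by the gateway, IKE_SA unique id) pairs found in the log."""
    hits = {}
    for s in established_sessions(log_text):
        if s["ip_literal_id"] and s["peer_id"] in accounting_usernames:
            hits.setdefault(s["peer_id"], []).append((s["peer"], s["uid"]))
    return hits
```

Running `explain_usernames` over the gateway log with the distinct user names from the accounting table shows which sessions were recorded under the client's private LAN address instead of a RADIUS user.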
