Hello All,
I'm testing strongSwan as a VPN gateway for a 3rd party VPN client.  PSK and 
certificate authentication work fine, but when testing EAP-TLS I get this 
error message on the strongSwan side, after the EAP authentication succeeds. 

Jul 10 16:42:11 debian-vm1-alexis charon: 14[ENC] payload of type AUTH more 
than 1 times (2) occurred in current message
Jul 10 16:42:11 debian-vm1-alexis charon: 14[IKE] message verification failed

See attachment for full logs.

Here is my strongSwan configuration:

# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn rw-eap-tls
        left=10.1.65.147
        leftid=o...@test.org
        leftsubnet=10.99.0.0/24
        leftcert=ocmCert.pem
        leftauth=pubkey
        leftfirewall=yes
        rightsourceip=172.22.0.0/24
        rightauth=eap-radius
        rightsendcert=never
        right=%any
        auto=add
        eap_identity=%identity

Do any of you know what this is about? 

What is strongSwan expecting at this point? Looking at the RFC [1], there should 
be a message type AUTH (message 7). 

I can enable more logging if needed.

Thanks.
Alexis.



[1] : https://tools.ietf.org/html/rfc7296#section-2.16


~# tail -f /var/log/daemon.log
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[500]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:10 debian-vm1-alexis charon: 03[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[500] (460 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] parsed IKE_SA_INIT request 0 
[ SA KE No N(NATD_D_IP) N(NATD_S_IP) V V V V ]
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: 
eb:4c:1b:78:8a:fd:4a:9c:b7:73:0a:68:d5:6d:08:8b
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: 
c6:1b:ac:a1:f1:a6:0c:c1:08:00:00:00:00:00:00:00
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: 
cb:e7:94:44:a0:87:0d:e4:22:4a:2c:15:1f:bf:e0:99
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] received unknown vendor ID: 
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:c0:00:00:00
Jul 10 16:42:10 debian-vm1-alexis charon: 03[IKE] 10.1.65.126 is initiating an 
IKE_SA
Jul 10 16:42:10 debian-vm1-alexis charon: 03[IKE] IKE_SA (unnamed)[20] state 
change: CREATED => CONNECTING
Jul 10 16:42:10 debian-vm1-alexis charon: 03[IKE] remote host is behind NAT
Jul 10 16:42:10 debian-vm1-alexis charon: 03[ENC] generating IKE_SA_INIT 
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 10 16:42:10 debian-vm1-alexis charon: 03[NET] sending packet: from 
10.1.65.147[500] to 10.1.65.126[49300] (376 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[500] to 10.1.65.126[49300]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:10 debian-vm1-alexis charon: 12[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (1264 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20002)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20006)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20007)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20003)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20004)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] unknown attribute type (20005)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] parsed IKE_AUTH request 1 [ V 
IDi CERT N(INIT_CONTACT) N(HTTP_CERT_LOOK) CERTREQ CPRQ(ADDR MASK DNS NBNS 
(20002) VER U_BANNER U_SAVEPWD U_DEFDOM (20006) (20007) U_SPLITDNS U_SPLITINC 
U_NATTPORT U_LOCALLAN U_PFS U_FWTYPE U_BKPSRV (20003) (20004) U_DDNSHOST 
(20005) U_DDNSHOST) SA No TSi TSr V N(MOBIKE_SUP) ]
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] received end entity cert 
"C=CA, O=Test, CN=Client"
Jul 10 16:42:10 debian-vm1-alexis charon: 12[CFG] looking for peer configs 
matching 10.1.65.147[%any]...10.1.65.126[172.22.0.101]
Jul 10 16:42:10 debian-vm1-alexis charon: 12[CFG] selected peer config 
'rw-eap-tls'
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] initiating EAP_IDENTITY 
method (id 0x00)
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
INTERNAL_IP4_ADDRESS attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
INTERNAL_IP4_NETMASK attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing INTERNAL_IP4_DNS 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing INTERNAL_IP4_NBNS 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing (20002) attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
APPLICATION_VERSION attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing UNITY_BANNER 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing UNITY_SAVE_PASSWD 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing UNITY_DEF_DOMAIN 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing (20006) attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing (20007) attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
UNITY_SPLITDNS_NAME attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
UNITY_SPLIT_INCLUDE attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing UNITY_NATT_PORT 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing UNITY_LOCAL_LAN 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing UNITY_PFS attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing UNITY_FW_TYPE 
attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
UNITY_BACKUP_SERVERS attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing (20003) attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing (20004) attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
UNITY_DDNS_HOSTNAME attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing (20005) attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] processing 
UNITY_DDNS_HOSTNAME attribute
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] peer supports MOBIKE
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] authentication of 
'o...@test.org' (myself) with RSA signature successful
Jul 10 16:42:10 debian-vm1-alexis charon: 12[IKE] sending end entity cert 
"C=CA, O=Test, CN=oCM"
Jul 10 16:42:10 debian-vm1-alexis charon: 12[ENC] generating IKE_AUTH response 
1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 10 16:42:10 debian-vm1-alexis charon: 12[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (1200 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:10 debian-vm1-alexis charon: 11[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (112 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 11[ENC] parsed IKE_AUTH request 2 [ 
EAP/RES/ID ]
Jul 10 16:42:10 debian-vm1-alexis charon: 11[IKE] received EAP identity 
'cli...@test.org'
Jul 10 16:42:10 debian-vm1-alexis charon: 11[CFG] sending RADIUS Access-Request 
to server '10.1.65.50'
Jul 10 16:42:10 debian-vm1-alexis charon: 11[CFG] received RADIUS 
Access-Challenge from server '10.1.65.50'
Jul 10 16:42:10 debian-vm1-alexis charon: 11[IKE] initiating EAP_TLS method (id 
0x01)
Jul 10 16:42:10 debian-vm1-alexis charon: 11[ENC] generating IKE_AUTH response 
2 [ EAP/REQ/TLS ]
Jul 10 16:42:10 debian-vm1-alexis charon: 11[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (80 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:10 debian-vm1-alexis charon: 13[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (144 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 13[ENC] parsed IKE_AUTH request 3 [ 
EAP/RES/TLS ]
Jul 10 16:42:10 debian-vm1-alexis charon: 13[CFG] sending RADIUS Access-Request 
to server '10.1.65.50'
Jul 10 16:42:10 debian-vm1-alexis charon: 13[CFG] received RADIUS 
Access-Challenge from server '10.1.65.50'
Jul 10 16:42:10 debian-vm1-alexis charon: 13[ENC] generating IKE_AUTH response 
3 [ EAP/REQ/TLS ]
Jul 10 16:42:10 debian-vm1-alexis charon: 13[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (1104 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:10 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:10 debian-vm1-alexis charon: 05[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (80 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 05[ENC] parsed IKE_AUTH request 4 [ 
EAP/RES/TLS ]
Jul 10 16:42:10 debian-vm1-alexis charon: 05[CFG] sending RADIUS Access-Request 
to server '10.1.65.50'
Jul 10 16:42:10 debian-vm1-alexis charon: 05[CFG] received RADIUS 
Access-Challenge from server '10.1.65.50'
Jul 10 16:42:10 debian-vm1-alexis charon: 05[ENC] generating IKE_AUTH response 
4 [ EAP/REQ/TLS ]
Jul 10 16:42:10 debian-vm1-alexis charon: 05[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (880 bytes)
Jul 10 16:42:10 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:11 debian-vm1-alexis charon: 02[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (1376 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 02[ENC] parsed IKE_AUTH request 5 [ 
EAP/RES/TLS ]
Jul 10 16:42:11 debian-vm1-alexis charon: 02[CFG] sending RADIUS Access-Request 
to server '10.1.65.50'
Jul 10 16:42:11 debian-vm1-alexis charon: 02[CFG] received RADIUS 
Access-Challenge from server '10.1.65.50'
Jul 10 16:42:11 debian-vm1-alexis charon: 02[ENC] generating IKE_AUTH response 
5 [ EAP/REQ/TLS ]
Jul 10 16:42:11 debian-vm1-alexis charon: 02[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (80 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:11 debian-vm1-alexis charon: 16[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (224 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 16[ENC] parsed IKE_AUTH request 6 [ 
EAP/RES/TLS ]
Jul 10 16:42:11 debian-vm1-alexis charon: 16[CFG] sending RADIUS Access-Request 
to server '10.1.65.50'
Jul 10 16:42:11 debian-vm1-alexis charon: 16[CFG] received RADIUS 
Access-Challenge from server '10.1.65.50'
Jul 10 16:42:11 debian-vm1-alexis charon: 16[ENC] generating IKE_AUTH response 
6 [ EAP/REQ/TLS ]
Jul 10 16:42:11 debian-vm1-alexis charon: 16[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (144 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:11 debian-vm1-alexis charon: 15[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (80 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 15[ENC] parsed IKE_AUTH request 7 [ 
EAP/RES/TLS ]
Jul 10 16:42:11 debian-vm1-alexis charon: 15[CFG] sending RADIUS Access-Request 
to server '10.1.65.50'
Jul 10 16:42:11 debian-vm1-alexis charon: 15[CFG] received RADIUS Access-Accept 
from server '10.1.65.50'
Jul 10 16:42:11 debian-vm1-alexis charon: 15[IKE] RADIUS authentication of 
'cli...@test.org' successful
Jul 10 16:42:11 debian-vm1-alexis charon: 15[IKE] EAP method EAP_TLS succeeded, 
MSK established
Jul 10 16:42:11 debian-vm1-alexis charon: 15[ENC] generating IKE_AUTH response 
7 [ EAP/SUCC ]
Jul 10 16:42:11 debian-vm1-alexis charon: 15[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (80 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:11 debian-vm1-alexis charon: 14[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (384 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 14[ENC] payload of type AUTH more 
than 1 times (2) occurred in current message
Jul 10 16:42:11 debian-vm1-alexis charon: 14[IKE] message verification failed
Jul 10 16:42:11 debian-vm1-alexis charon: 14[ENC] generating IKE_AUTH response 
8 [ N(INVAL_SYN) ]
Jul 10 16:42:11 debian-vm1-alexis charon: 14[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (80 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 14[IKE] IKE_AUTH request with message 
ID 8 processing failed
Jul 10 16:42:11 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500]
Jul 10 16:42:11 debian-vm1-alexis charon: 09[NET] waiting for data on sockets
Jul 10 16:42:11 debian-vm1-alexis charon: 01[NET] received packet: from 
10.1.65.126[49300] to 10.1.65.147[4500] (80 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 01[ENC] parsed INFORMATIONAL request 
9 [ D ]
Jul 10 16:42:11 debian-vm1-alexis charon: 01[IKE] AUTH payload missing
Jul 10 16:42:11 debian-vm1-alexis charon: 01[ENC] generating INFORMATIONAL 
response 9 [ N(AUTH_FAILED) ]
Jul 10 16:42:11 debian-vm1-alexis charon: 01[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300] (80 bytes)
Jul 10 16:42:11 debian-vm1-alexis charon: 01[IKE] IKE_SA rw-eap-tls[20] state 
change: CONNECTING => DESTROYING
Jul 10 16:42:11 debian-vm1-alexis charon: 10[NET] sending packet: from 
10.1.65.147[4500] to 10.1.65.126[49300]
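As an added illustration (not code from this post or from strongSwan itself), the following Python walker over the IKEv2 generic payload chain applies the RFC 7296 section 2.16 rule for the final IKE_AUTH request of an EAP exchange (HDR, SK {AUTH}: exactly one AUTH payload) and reproduces the "more than 1 times (2)" complaint seen in the log when a constructed message carries two AUTH payloads. The rule table is a simplified stand-in for charon's message rules, and the AUTH body bytes are constructed dummy data.

```python
import struct
NO_NEXT_PAYLOAD, AUTH, EAP = 0, 39, 48  # RFC 7296 section 3.2 payload types; 0 ends the chain
PAYLOAD_NAMES = {AUTH: "AUTH", EAP: "EAP"}
FINAL_EAP_AUTH_REQUEST = {AUTH: (1, 1)}  # RFC 7296 2.16 message 7 is HDR, SK {AUTH}: one AUTH

def build_chain(payloads):
    """Encode (type, body) pairs as chained generic payloads; returns (first type, bytes)."""
    out = bytearray()
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        # Next Payload | critical bit + reserved | Payload Length (header included)
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else NO_NEXT_PAYLOAD), bytes(out)

def parse_chain(first_type, data):
    """Walk the Next Payload chain; returns [(type, body)], raises ValueError on bad lengths."""
    payloads, ptype, off = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        next_type, _flags, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        payloads.append((ptype, data[off + 4:off + length]))
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))
    return payloads

def verify_multiplicity(payloads, rules):
    """Check payload counts against (min, max) rules, as charon's message rules do; returns problems."""
    counts = {}
    for ptype, _ in payloads:
        counts[ptype] = counts.get(ptype, 0) + 1
    problems = []
    for ptype, (lo, hi) in rules.items():
        n, name = counts.get(ptype, 0), PAYLOAD_NAMES.get(ptype, str(ptype))
        if n > hi:
            problems.append("payload of type %s more than %d times (%d) occurred" % (name, hi, n))
        elif n < lo:
            problems.append("%s payload missing" % name)
    return problems

def check_final_eap_request(n_auth):
    """Build decrypted SK contents carrying n_auth AUTH payloads and apply the section 2.16 rule."""
    # Constructed AUTH body: Auth Method 2 (shared key MIC, as after EAP), 3 reserved bytes, dummy data
    body = b"\x02\x00\x00\x00" + b"\xaa" * 32
    first, blob = build_chain([(AUTH, body)] * n_auth)
    return verify_multiplicity(parse_chain(first, blob), FINAL_EAP_AUTH_REQUEST)
```

Running check_final_eap_request(2) yields the same complaint as request 8 in the log, while check_final_eap_request(1) passes.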