[Swan] Problem with ike2/radius

Yevgeny Kosarzhevsky phaoost at gmail.com
Sun Nov 24 19:10:46 UTC 2019


Hello,

I am trying to set up an ikev2 connection with no luck.
I see in the radius logs that authentication is successful and the radius reply
contains a valid Framed-IP-Address; however, it seems I don't have the
appropriate option to use it in ipsec.conf.

Can someone point me to where the issue is and how to make
libreswan assign the Framed-IP-Address to the remote peer endpoint?

My config:

conn ikev2-cp
  left=1.1.1.1
  leftcert=1.1.1.1
  leftid=@1.1.1.1
  leftsendcert=always
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightca=%same
  rightrsasigkey=%cert
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  encapsulation=yes
  mobike=no
  pfs=no
  ike-frag=yes
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  pam-authorize=yes

Logs:

Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
processing IKE_SA_INIT request: SA,KE,Ni,N,N (message arrived 0
seconds ago)
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2:
constructed local IKE proposals for ikev2-cp (IKE SA responder
matching remote proposals):
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
5:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
proposal 4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
chosen from remote proposals
1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024
3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024
4:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024[first-match]
5:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
6:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256
group=MODP1024}
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
processing encrypted IKE_AUTH request: SK (message arrived 0 seconds
ago)
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
processing decrypted IKE_AUTH request:
SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr}
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: loading
root certificate cache
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
certificate verified OK: O=myorg,CN=mycli
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: IKEv2
mode peer ID is ID_DER_ASN1_DN: 'CN=mycli, O=myorg'
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
Authenticated using RSA
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: IKEv2:
[XAUTH]PAM method requested to authorize 'CN=mycli, O=myorg'
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: Got user name
CN=mycli, O=myorg
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: ignore
last_pass, force_prompt set
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: Sending RADIUS
request code 1
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned 0x7f278eae02e0.
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: Got RADIUS response code 2
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: authentication succeeded
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: PAM:
#1: completed for user 'CN=mycli, O=myorg' with status SUCCESSS
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #2:
deleting other state #2 (STATE_UNDEFINED) aged 0.000s and NOT sending
notification
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
responding to IKE_AUTH message (ID 1) from 2.2.2.2:4500 with encrypted
notification TS_UNACCEPTABLE
Nov 24 16:32:56 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
deleting incomplete state after 200.000 seconds
Nov 24 16:32:56 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
deleting state (STATE_PARENT_R2) aged 200.200s and sending
notification
Nov 24 16:32:56 myhost pluto[10826]: deleting connection "ikev2-cp"[1]
2.2.2.2 instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}


-- 
Regards,
Yevgeny
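The pluto log above is wrapped by the mailer, and the interesting facts (which DH group was chosen, that RSA and PAM/RADIUS both succeeded, that the client sent a CP payload, and that the exchange still ended with TS_UNACCEPTABLE) are spread over several records. The following script is an added example, not code from the post or from the libreswan project: it rejoins the wrapped lines, groups events per IKE SA, and lists the observations a defender would want before replying. The log and conn excerpts embedded in it are constructed copies of the ones in the post; the check for `rightaddresspool=` assumes that this is the conn option to examine when a CP client expects an address, and is a thing to verify rather than the answer to the question.

```python
"""Triage a mail-wrapped libreswan pluto log excerpt plus its ipsec.conf conn."""
import re
from dataclasses import dataclass, field

# Constructed sample: pluto records from the post, still wrapped the way they
# arrived in the mail (continuation lines carry no timestamp).
SAMPLE_LOG = """\
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
proposal 4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
chosen from remote proposals
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
processing decrypted IKE_AUTH request:
SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr}
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: IKEv2
mode peer ID is ID_DER_ASN1_DN: 'CN=mycli, O=myorg'
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
Authenticated using RSA
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: authentication succeeded
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: PAM:
#1: completed for user 'CN=mycli, O=myorg' with status SUCCESSS
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1:
responding to IKE_AUTH message (ID 1) from 2.2.2.2:4500 with encrypted
notification TS_UNACCEPTABLE
"""
# Constructed sample: the conn from the post, cut down to the lines the check reads.
SAMPLE_CONF = """\
conn ikev2-cp
  left=1.1.1.1
  right=%any
  rightid=%fromcert
  ikev2=insist
  pam-authorize=yes
"""
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$")
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<body>.*)$')
WEAK_DH = {"MODP768", "MODP1024"}   # 1024-bit MODP is below current guidance


@dataclass
class SaSummary:
    conn: str
    peer: str
    peer_id: str = ""
    dh_group: str = ""
    auth_method: str = ""
    ike_auth_payloads: list = field(default_factory=list)
    pam_status: str = ""
    final_notification: str = ""

    @property
    def cp_requested(self) -> bool:
        """True if the client carried a Configuration Payload in IKE_AUTH."""
        return "CP" in self.ike_auth_payloads


def rejoin(text: str) -> list:
    """Merge wrapped continuation lines back into single pluto records."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def summarise(log_text: str) -> dict:
    """Return {sa_number: SaSummary} built from the rejoined records."""
    sas = {}
    for rec in rejoin(log_text):
        m = TS_RE.match(rec)
        s = SA_RE.match(m.group("msg")) if m else None
        if not s:                      # pam_radius_auth and connection-level lines
            continue
        sa = sas.setdefault(s.group("sa"), SaSummary(s.group("conn"), s.group("peer")))
        body = s.group("body")
        if (x := re.search(r"^proposal \S*DH=(\w+) chosen from remote", body)):
            sa.dh_group = x.group(1)
        elif (x := re.search(r"IKE_AUTH request: SK\{([^}]*)\}", body)):
            sa.ike_auth_payloads = x.group(1).split(",")
        elif (x := re.search(r"peer ID is \w+: '([^']*)'", body)):
            sa.peer_id = x.group(1)
        elif (x := re.search(r"^Authenticated using (\w+)", body)):
            sa.auth_method = x.group(1)
        elif (x := re.search(r"completed for user '[^']*' with status (\w+)", body)):
            sa.pam_status = x.group(1)
        elif (x := re.search(r"with encrypted notification (\w+)", body)):
            sa.final_notification = x.group(1)
    return sas


def conn_options(conf_text: str) -> dict:
    """Parse one ipsec.conf conn block into {option: value}."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def findings(sa: SaSummary, opts: dict) -> list:
    """Observations a defender would want from this exchange, in plain words."""
    out = []
    if sa.dh_group in WEAK_DH:
        out.append(f"IKE SA settled on {sa.dh_group}; check whether the peer can use a 2048-bit or larger group")
    if sa.pam_status.startswith("SUCCESS") and sa.final_notification:
        out.append(f"{sa.auth_method} auth and PAM/RADIUS succeeded, yet the exchange ended with "
                   f"{sa.final_notification}: the failure is after authentication")
    if sa.cp_requested and sa.final_notification == "TS_UNACCEPTABLE":
        out.append("client requested a CP address and the responder rejected the traffic selectors")
    # Assumption: rightaddresspool= is the conn option to examine when CP clients expect an address.
    if sa.cp_requested and "rightaddresspool" not in opts:
        out.append(f"conn {sa.conn} defines no rightaddresspool=")
    return out


if __name__ == "__main__":
    opts = conn_options(SAMPLE_CONF)
    for num, sa in summarise(SAMPLE_LOG).items():
        print(f"SA #{num} {sa.conn} peer={sa.peer} id={sa.peer_id!r}")
        for item in findings(sa, opts):
            print("  -", item)
```

Run it against a real `/var/log/secure` excerpt by replacing the sample strings; the rejoin step is what makes the per-SA grouping work on logs pasted into mail or tickets.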