"peer requested EAP, config inacceptable" with IKEv2 and EAP-RADIUS
-
I've set up ipsec according to the RADIUS-EAP guide on the wiki, but I keep getting this error: "charon: 05[IKE] <bypasslan|3> peer requested EAP, config inacceptable".
Our freeradius server is set up to accept PEAP-MSCHAPv2 requests, which successfully authenticates our wireless network users just fine. Do we need to enable a different protocol on the freeradius server?
-
Logs:
Log entries
Dec 16 11:51:20 charon: 16[NET] <bypasslan|1> sending packet: from 216.x.x.x[4500] to 215.x.x.x[61443] (68 bytes)
Dec 16 11:51:20 charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> no alternative config found
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
Dec 16 11:51:20 charon: 16[CFG] <1> looking for peer configs matching 216.x.x.x[ 216.x.x.x]... 215.x.x.x[192.168.125.2]
Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 16 11:51:20 charon: 16[NET] <1> received packet: from 215.x.x.x[61443] to 216.x.x.x[4500] (316 bytes)
Dec 16 11:51:20 charon: 16[NET] <1> sending packet: from 216.x.x.x[500] to 215.x.x.x[30930] (353 bytes)
Dec 16 11:51:20 charon: 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 16 11:51:20 charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-ec-ca, E=info@xxx.com"
Dec 16 11:51:20 charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-eap-ec-ca, E=info@xxx.com"
Dec 16 11:51:20 charon: 16[IKE] <1> remote host is behind NAT
Dec 16 11:51:20 charon: 16[IKE] <1> 215.x.x.x is initiating an IKE_SA
Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Any help much appreciated!
-
Anybody? :( The problem seems to be that it's constantly selecting the "bypass" configuration. I don't know what rules to put in "Outbound Nat", would that possibly be the problem?
-
That means something about the inbound request did not match your mobile P1 settings so it fell through to the LAN bypass.
-
Thanks. What has to match exactly?
-
Whatever parameters are set on P1 (identifiers, encryption, hash, etc.)
You can increase the logging a bit as shown here: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29
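One way to read the posted log against the two replies above, as an added example that is not code from pfSense, strongSwan, or anyone in this thread: a small Python script that groups charon entries by IKE_SA number, pulls out the local and remote identities charon was matching on (the `looking for peer configs matching <me>[<my id>]...<other>[<other id>]` line), records which peer config it finally selected, and flags SAs where that config rejected the peer's EAP request with no alternative config left to try. In the log above, the client identified itself as 192.168.125.2 (its private address behind NAT) and the only config that matched was `bypasslan`, which has no EAP, so the IKE_AUTH response carried AUTH_FAILED. Whatever the mobile P1 is set to accept as its peer identifier is therefore the first thing to compare against the `other_id` this script prints. The sample log is the thread's own, with addresses redacted as in the original; the flags are order-independent because pfSense shows entries newest-first.

```python
"""Triage strongSwan (charon) logs for 'peer requested EAP, config inacceptable'.

Added example for this thread; not part of pfSense or strongSwan.  It groups
entries by IKE_SA number, extracts the identities charon matched on and the
peer config it selected, and reports SAs where that config rejected EAP.
"""
import re
from collections import defaultdict

# Sample input: the log posted in this thread, one entry per line, in the
# order pfSense displays it (newest first).  Addresses are redacted as posted.
SAMPLE_LOG = """\
Dec 16 11:51:20 charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> no alternative config found
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
Dec 16 11:51:20 charon: 16[CFG] <1> looking for peer configs matching 216.x.x.x[ 216.x.x.x]... 215.x.x.x[192.168.125.2]
Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 16 11:51:20 charon: 16[IKE] <1> 215.x.x.x is initiating an IKE_SA
"""

# "charon: <thread>[<group>] <[conn|]sa> <message>"; conn is absent before a
# peer config has been selected for the SA.
ENTRY_RE = re.compile(
    r"charon: \d+\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
# "looking for peer configs matching <me>[<my id>]...<other>[<other id>]"
MATCHING_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>[^\s\[]+)\[\s*(?P<my_id>[^\]]*?)\s*\]\.\.\.\s*"
    r"(?P<other>[^\s\[]+)\[\s*(?P<other_id>[^\]]*?)\s*\]"
)
SELECTED_RE = re.compile(r"selected peer config '(?P<conn>[^']+)'")


def parse_sas(text):
    """Return {sa_number: facts} needed for a diagnosis; order-independent."""
    sas = defaultdict(lambda: {
        "selected": None, "me": None, "my_id": None,
        "other": None, "other_id": None,
        "eap_rejected": False, "no_alternative": False, "auth_failed": False,
    })
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # not a charon entry, or a format this script does not know
        sa = sas[int(m["sa"])]
        msg = m["msg"]
        mm = MATCHING_RE.search(msg)
        sm = SELECTED_RE.search(msg)
        if mm:
            sa.update(me=mm["me"], my_id=mm["my_id"],
                      other=mm["other"], other_id=mm["other_id"])
        elif sm:
            sa["selected"] = sm["conn"]
        elif "peer requested EAP, config inacceptable" in msg:
            sa["eap_rejected"] = True
        elif "no alternative config found" in msg:
            sa["no_alternative"] = True
        elif "N(AUTH_FAILED)" in msg:
            sa["auth_failed"] = True
    return dict(sas)


def diagnose(sas):
    """One finding per IKE_SA whose selected peer config rejected EAP."""
    findings = []
    for num, sa in sorted(sas.items()):
        if not sa["eap_rejected"]:
            continue
        if sa["no_alternative"]:
            tail = "no other config accepted these addresses/identities."
        else:
            tail = "charon may still have tried other configs."
        findings.append({
            "sa": num,
            "selected": sa["selected"],
            "local_id": sa["my_id"],
            "remote_id": sa["other_id"],
            "exhaustive": sa["no_alternative"],
            "auth_failed": sa["auth_failed"],
            "summary": (
                f"IKE_SA {num}: peer {sa['other']} presented IDi={sa['other_id']!r} "
                f"to IDr={sa['my_id']!r}; charon selected config {sa['selected']!r}, "
                f"which does not offer EAP, and {tail}"
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_sas(SAMPLE_LOG)):
        print(finding["summary"])
```

Run it against a larger log by replacing SAMPLE_LOG with the file contents; each finding names the config that won the match and the identities that led there, which is what has to be reconciled with the mobile P1 identifier settings.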
-
Got it thanks. I upped the logging on the "IKE Configuration" to RAW but it's still not telling me what's not matching…
-
Did you ever get a resolution to this problem?
-
@j@svg:
Logs:
Log entries
Dec 16 11:51:20 charon: 16[NET] <bypasslan|1> sending packet: from 216.x.x.x[4500] to 215.x.x.x[61443] (68 bytes)
Dec 16 11:51:20 charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> no alternative config found
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
Dec 16 11:51:20 charon: 16[CFG] <1> looking for peer configs matching 216.x.x.x[ 216.x.x.x]... 215.x.x.x[192.168.125.2]
Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 16 11:51:20 charon: 16[NET] <1> received packet: from 215.x.x.x[61443] to 216.x.x.x[4500] (316 bytes)
Dec 16 11:51:20 charon: 16[NET] <1> sending packet: from 216.x.x.x[500] to 215.x.x.x[30930] (353 bytes)
Dec 16 11:51:20 charon: 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Dec 16 11:51:20 charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-ec-ca, E=info@xxx.com"
Dec 16 11:51:20 charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-eap-ec-ca, E=info@xxx.com"
Dec 16 11:51:20 charon: 16[IKE] <1> remote host is behind NAT
Dec 16 11:51:20 charon: 16[IKE] <1> 215.x.x.x is initiating an IKE_SA
Dec 16 11:51:20 charon: 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Any help much appreciated!
I've encountered this before in my testing, although I can't remember specifically what I did for this particular condition.
Take a look at the Phase 1 and Phase 2 settings in this doc: https://forum.pfsense.org/index.php?topic=127457.0