Netgate Discussion Forum

    "peer requested EAP, config inacceptable" with IKEv2 and EAP-RADIUS

    IPsec · 9 Posts, 4 Posters, 12.0k Views
    jsvg

      I've set up IPsec according to the RADIUS-EAP guide on the wiki, but I keep getting this error: "charon: 05[IKE] <bypasslan|3> peer requested EAP, config inacceptable".

      Our FreeRADIUS server is set up to accept PEAP-MSCHAPv2 requests, which successfully authenticates our wireless network users just fine. Do we need to enable a different protocol on the FreeRADIUS server?

      jsvg

        Logs:

        Dec 16 11:51:20	charon: 16[NET] <bypasslan|1> sending packet: from  216.x.x.x[4500] to  215.x.x.x[61443] (68 bytes)
        Dec 16 11:51:20	charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
        Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
        Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
        Dec 16 11:51:20	charon: 16[CFG] <bypasslan|1> no alternative config found
        Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
        Dec 16 11:51:20	charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
        Dec 16 11:51:20	charon: 16[CFG] <1> looking for peer configs matching  216.x.x.x[ 216.x.x.x]... 215.x.x.x[192.168.125.2]
        Dec 16 11:51:20	charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
        Dec 16 11:51:20	charon: 16[NET] <1> received packet: from  215.x.x.x[61443] to  216.x.x.x[4500] (316 bytes)
        Dec 16 11:51:20	charon: 16[NET] <1> sending packet: from  216.x.x.x[500] to  215.x.x.x[30930] (353 bytes)
        Dec 16 11:51:20	charon: 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
        Dec 16 11:51:20	charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-ec-ca, E=info@xxx.com"
        Dec 16 11:51:20	charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-eap-ec-ca, E=info@xxx.com"
        Dec 16 11:51:20	charon: 16[IKE] <1> remote host is behind NAT
        Dec 16 11:51:20	charon: 16[IKE] <1>  215.x.x.x is initiating an IKE_SA
        Dec 16 11:51:20	charon: 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

        Any help much appreciated!

        jsvg

          Anybody? :( The problem seems to be that it's constantly selecting the "bypass" configuration. I don't know what rules to put in "Outbound Nat", would that possibly be the problem?

          jimp (Rebel Alliance Developer, Netgate)

            That means something about the inbound request did not match your mobile P1 settings so it fell through to the LAN bypass.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            jsvg

              Thanks. What has to match exactly?

              jimp (Rebel Alliance Developer, Netgate)

                Whatever parameters are set on P1 (identifiers, encryption, hash, etc.).

                You can increase the logging a bit as shown here: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

                jsvg
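                jimp's answer above says the inbound request has to match the mobile P1's identifiers and proposals, and the thread's log shows the one line where charon states what it is trying to match ("looking for peer configs matching LOCAL[LOCAL-ID]... REMOTE[REMOTE-ID]") right before it settles on 'bypasslan'. The script below is an added example, not code from the thread, pfSense or strongSwan: it parses charon lines in the layout pfSense prints (newest entry first), groups them by IKE_SA number, pulls out the initiator, NAT status, the two identities charon matched on and the peer config it selected, and flags a negotiation that fell through to a bypass config with "peer requested EAP, config inacceptable". The sample log is constructed with RFC 5737 documentation addresses in place of the thread's masked ones; the bypass config name 'bypasslan' is taken from the thread.

```python
"""Reconstruct IKEv2 negotiations from strongSwan (charon) log lines as pfSense shows them.

Added example for the thread above; it assumes the charon line layout seen there:
    Dec 16 11:51:20<TAB>charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
where <N> or <config|N> names the IKE_SA the line belongs to.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon:\s+(?P<thread>\d+)\[(?P<group>\w+)\]\s+"
    r"(?:<(?P<tag>[^>]*)>\s+)?(?P<msg>.*)$"
)
# "looking for peer configs matching  A[ A-ID]... B[B-ID]" (charon pads the brackets with spaces)
MATCHING_RE = re.compile(
    r"looking for peer configs matching\s+(?P<laddr>\S+)\[\s*(?P<lid>[^\]]+?)\s*\]\.\.\."
    r"\s*(?P<raddr>\S+)\[\s*(?P<rid>[^\]]+?)\s*\]"
)
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")

# Constructed sample, newest first as pfSense displays it (addresses are documentation ranges).
SAMPLE_LOG = """\
Dec 16 11:51:20\tcharon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 16 11:51:20\tcharon: 16[CFG] <bypasslan|1> no alternative config found
Dec 16 11:51:20\tcharon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
Dec 16 11:51:20\tcharon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
Dec 16 11:51:20\tcharon: 16[CFG] <1> looking for peer configs matching  203.0.113.10[ 203.0.113.10]... 198.51.100.7[192.168.125.2]
Dec 16 11:51:20\tcharon: 16[IKE] <1> remote host is behind NAT
Dec 16 11:51:20\tcharon: 16[IKE] <1>  198.51.100.7 is initiating an IKE_SA
"""


def parse_line(line):
    """Split one charon log line into its fields; returns None for lines that are not charon's."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tag = rec.pop("tag") or ""
    if "|" in tag:
        rec["config"], rec["sa"] = tag.split("|", 1)   # config already chosen for this SA
    else:
        rec["config"], rec["sa"] = None, (tag or None)
    return rec


def reconstruct(lines, newest_first=True):
    """Group records by IKE_SA id and collect the facts that decide which peer config is chosen."""
    records = [r for r in map(parse_line, lines) if r]
    if newest_first:
        records.reverse()          # put the negotiation back into chronological order
    sas = OrderedDict()
    for r in records:
        if r["sa"] is None:
            continue
        sa = sas.setdefault(r["sa"], {
            "initiator": None, "behind_nat": False, "local_id": None, "remote_id": None,
            "selected_config": None, "eap_refused": False, "no_alternative": False,
            "auth_failed": False,
        })
        msg = r["msg"]
        if msg.endswith("is initiating an IKE_SA"):
            sa["initiator"] = msg.split()[0]
        elif msg == "remote host is behind NAT":
            sa["behind_nat"] = True
        elif (m := MATCHING_RE.search(msg)):
            sa["local_id"], sa["remote_id"] = m["lid"], m["rid"]
        elif (m := SELECTED_RE.search(msg)):
            sa["selected_config"] = m["name"]
        elif msg == "peer requested EAP, config inacceptable":
            sa["eap_refused"] = True
        elif msg == "no alternative config found":
            sa["no_alternative"] = True
        elif "N(AUTH_FAILED)" in msg:
            sa["auth_failed"] = True
    return sas


def diagnose(sa, bypass_names=("bypasslan",)):
    """One-line verdict for an IKE_SA: did a real P1 match, or did charon fall through to a bypass?"""
    if sa["selected_config"] in bypass_names and sa["eap_refused"]:
        return ("fell through to '%s': no peer config offering EAP matched local ID %r / remote ID %r; "
                "compare these IDs and the proposals with the mobile P1"
                % (sa["selected_config"], sa["local_id"], sa["remote_id"]))
    if sa["auth_failed"]:
        return "authentication failed after selecting '%s'" % sa["selected_config"]
    return "selected '%s'" % sa["selected_config"]


if __name__ == "__main__":
    for said, sa in reconstruct(SAMPLE_LOG.splitlines()).items():
        nat = " (behind NAT)" if sa["behind_nat"] else ""
        print("IKE_SA %s from %s%s: %s" % (said, sa["initiator"], nat, diagnose(sa)))
```

                On the thread's own log the same parse yields remote ID 192.168.125.2 (the client's private address, since the peer is behind NAT) against local ID 216.x.x.x, which is exactly the pair that has to line up with the mobile P1's "My identifier" / "Peer identifier" settings; feed the script a pfSense IPsec log export to see the identities and the chosen config for every IKE_SA at a glance.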

                  Got it thanks. I upped the logging on the "IKE Configuration" to RAW but it's still not telling me what's not matching…

                    pdwalker

                    Did you ever get a resolution to this problem?

                      gbitglenn

                      @jsvg:

                      Logs:

                      Dec 16 11:51:20	charon: 16[NET] <bypasslan|1> sending packet: from  216.x.x.x[4500] to  215.x.x.x[61443] (68 bytes)
                      Dec 16 11:51:20	charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
                      Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
                      Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
                      Dec 16 11:51:20	charon: 16[CFG] <bypasslan|1> no alternative config found
                      Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
                      Dec 16 11:51:20	charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
                      Dec 16 11:51:20	charon: 16[CFG] <1> looking for peer configs matching  216.x.x.x[ 216.x.x.x]... 215.x.x.x[192.168.125.2]
                      Dec 16 11:51:20	charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
                      Dec 16 11:51:20	charon: 16[NET] <1> received packet: from  215.x.x.x[61443] to  216.x.x.x[4500] (316 bytes)
                      Dec 16 11:51:20	charon: 16[NET] <1> sending packet: from  216.x.x.x[500] to  215.x.x.x[30930] (353 bytes)
                      Dec 16 11:51:20	charon: 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
                      Dec 16 11:51:20	charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-ec-ca, E=info@xxx.com"
                      Dec 16 11:51:20	charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-eap-ec-ca, E=info@xxx.com"
                      Dec 16 11:51:20	charon: 16[IKE] <1> remote host is behind NAT
                      Dec 16 11:51:20	charon: 16[IKE] <1>  215.x.x.x is initiating an IKE_SA
                      Dec 16 11:51:20	charon: 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

                      Any help much appreciated!

                      I've encountered this before in my testing although I can't remember specifically what I did for this particular condition.

                      Take a look at the Phase 1 and Phase 2 settings in this doc: https://forum.pfsense.org/index.php?topic=127457.0

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.