Configure Linux Mint vpn client to use radius for authentication.

mmangiante · Sep 19, 2018, 1:43 PM

Hello,

I setup an IPsec Remote Access Mobile VPN with ike2 following the documents:

Configuring an IPsec Remote Access Mobile VPN using IKEv2 with EAP-MSCHAPv2
IKEv2 with EAP-RADIUS

The setup is successfull because I can connect one of Windows 10 device in vpn; I tried to connect a Linux Mint 18 client without success.
I followed in the first link the "Ubuntu-based Client Setup" guide but have no working connection: I supposed that the problem was the value in the "Authentication" field so I give an:

sudo apt-get install strongswan-plugin-eap-radius

but found that in the Network Manager the options doesn't changed from "eap" to for example "eap-radius".

The question is: how to say to Network Manager vpn configuration dialog to use radius for the authentication? Is this the problem?
I copy here the log:

Sep 18 17:46:18 nb-mint NetworkManager[818]: <info> [1537285578.6859] audit: op="connection-activate" uuid="58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c" name="VPN_IPSEC" pid=10483 uid=1000 result="success"
Sep 18 17:46:18 nb-mint NetworkManager[818]: <info> [1537285578.6937] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: Saw the service appear; activating connection
Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.0746] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN connection: (ConnectInteractive) reply received
Sep 18 17:46:19 nb-mint charon-nm: 05[CFG] received initiate for NetworkManager connection VPN_IPSEC
Sep 18 17:46:19 nb-mint charon-nm: 05[CFG] using gateway certificate, identity 'C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114'
Sep 18 17:46:19 nb-mint charon-nm: 05[IKE] initiating IKE_SA VPN_IPSEC[5] to 93.145.101.114
Sep 18 17:46:19 nb-mint charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sep 18 17:46:19 nb-mint charon-nm: 05[NET] sending packet: from 192.168.43.166[52269] to 93.145.101.114[500] (852 bytes)
Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.1216] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: state changed: starting (3)
Sep 18 17:46:19 nb-mint charon-nm: 15[NET] received packet: from 93.145.101.114[500] to 192.168.43.166[52269] (38 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 18 17:46:19 nb-mint charon-nm: 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Sep 18 17:46:19 nb-mint charon-nm: 15[IKE] initiating IKE_SA VPN_IPSEC[5] to 93.145.101.114
Sep 18 17:46:19 nb-mint charon-nm: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sep 18 17:46:19 nb-mint charon-nm: 15[NET] sending packet: from 192.168.43.166[52269] to 93.145.101.114[500] (724 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 07[NET] received packet: from 93.145.101.114[500] to 192.168.43.166[52269] (353 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sep 18 17:46:19 nb-mint charon-nm: 07[IKE] local host is behind NAT, sending keep alives
Sep 18 17:46:19 nb-mint charon-nm: 07[IKE] received 1 cert requests for an unknown ca
Sep 18 17:46:19 nb-mint charon-nm: 07[IKE] establishing CHILD_SA VPN_IPSEC
Sep 18 17:46:19 nb-mint charon-nm: 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 18 17:46:19 nb-mint charon-nm: 07[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (448 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 08[NET] received packet: from 93.145.101.114[4500] to 192.168.43.166[4500] (1760 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 08[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 18 17:46:19 nb-mint charon-nm: 08[IKE] received end entity cert "C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114"
Sep 18 17:46:19 nb-mint charon-nm: 08[CFG] no issuer certificate found for "C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114"
Sep 18 17:46:19 nb-mint charon-nm: 08[CFG] using trusted certificate "C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114"
Sep 18 17:46:19 nb-mint charon-nm: 08[IKE] authentication of 'C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114' with RSA_EMSA_PKCS1_SHA256 successful
Sep 18 17:46:19 nb-mint charon-nm: 08[IKE] server requested EAP_IDENTITY (id 0x00), sending 'IMN\mmangiante'
Sep 18 17:46:19 nb-mint charon-nm: 08[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 18 17:46:19 nb-mint charon-nm: 08[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (96 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 10[NET] received packet: from 93.145.101.114[4500] to 192.168.43.166[4500] (112 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 18 17:46:19 nb-mint charon-nm: 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Sep 18 17:46:19 nb-mint charon-nm: 10[IKE] EAP method not supported, sending EAP_NAK
Sep 18 17:46:19 nb-mint charon-nm: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/NAK ]
Sep 18 17:46:19 nb-mint charon-nm: 10[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (80 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 09[NET] received packet: from 93.145.101.114[4500] to 192.168.43.166[4500] (80 bytes)
Sep 18 17:46:19 nb-mint charon-nm: 09[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
Sep 18 17:46:19 nb-mint charon-nm: 09[IKE] received EAP_FAILURE, EAP authentication failed
Sep 18 17:46:19 nb-mint charon-nm: 09[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Sep 18 17:46:19 nb-mint charon-nm: 09[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (80 bytes)
Sep 18 17:46:19 nb-mint NetworkManager[818]: <warn> [1537285579.6265] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: failed: connect-failed (1)
Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.6268] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: state changed: stopped (6)
Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.6288] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: state change reason: unknown (0)

--
Thanks,

Marco

mmangiante · Sep 20, 2018, 3:54 PM

Finally I have resolved with the installation of various packages:

network-manager-strongswan (I have to download and install the 1.4 version because the stock package, 1.3, has a bug)
strongswan-plugin-eap-mschapv2
strongswan-plugin-eap-radius
strongswan-starter
libcharon-standard-plugins
libcharon-extra-plugins
libstrongswan-standard-plugins
libstrongswan-extra-plugins

Remember to restart the client before try the connection.

Marco