Netgate Discussion Forum
    Configure Linux Mint vpn client to use radius for authentication.

      mmangiante

      Hello,

      I set up an IPsec Remote Access Mobile VPN with IKEv2 following these documents:

      Configuring an IPsec Remote Access Mobile VPN using IKEv2 with EAP-MSCHAPv2
      IKEv2 with EAP-RADIUS

      The setup is successful because I can connect one of the Windows 10 devices to the VPN; I tried to connect a Linux Mint 18 client without success.
      I followed the "Ubuntu-based Client Setup" guide in the first link but have no working connection. I supposed that the problem was the value in the "Authentication" field, so I ran:

      sudo apt-get install strongswan-plugin-eap-radius
      

      but found that in Network Manager the options didn't change from "eap" to, for example, "eap-radius".

      The question is: how do I tell the Network Manager VPN configuration dialog to use RADIUS for authentication? Is this the problem?
      I copy the log here:

      Sep 18 17:46:18 nb-mint NetworkManager[818]: <info> [1537285578.6859] audit: op="connection-activate" uuid="58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c" name="VPN_IPSEC" pid=10483 uid=1000 result="success"
      Sep 18 17:46:18 nb-mint NetworkManager[818]: <info> [1537285578.6937] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: Saw the service appear; activating connection
      Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.0746] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN connection: (ConnectInteractive) reply received
      Sep 18 17:46:19 nb-mint charon-nm: 05[CFG] received initiate for NetworkManager connection VPN_IPSEC
      Sep 18 17:46:19 nb-mint charon-nm: 05[CFG] using gateway certificate, identity 'C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114'
      Sep 18 17:46:19 nb-mint charon-nm: 05[IKE] initiating IKE_SA VPN_IPSEC[5] to 93.145.101.114
      Sep 18 17:46:19 nb-mint charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
      Sep 18 17:46:19 nb-mint charon-nm: 05[NET] sending packet: from 192.168.43.166[52269] to 93.145.101.114[500] (852 bytes)
      Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.1216] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: state changed: starting (3)
      Sep 18 17:46:19 nb-mint charon-nm: 15[NET] received packet: from 93.145.101.114[500] to 192.168.43.166[52269] (38 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
      Sep 18 17:46:19 nb-mint charon-nm: 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
      Sep 18 17:46:19 nb-mint charon-nm: 15[IKE] initiating IKE_SA VPN_IPSEC[5] to 93.145.101.114
      Sep 18 17:46:19 nb-mint charon-nm: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
      Sep 18 17:46:19 nb-mint charon-nm: 15[NET] sending packet: from 192.168.43.166[52269] to 93.145.101.114[500] (724 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 07[NET] received packet: from 93.145.101.114[500] to 192.168.43.166[52269] (353 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
      Sep 18 17:46:19 nb-mint charon-nm: 07[IKE] local host is behind NAT, sending keep alives
      Sep 18 17:46:19 nb-mint charon-nm: 07[IKE] received 1 cert requests for an unknown ca
      Sep 18 17:46:19 nb-mint charon-nm: 07[IKE] establishing CHILD_SA VPN_IPSEC
      Sep 18 17:46:19 nb-mint charon-nm: 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
      Sep 18 17:46:19 nb-mint charon-nm: 07[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (448 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 08[NET] received packet: from 93.145.101.114[4500] to 192.168.43.166[4500] (1760 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 08[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
      Sep 18 17:46:19 nb-mint charon-nm: 08[IKE] received end entity cert "C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114"
      Sep 18 17:46:19 nb-mint charon-nm: 08[CFG] no issuer certificate found for "C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114"
      Sep 18 17:46:19 nb-mint charon-nm: 08[CFG] using trusted certificate "C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114"
      Sep 18 17:46:19 nb-mint charon-nm: 08[IKE] authentication of 'C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114' with RSA_EMSA_PKCS1_SHA256 successful
      Sep 18 17:46:19 nb-mint charon-nm: 08[IKE] server requested EAP_IDENTITY (id 0x00), sending 'IMN\mmangiante'
      Sep 18 17:46:19 nb-mint charon-nm: 08[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
      Sep 18 17:46:19 nb-mint charon-nm: 08[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (96 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 10[NET] received packet: from 93.145.101.114[4500] to 192.168.43.166[4500] (112 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
      Sep 18 17:46:19 nb-mint charon-nm: 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
      Sep 18 17:46:19 nb-mint charon-nm: 10[IKE] EAP method not supported, sending EAP_NAK
      Sep 18 17:46:19 nb-mint charon-nm: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/NAK ]
      Sep 18 17:46:19 nb-mint charon-nm: 10[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (80 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 09[NET] received packet: from 93.145.101.114[4500] to 192.168.43.166[4500] (80 bytes)
      Sep 18 17:46:19 nb-mint charon-nm: 09[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
      Sep 18 17:46:19 nb-mint charon-nm: 09[IKE] received EAP_FAILURE, EAP authentication failed
      Sep 18 17:46:19 nb-mint charon-nm: 09[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
      Sep 18 17:46:19 nb-mint charon-nm: 09[NET] sending packet: from 192.168.43.166[4500] to 93.145.101.114[4500] (80 bytes)
      Sep 18 17:46:19 nb-mint NetworkManager[818]: <warn> [1537285579.6265] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: failed: connect-failed (1)
      Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.6268] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: state changed: stopped (6)
      Sep 18 17:46:19 nb-mint NetworkManager[818]: <info> [1537285579.6288] vpn-connection[0x167d7e0,58b3e93e-f882-43da-8fd1-c5a3bcfcdd7c,"VPN_IPSEC",0]: VPN plugin: state change reason: unknown (0)

      --
      Thanks,

      Marco

        mmangiante @mmangiante

        I finally resolved this by installing various packages:

        network-manager-strongswan (I had to download and install the 1.4 version because the stock package, 1.3, has a bug)
        strongswan-plugin-eap-mschapv2
        strongswan-plugin-eap-radius
        strongswan-starter
        libcharon-standard-plugins
        libcharon-extra-plugins
        libstrongswan-standard-plugins
        libstrongswan-extra-plugins
        

        Remember to restart the client before trying the connection.

        Marco
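
Added example (not part of either post, and not strongSwan or NetworkManager code): a small Python triage over charon-nm lines in the format of the log above, reporting which EAP method the client refused with EAP_NAK and whether the gateway forced a fallback to a DH group below 2048 bits. The sample log is constructed, and the mapping from EAP method to package name is an assumption based on the package list in the follow-up post.

```python
import re

# Constructed sample: charon-nm lines in the format of the log posted above
# (placeholder host and user, not the poster's values).
SAMPLE_LOG = """\
Sep 18 17:46:19 host charon-nm: 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Sep 18 17:46:19 host charon-nm: 08[IKE] server requested EAP_IDENTITY (id 0x00), sending 'user'
Sep 18 17:46:19 host charon-nm: 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Sep 18 17:46:19 host charon-nm: 10[IKE] EAP method not supported, sending EAP_NAK
Sep 18 17:46:19 host charon-nm: 09[IKE] received EAP_FAILURE, EAP authentication failed
"""

DH_RE = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")
EAP_REQ_RE = re.compile(r"server requested (EAP_\w+) authentication")
# Assumption: method-to-package mapping, using a name from the follow-up post.
PLUGIN_PACKAGE = {"EAP_MSCHAPV2": "strongswan-plugin-eap-mschapv2"}
WEAK_DH = {"MODP_768", "MODP_1024"}  # MODP groups below 2048 bits


def triage(log_text):
    """Summarise DH fallback and EAP method rejection in a charon log."""
    findings = {"dh_fallback": None, "weak_dh": False, "rejected_eap": [],
                "missing_packages": [], "auth_failed": False}
    last_requested = None  # EAP method most recently requested by the server
    for line in log_text.splitlines():
        if "charon" not in line:
            continue  # skip NetworkManager's own lines
        m = DH_RE.search(line)
        if m:
            findings["dh_fallback"] = (m.group(1), m.group(2))
            findings["weak_dh"] = m.group(2) in WEAK_DH
        m = EAP_REQ_RE.search(line)
        if m:
            last_requested = m.group(1)
        elif "sending EAP_NAK" in line and last_requested:
            # The client has no plugin loaded for the requested method.
            findings["rejected_eap"].append(last_requested)
            pkg = PLUGIN_PACKAGE.get(last_requested)
            if pkg:
                findings["missing_packages"].append(pkg)
            last_requested = None
        elif "received EAP_FAILURE" in line:
            findings["auth_failed"] = True
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it on a real capture, pass the text of the syslog excerpt to `triage()` instead of `SAMPLE_LOG`.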

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.