"peer requested EAP, config inacceptable" with IKEv2 and EAP-RADIUS



  • I've set up IPsec according to the RADIUS-EAP guide on the wiki, but I keep getting this error: "charon: 05[IKE] <bypasslan|3> peer requested EAP, config inacceptable".

    Our freeradius server is set up to accept PEAP-MSCHAPv2 requests, which successfully authenticates our wireless network users just fine. Do we need to enable a different protocol on the freeradius server?



  • Logs:

    Log entries

    Dec 16 11:51:20	charon: 16[NET] <bypasslan|1> sending packet: from  216.x.x.x[4500] to  215.x.x.x[61443] (68 bytes)
    Dec 16 11:51:20	charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> peer supports MOBIKE
    Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 16 11:51:20	charon: 16[CFG] <bypasslan|1> no alternative config found
    Dec 16 11:51:20	charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
    Dec 16 11:51:20	charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
    Dec 16 11:51:20	charon: 16[CFG] <1> looking for peer configs matching  216.x.x.x[ 216.x.x.x]... 215.x.x.x[192.168.125.2]
    Dec 16 11:51:20	charon: 16[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    Dec 16 11:51:20	charon: 16[NET] <1> received packet: from  215.x.x.x[61443] to  216.x.x.x[4500] (316 bytes)
    Dec 16 11:51:20	charon: 16[NET] <1> sending packet: from  216.x.x.x[500] to  215.x.x.x[30930] (353 bytes)
    Dec 16 11:51:20	charon: 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Dec 16 11:51:20	charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-ec-ca, E=info@xxx.com"
    Dec 16 11:51:20	charon: 16[IKE] <1> sending cert request for "C=US, ST=Missouri, L=Kansas City, O=Corp, OU=Information Technology, CN=svg-eap-ec-ca, E=info@xxx.com"
    Dec 16 11:51:20	charon: 16[IKE] <1> remote host is behind NAT
    Dec 16 11:51:20	charon: 16[IKE] <1>  215.x.x.x is initiating an IKE_SA
    Dec 16 11:51:20	charon: 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    

    Any help much appreciated!



  • Anybody? :( The problem seems to be that it's constantly selecting the "bypass" configuration. I don't know what rules to put in "Outbound NAT", would that possibly be the problem?


  • Rebel Alliance Developer Netgate

    That means something about the inbound request did not match your mobile P1 settings so it fell through to the LAN bypass.



  • Thanks. What has to match exactly?


  • Rebel Alliance Developer Netgate

    Whatever parameters are set on P1 (identifiers, encryption, hash, etc.).

    You can increase the logging a bit as shown here: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29
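    As an added example (not from this thread, and not pfSense or strongSwan code), a small Python helper that parses the charon lines quoted above and compares the identities the peer actually sent with the P1 identifiers you configured; the mobile P1 name "con-mobile" and the my_id / peer_id values are assumed placeholders for your own settings.

```python
import re

# Constructed sample in the shape of the charon log quoted in this thread (addresses masked
# as in the post, newest line first as pfSense shows it); not the poster's full log.
SAMPLE_LOG = """\
Dec 16 11:51:20 charon: 16[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> no alternative config found
Dec 16 11:51:20 charon: 16[IKE] <bypasslan|1> peer requested EAP, config inacceptable
Dec 16 11:51:20 charon: 16[CFG] <bypasslan|1> selected peer config 'bypasslan'
Dec 16 11:51:20 charon: 16[CFG] <1> looking for peer configs matching  216.x.x.x[ 216.x.x.x]... 215.x.x.x[192.168.125.2]
"""

# "matching <local addr>[<IDr the peer asked for>]...<remote addr>[<IDi the peer sent>]"
MATCHING_RE = re.compile(
    r"looking for peer configs matching\s+(\S+)\[\s*([^\]]*?)\s*\]\.\.\.\s*(\S+)\[\s*([^\]]*?)\s*\]")
SELECTED_RE = re.compile(r"selected peer config '([^']+)'")


def parse_ike_auth(log_text):
    """Pull the identities charon matched on, the config it picked and the failure markers."""
    info = {"local_addr": None, "local_id": None, "remote_addr": None, "remote_id": None,
            "selected_config": None, "eap_requested": False, "auth_failed": False}
    for line in log_text.splitlines():
        m = MATCHING_RE.search(line)
        if m:
            info["local_addr"], info["local_id"], info["remote_addr"], info["remote_id"] = m.groups()
        m = SELECTED_RE.search(line)
        if m:
            info["selected_config"] = m.group(1)
        info["eap_requested"] |= "peer requested EAP, config inacceptable" in line
        info["auth_failed"] |= "N(AUTH_FAILED)" in line
    return info


def id_matches(configured, observed):
    """strongSwan-style identity check: '%any' accepts everything, otherwise exact match."""
    return configured == "%any" or configured.lower() == observed.lower()


def diagnose(log_text, my_id, peer_id, mobile_config="con-mobile"):
    """Compare what the peer sent with the mobile P1 'My identifier' / 'Peer identifier'
    values (my_id, peer_id and the config name are hypothetical operator settings)."""
    info = parse_ike_auth(log_text)
    problems = []
    if info["eap_requested"] and info["selected_config"] != mobile_config:
        problems.append(f"fell through to '{info['selected_config']}', which offers no EAP")
    if info["local_id"] and not id_matches(my_id, info["local_id"]):
        problems.append(f"IDr '{info['local_id']}' does not match My identifier '{my_id}'")
    if info["remote_id"] and not id_matches(peer_id, info["remote_id"]):
        problems.append(f"IDi '{info['remote_id']}' does not match Peer identifier '{peer_id}'")
    return info, problems
```

    Run diagnose() against the log with the identifiers from your mobile P1; an IDi of a private address such as 192.168.125.2 usually means the client behind NAT sent its own IP as identity, so the Peer identifier must accept it (or be "any").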



  • Got it thanks. I upped the logging on the "IKE Configuration" to RAW but it's still not telling me what's not matching…



  • Did you ever get a resolution to this problem?



  • @j@svg:


    I've encountered this before in my testing although I can't remember specifically what I did for this particular condition.

    Take a look at the Phase 1 and Phase 2 settings in this doc: https://forum.pfsense.org/index.php?topic=127457.0

