OpenWrt Forum Archive

Topic: strongswan troubles with EAP-MSCHAPV2

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello everybody,
I tried to follow the howto from the wiki to set up a VPN server with strongswan for my Android clients. But it seems that with the current version of strongswan (5.3.2) the EAP-MSCHAPV2 plugin won't get loaded.

Also I need to limit the plugins with charon; if not, it would get stuck in a restart loop.

Maybe somebody can help me fix that? Would be great!
Currently using Chaos Calmer 15.05 for this setup.

And here are the log outputs:

Mon Aug 31 22:13:39 2015 daemon.info syslog: 08[CFG] added configuration 'roadwarrior'
Mon Aug 31 22:13:52 2015 daemon.info syslog: 04[NET] received packet: from xxx.xxx.xxx.254[11894] to xxx.xxx.xxx.154[500] (1012 bytes)
Mon Aug 31 22:13:52 2015 daemon.info syslog: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Mon Aug 31 22:13:52 2015 daemon.info syslog: 04[IKE] xxx.xxx.xxx.254 is initiating an IKE_SA
Mon Aug 31 22:13:52 2015 authpriv.info syslog: 04[IKE] xxx.xxx.xxx.254 is initiating an IKE_SA
Mon Aug 31 22:13:53 2015 daemon.info syslog: 04[IKE] remote host is behind NAT
Mon Aug 31 22:13:53 2015 daemon.info syslog: 04[IKE] sending cert request for "C=AT, O=HeimNetz, CN=xxxx"
Mon Aug 31 22:13:53 2015 daemon.info syslog: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Mon Aug 31 22:13:53 2015 daemon.info syslog: 04[NET] sending packet: from xxx.xxx.xxx.154[500] to xxx.xxx.xxx.254[11894] (481 bytes)
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[NET] received packet: from xxx.xxx.xxx.254[22502] to xxx.xxx.xxx.154[4500] (4700 bytes)
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] received cert request for "C=AT, O=HeimNetz, CN=xxxx"
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] received 153 cert requests for an unknown ca
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] received end entity cert "C=AT, O=HeimNetz, CN=client"
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[CFG] looking for peer configs matching xxx.xxx.xxx.154[%any]...xxx.xxx.xxx.254[C=AT, O=HeimNetz, CN=client]
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[CFG] selected peer config 'roadwarrior'
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[CFG]   using trusted ca certificate "C=AT, O=HeimNetz, CN=xxxx"
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[CFG] checking certificate status of "C=AT, O=HeimNetz, CN=client"
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[CFG] certificate status is not available
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[CFG]   reached self-signed root ca with a path length of 0
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[CFG]   using trusted certificate "C=AT, O=HeimNetz, CN=client"
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] authentication of 'C=AT, O=HeimNetz, CN=client' with RSA_EMSA_PKCS1_SHA256 successful
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] peer supports MOBIKE
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] authentication of xxx.xxx.xxx.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[IKE] sending end entity cert "C=AT, O=HeimNetz, CN=xxx.xxx.xxx.org"
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH ]
Mon Aug 31 22:13:55 2015 daemon.info syslog: 03[NET] sending packet: from xxx.xxx.xxx.154[4500] to xxx.xxx.xxx.254[22502] (1260 bytes)
Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[NET] received packet: from xxx.xxx.xxx.254[22502] to xxx.xxx.xxx.154[4500] (76 bytes)
Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[ENC] parsed IKE_AUTH request 2 [ IDi ]
Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[IKE] loading EAP_MSCHAPV2 method failed
Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[NET] sending packet: from xxx.xxx.xxx.154[4500] to xxx.xxx.xxx.254[22502] (76 bytes

fixed!!

solution:

charon {
  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
}

and mschapv2 will be loaded.
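As an added check (my own example, not code from the thread or from strongSwan): it parses the charon load list of a strongswan.conf for the plugins EAP-MSCHAPv2 depends on and flags the "loading EAP_MSCHAPV2 method failed" line in charon's log. The dependency set is my assumption, based on the primitives MSCHAPv2 uses; the sample config and log lines are constructed from the thread.

```python
"""Verify a strongswan.conf explicit ``charon { load = ... }`` list carries
what EAP-MSCHAPv2 needs, and spot the failure line charon logs otherwise."""
import re

# eap-mschapv2 computes the NT hash with MD4, the challenge response with DES
# and the challenge hash with SHA-1; eap-identity lets the client present its
# identity first. Assumed dependency list, not taken from the thread.
REQUIRED_FOR_MSCHAPV2 = {"eap-mschapv2", "md4", "des", "sha1", "eap-identity"}

LOAD_RE = re.compile(r"charon\s*\{[^}]*?\bload\s*=\s*([^\n}]+)")
FAIL_RE = re.compile(r"\[IKE\] loading (\S+) method failed")


def loaded_plugins(conf_text):
    """Return the set of plugin names in charon's explicit load list,
    or None when there is no explicit list (charon then loads everything)."""
    m = LOAD_RE.search(conf_text)
    if not m:
        return None
    return set(m.group(1).split())


def missing_for_mschapv2(conf_text):
    """Return required plugins absent from the load list (empty set = ok)."""
    plugins = loaded_plugins(conf_text)
    if plugins is None:
        return set()
    return REQUIRED_FOR_MSCHAPV2 - plugins


def failed_eap_methods(log_lines):
    """Return the EAP method names charon reported it could not load."""
    found = []
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


# Constructed inputs: the working load line from the thread and a reduced one.
GOOD_CONF = """charon {
  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
}
"""
BAD_CONF = """charon {
  load = aes sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-identity
}
"""
SAMPLE_LOG = [
    "Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[ENC] parsed IKE_AUTH request 2 [ IDi ]",
    "Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[IKE] loading EAP_MSCHAPV2 method failed",
    "Mon Aug 31 22:13:55 2015 daemon.info syslog: 02[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]",
]

if __name__ == "__main__":
    print("good config missing:", sorted(missing_for_mschapv2(GOOD_CONF)))
    print("bad config missing:", sorted(missing_for_mschapv2(BAD_CONF)))
    print("failed EAP methods in log:", failed_eap_methods(SAMPLE_LOG))
```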
