PRE-TEST moon# iptables-restore < /etc/iptables.rules carol# iptables-restore < /etc/iptables.rules dave# iptables-restore < /etc/iptables.rules alice# freeradius moon# ipsec start Starting strongSwan 6.0.1 IPsec [starter]... carol# ipsec start Starting strongSwan 6.0.1 IPsec [starter]... dave# ipsec start Starting strongSwan 6.0.1 IPsec [starter]... moon# expect-connection rw-eap carol# expect-connection home carol# ipsec up home initiating IKE_SA home[1] to 192.168.0.1 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (924 bytes) received packet: from 192.168.0.1[500] to 192.168.0.100[500] (272 bytes) parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) ] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA" establishing CHILD_SA home{1} generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (416 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1236 bytes) parsed IKE_AUTH response 1 [ EF(1/2) ] received fragment #1 of 2, waiting for complete IKE message received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (516 bytes) parsed IKE_AUTH response 1 [ EF(2/2) ] received fragment #2 of 2, reassembled fragmented IKE message (1680 bytes) parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org" using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org" using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" reached self-signed root ca with a path length of 0 checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org" fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl is valid: until Mar 25 18:47:43 2025 certificate status is good authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful server requested EAP_TTLS authentication (id 0x01) EAP_TTLS version is v0 generating IKE_AUTH request 2 [ EAP/RES/TTLS ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (288 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1104 bytes) parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 generating IKE_AUTH request 3 [ EAP/RES/TTLS ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (80 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1104 bytes) parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (80 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (912 bytes) parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] received TLS server certificate 'C=CH, O=strongSwan Project, CN=aaa.strongswan.org' received TLS intermediate certificate 'C=CH, O=strongSwan Project, CN=strongSwan Root CA' using certificate "C=CH, O=strongSwan Project, CN=aaa.strongswan.org" using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" reached self-signed root ca with a path length of 0 checking certificate status of "C=CH, O=strongSwan Project, CN=aaa.strongswan.org" using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl is valid: until Mar 25 18:47:43 2025 using cached crl certificate status is good generating IKE_AUTH request 5 [ EAP/RES/TTLS ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (208 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (144 bytes) parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] sending tunneled EAP-TTLS AVP [EAP/RES/ID] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (144 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (144 bytes) parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] server requested EAP_MD5 authentication (id 0x01) sending tunneled EAP-TTLS AVP [EAP/RES/MD5] generating IKE_AUTH request 7 [ EAP/RES/TTLS ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (144 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes) parsed IKE_AUTH response 7 [ EAP/SUCC ] EAP method EAP_TTLS succeeded, MSK established authentication of 'carol@strongswan.org' (myself) with EAP generating IKE_AUTH request 8 [ AUTH ] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (112 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (288 bytes) parsed IKE_AUTH response 8 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ] authentication of 'moon.strongswan.org' with EAP successful received AUTH_LIFETIME of 3365s, scheduling reauthentication in 3185s peer supports MOBIKE IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org] reauthentication already scheduled in 3185s maximum IKE_SA lifetime 3365s selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ CHILD_SA home{1} established with SPIs c0e0e44c_i c4426bb7_o and TS 192.168.0.100/32 === 10.1.0.0/16 connection 'home' established successfully dave# expect-connection home dave# ipsec up home initiating IKE_SA home[1] to 192.168.0.1 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 192.168.0.200[500] to 192.168.0.1[500] (924 bytes) received packet: from 192.168.0.1[500] to 192.168.0.200[500] (272 bytes) parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) ] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA" establishing CHILD_SA home{1} generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (416 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (1236 bytes) parsed IKE_AUTH response 1 [ EF(1/2) ] received fragment #1 of 2, waiting for complete IKE message received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (516 bytes) parsed IKE_AUTH response 1 [ EF(2/2) ] received fragment #2 of 2, reassembled fragmented IKE message (1680 bytes) parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org" using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org" using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" reached self-signed root ca with a path length of 0 checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org" fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl is valid: until Mar 25 18:47:43 2025 certificate status is good authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful server requested EAP_TTLS authentication (id 0x01) EAP_TTLS version is v0 generating IKE_AUTH request 2 [ EAP/RES/TTLS ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (288 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (1104 bytes) parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 generating IKE_AUTH request 3 [ EAP/RES/TTLS ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (80 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (1104 bytes) parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ] generating IKE_AUTH request 4 [ EAP/RES/TTLS ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (80 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (912 bytes) parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ] received TLS server certificate 'C=CH, O=strongSwan Project, CN=aaa.strongswan.org' received TLS intermediate certificate 'C=CH, O=strongSwan Project, CN=strongSwan Root CA' using certificate "C=CH, O=strongSwan Project, CN=aaa.strongswan.org" using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" reached self-signed root ca with a path length of 0 checking certificate status of "C=CH, O=strongSwan Project, CN=aaa.strongswan.org" using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA" crl is valid: until Mar 25 18:47:43 2025 using cached crl certificate status is good generating IKE_AUTH request 5 [ EAP/RES/TTLS ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (208 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (144 bytes) parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ] sending tunneled EAP-TTLS AVP [EAP/RES/ID] generating IKE_AUTH request 6 [ EAP/RES/TTLS ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (144 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (144 bytes) parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ] received tunneled EAP-TTLS AVP [EAP/REQ/MD5] server requested EAP_MD5 authentication (id 0x01) sending tunneled EAP-TTLS AVP [EAP/RES/MD5] generating IKE_AUTH request 7 [ EAP/RES/TTLS ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (144 bytes) retransmit 1 of request with message ID 7 sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (144 bytes) received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (80 bytes) parsed IKE_AUTH response 7 [ EAP/FAIL ] received EAP_FAILURE, EAP authentication failed generating INFORMATIONAL request 8 [ N(AUTH_FAILED) ] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (80 bytes) establishing connection 'home' failed TEST carol# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' with RSA.* successful' [YES] Mar 10 19:41:57 carol charon: 06[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful carol# cat /var/log/daemon.log | grep 'server requested EAP_TTLS authentication' [YES] Mar 10 19:41:57 carol charon: 06[IKE] server requested EAP_TTLS authentication (id 0x01) carol# cat /var/log/daemon.log | grep 'server requested EAP_MD5 authentication' [YES] Mar 10 19:41:57 carol charon: 01[IKE] server requested EAP_MD5 authentication (id 0x01) carol# cat /var/log/daemon.log | grep 'EAP method EAP_TTLS succeeded, MSK established' [YES] Mar 10 19:41:57 carol charon: 16[IKE] EAP method EAP_TTLS succeeded, MSK established carol# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' with EAP successful' [YES] Mar 10 19:41:57 carol charon: 15[IKE] authentication of 'moon.strongswan.org' with EAP successful dave# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' with RSA.* successful' [YES] Mar 10 19:41:57 dave charon: 01[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful dave# cat /var/log/daemon.log | grep 'server requested EAP_TTLS authentication' [YES] Mar 10 19:41:57 dave charon: 01[IKE] server requested EAP_TTLS authentication (id 0x01) dave# cat /var/log/daemon.log | grep 'server requested EAP_MD5 authentication' [YES] Mar 10 19:41:58 dave charon: 06[IKE] server requested EAP_MD5 authentication (id 0x01) dave# cat /var/log/daemon.log | grep 'received EAP_FAILURE, EAP authentication failed' [YES] Mar 10 19:41:59 dave charon: 04[IKE] received EAP_FAILURE, EAP authentication failed moon# cat /var/log/daemon.log | grep 'authentication of 'carol@strongswan.org' with EAP successful' [YES] Mar 10 19:41:57 moon charon: 06[IKE] authentication of 'carol@strongswan.org' with EAP successful moon# cat /var/log/daemon.log | grep 'RADIUS authentication of 'dave@strongswan.org' failed' [YES] Mar 10 19:41:58 moon charon: 04[IKE] RADIUS authentication of 'dave@strongswan.org' failed moon# cat /var/log/daemon.log | grep 'EAP method EAP_TTLS failed for peer dave@strongswan.org' [YES] Mar 10 19:41:58 moon charon: 04[IKE] EAP method EAP_TTLS failed for peer dave@strongswan.org moon# ipsec status 2> /dev/null | grep 'rw-eap.*ESTABLISHED.*carol@strongswan.org' [YES] rw-eap[1]: ESTABLISHED 2 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org] moon# ipsec status 2> /dev/null | grep 'rw-eap.*ESTABLISHED.*dave@strongswan.org' [NO] carol# ipsec status 2> /dev/null | grep 'home.*ESTABLISHED' [YES] home[1]: ESTABLISHED 2 seconds ago, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org] dave# ipsec status 2> /dev/null | grep 'home.*ESTABLISHED' [NO] carol# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_.eq=1' [YES] 64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=1.28 ms moon# killall tcpdump moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP' [YES] 19:41:59.570896 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc4426bb7,seq=0x1), length 136 moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP' [YES] 19:41:59.571636 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0e0e44c,seq=0x1), length 136 POST-TEST moon# ipsec stop Stopping strongSwan IPsec... carol# ipsec stop Stopping strongSwan IPsec... dave# ipsec stop Stopping strongSwan IPsec... alice# killall freeradius moon# iptables-restore < /etc/iptables.flush carol# iptables-restore < /etc/iptables.flush dave# iptables-restore < /etc/iptables.flush