
How to configure strongSwan eap-radius with FreeRadius for EAP-MSCHAPv2 authentication?

I am trying to configure a strongSwan IPsec VPN with RADIUS authentication. The actual EAP-MSCHAPv2 authentication to FreeRadius with OpenLDAP for username/passwords is successful, but then I am stuck with the following error message:

Jul 15 21:31:04 odroidc4 charon-systemd[814594]: authentication of '100.80.129.171' with EAP successful
Jul 15 21:31:04 odroidc4 charon-systemd[814594]: constraint check failed: peer not authenticated by CA 'C=DE, O=ahpohl, CN=ahpohl Root CA'
Jul 15 21:31:04 odroidc4 charon-systemd[814594]: selected peer config 'eap-radius' unacceptable: non-matching authentication done
Jul 15 21:31:04 odroidc4 charon-systemd[814594]: no alternative config found

Searching for the constraint check failure message did not give any conclusive results. I tried Windows 10 Pro and iPhone iOS 15.5 clients; both fail with the same constraint check.

How do I make the check pass or alternatively disable the check? Who is meant by ‘peer’, the client or the RADIUS server?

I use the following swanctl.conf:

connections {
  eap-radius {
    # version and proposals are connection-level settings (not children)
    version = 2
    proposals = aes256-sha256-modp2048
    pools = ipv4, ipv6
    send_cert = always
    local {
      auth = pubkey
      certs = vpnCert.pem
      id = vpn.ahpohl.com
    }
    remote {
      auth = eap-radius
      # cacerts here constrains the remote peer to a certificate issued by this CA
      cacerts = ahpohlCert.pem
      eap_id = %any
    }
    children {
      eap-radius {
        local_ts = 0.0.0.0/0, ::/0
        esp_proposals = aes256-sha256-sha1-modp2048
      }
    }
  }
}

pools {
  ipv4 {
    addrs = 10.10.1.64/26
    dns = 192.168.178.1
  }
  ipv6 {
    addrs = 2a02:168:4407:1::/122
    dns = fd00::ca0e:14ff:fe0c:e6a5
  }
}

The CA and the server certificate were created using the strongSwan pki tool:

# create CA
pki --gen --type rsa --size 3072 --outform pem > private/ahpohlKey.pem
pki --self --ca --lifetime 3652 --in private/ahpohlKey.pem --dn "C=DE, O=ahpohl, CN=ahpohl Root CA" --outform pem > x509ca/ahpohlCert.pem

# create server certificate:
pki --gen --type rsa --size 3072 --outform pem > private/vpnKey.pem
pki --req --type priv --in private/vpnKey.pem --dn "C=DE, O=ahpohl, CN=vpn.ahpohl.com" --san vpn.ahpohl.com --outform pem > vpnReq.pem
pki --issue --cacert x509ca/ahpohlCert.pem --cakey private/ahpohlKey.pem --type pkcs10 --in vpnReq.pem --serial 01 --lifetime 1826 --flag serverAuth --flag ikeIntermediate --crl https://www.ahpohl.com/crl/ahpohl.crl --outform pem > x509/vpnCert.pem

I followed the howtos on the strongSwan wiki for strongSwan configuration, cert creation and certificate interoperability recommendations. The full connection logs of the strongSwan VPN gateway and the FreeRadius radiusd -X debug output are a bit long to be put here, but are available if necessary.
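As an added check that is not part of the original question (my own code, not strongSwan's), a small parser for swanctl.conf's nested syntax that flags a `remote` section combining `cacerts` with an EAP `auth` method: `cacerts` in a remote section requires the peer to present a certificate from that CA, which an EAP-only peer never does, so that combination is exactly what the 'peer not authenticated by CA' constraint failure reports. The sample configuration is constructed from the one above, and the parser assumes one section or key per line.

```python
# Constructed sample, modelled on the question's swanctl.conf (not copied verbatim).
SAMPLE_CONF = """connections {
  eap-radius {
    remote {
      auth = eap-radius
      cacerts = ahpohlCert.pem
      eap_id = %any
    }
  }
}
"""


def parse_swanctl(text):
    """Parse swanctl.conf's `section { key = value }` syntax into nested dicts."""
    stack = [{}]  # stack[0] is the root section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):  # open a nested section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":  # close the current section
            if len(stack) == 1:
                raise ValueError("unexpected '}' at top level")
            stack.pop()
        elif "=" in line:  # key = value inside the current section
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return stack[0]


def unsatisfiable_ca_constraints(conf):
    """Return (connection, section) pairs whose remote* section sets `cacerts`
    while `auth` is an EAP method: the CA constraint needs a peer certificate,
    and an EAP-authenticated peer presents none, so the check can never pass."""
    findings = []
    for conn_name, conn in conf.get("connections", {}).items():
        for sect_name, sect in conn.items():
            is_remote = sect_name.startswith("remote") and isinstance(sect, dict)
            if is_remote and "cacerts" in sect and sect.get("auth", "pubkey").startswith("eap"):
                findings.append((conn_name, sect_name))
    return findings
```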