[Openswan Users] Openswan using Radius server for authentication
Arnel B. Espanola
2008-04-30 17:16:32 UTC
Has anyone here set up their Openswan VPN server to use a RADIUS
server for client authentication? If so, sharing some
information on how to implement it would be appreciated. Thanks.
--
Arnel
Jacco de Leeuw
2008-05-01 14:57:49 UTC
It can be done with L2TP/IPsec if you use a PPP server with support
for RADIUS authentication. See this webpage and search for RADIUS:
http://www.jacco2.dds.nl/networking/openswan-l2tp.html

Somebody else will have to fill you in if you would rather use RADIUS with
XAUTH or IKEv2.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Arnel B. Espanola
2008-05-23 18:25:01 UTC
I already have Openswan working with this version:

Linux Openswan U2.4.5/K2.6.22.14-72.fc6 (netkey)

I'm currently running it with a pre-shared key as the authentication
method. Now I would like to authenticate VPN users against a RADIUS
server. Can someone give me more information on how to configure
Openswan with PPP/RADIUS authentication? I'm running PPP daemon
version 2.4.4 with RADIUS support.

Appreciate your help.

Thanks,
Arnel
Arnel B. Espanola
2008-05-27 21:10:56 UTC
Hi Gbenga,

I found an equivalent radiusclient1 package for Fedora. It is
radiusclient-ng. I've successfully installed it but I'm having problems
authenticating to the RADIUS servers. We already have existing RADIUS
servers but they are managed by a different group. Below are the error
messages on my VPN server. I was able to establish IPsec but failed to
authenticate due to RADIUS errors. Any hints that you can provide will
be appreciated.

May 27 14:04:58 vpn pppd[4127]: Plugin radius.so loaded.
May 27 14:04:58 vpn pppd[4127]: RADIUS plugin initialized.
May 27 14:04:58 vpn pppd[4127]: pppd 2.4.4 started by root, uid 0
May 27 14:04:58 vpn pppd[4127]: Using interface ppp0
May 27 14:04:58 vpn pppd[4127]: Connect: ppp0 <--> /dev/pts/0
May 27 14:05:00 vpn pppd[4127]: rc_read_dictionary: couldn't open
dictionary @pkgdatadir@/dictionary: No such file or directory
May 27 14:05:00 vpn pppd[4127]: RADIUS: Can't read dictionary file
@pkgdatadir@/dictionary
May 27 14:05:00 vpn pppd[4127]: Peer user1 failed CHAP authentication
May 27 14:05:00 vpn pppd[4127]: Connection terminated.
May 27 14:05:00 vpn xl2tpd[3521]: control_finish: Connection closed to
10.0.1.1, serial 0 ()
May 27 14:05:00 vpn xl2tpd[3521]: control_finish: Connection closed to
10.0.1.1, port 1701 (), Local: 572, Remote: 16


Arnel
Post by Gbenga
Hi Arnel,
I have had this working since the second time I set up
OpenSwan. It worked like a charm! I found the documentation on the web
- I cannot remember the link anymore, so if this looks like someone's
work, the credit belongs to them.
I skipped the MySQL part; I only use the file to manage the FreeRADIUS configuration. If you need more help with it, post and I will try to reply.
Rgds,
Gbenga
Giovani Moda
2008-05-28 11:52:39 UTC
Post by Arnel B. Espanola
May 27 14:04:58 vpn pppd[4127]: Connect: ppp0 <--> /dev/pts/0
May 27 14:05:00 vpn pppd[4127]: rc_read_dictionary: couldn't open dictionary @pkgdatadir@/dictionary: No such file or directory
May 27 14:05:00 vpn pppd[4127]: RADIUS: Can't read dictionary file @pkgdatadir@/dictionary
May 27 14:05:00 vpn pppd[4127]: Peer user1 failed CHAP authentication
May 27 14:05:00 vpn pppd[4127]: Connection terminated.

It's complaining that it can't find the radiusclient dictionary files. Check
radiusclient.conf (probably at /etc/radiusclient) for the line
"dictionary". It should point to a directory where your dictionary files
are. In my case, it looks like this:

dictionary /etc/radiusclient/dictionary

Make sure the directory exists and contains dictionary files. I'll
attach a dictionary file specific for L2TP/IPsec with MS Windows. Copy
it to your dictionary directory and include this line in the dictionary
file inside this directory:

INCLUDE /path/to/dictionary/dictionary.microsoft

I remember losing a LOT of time because of this.

Let me know if you need further help.

Giovani Moda
Arnel B. Espanola
2008-05-28 17:03:20 UTC
Hi Giovani,

Thanks. It fixes the dictionary errors but another error comes up. See
the log.


May 28 09:54:09 vpn pppd[24108]: Plugin radius.so loaded.
May 28 09:54:09 vpn pppd[24108]: RADIUS plugin initialized.
May 28 09:54:09 vpn pppd[24108]: Plugin radattr.so loaded.
May 28 09:54:09 vpn pppd[24108]: RADATTR plugin initialized.
May 28 09:54:09 vpn pppd[24108]: pppd 2.4.4 started by root, uid 0
May 28 09:54:09 vpn pppd[24108]: Using interface ppp0
May 28 09:54:09 vpn pppd[24108]: Connect: ppp0 <--> /dev/pts/1
May 28 09:54:12 vpn pppd[24108]: rc_send_server: bind:
[radius.server.host]: Permission denied
May 28 09:54:12 vpn pppd[24108]: Peer user1 failed CHAP authentication
May 28 09:54:12 vpn pppd[24108]: Connection terminated.
May 28 09:54:12 vpn pppd[24108]: Exit.
May 28 09:54:12 vpn xl2tpd[4739]: call_close: Call 11693 to 10.0.1.1
disconnected
May 28 09:54:17 vpn xl2tpd[4739]: Maximum retries exceeded for tunnel
56079. Closing.
May 28 09:54:17 vpn xl2tpd[4739]: Connection 19 closed to 10.0.1.1, port
50300 (Timeout)

Arnel
Giovani Moda
2008-05-28 17:46:11 UTC
Post by Arnel B. Espanola
May 28 09:54:12 vpn pppd[24108]: rc_send_server: bind: [radius.server.host]: Permission denied

Is your file "servers" inside the radiusclient directory set up properly? It
appears to me that radiusclient is unable to log in (or connect) to your
RADIUS server. Make sure "radius.server.host" is resolvable. Better yet,
use its IP address instead. And make sure the password provided in this
file matches the settings provided in clients.conf of FreeRADIUS.

If you need to debug, stop the freeradius service and run it with
radiusd -XX. It should give you some output of what is going on.

Giovani Moda
Gbenga
2008-05-29 10:50:04 UTC
Hi Arnel,
I have not accessed my openswan mail for a while.
You are nearly done. What has happened, I guess, is that you have not set up your CHAP authentication well. I have included truncated parts of my relevant files.
You will need to configure the following files:
1.]    /etc/ppp/options.l2pd [whatever you call it]
2.]    /etc/xl2tpd/xl2tpd.conf [to use relevant ip addresses and options]
3.]    /etc/ppp/chap [there is no need for this since you are using radius]
4.]    /etc/radiusclient/radiusclient.conf: [the stuff below is what I have in mine.]
auth_order      radius,local
login_tries     4
login_timeout   60
nologin /etc/nologin
issue   /etc/radiusclient/issue

authserver      10.10.1.XX:1812
acctserver      10.10.1.XX:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

5.]    /etc/radiusclient/servers: [the stuff below is from my file.]
#Server Name or Client/Server pair              Key
#----------------                               ---------------
10.10.1.XX   [radius server]                                  *****
10.10.1.X     [vpn vpn server]                                *****
6.]    /etc/ppp/option.l2tpd: [relevant options]
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.11.0.90
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
plugin radius.so

7.]    /etc/xl2tpd/xl2tpd.conf: [relevant portion]

[lns default]
ip range = 10.10.3.128 - 10.10.3.254
local ip = 10.10.3.100
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
; some name from ppp users
name = pppuser
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
require chap = yes
refuse pap = yes
require authentication = no
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

8.]     /usr/local/etc/raddb/users [relevant portion]
        pppuser       Auth-Type := Local, User-Password == "your password"
                              Service-Type = Framed-User,
                              Framed-Protocol = PPP
9.]    /usr/local/etc/raddb/clients.conf
         client 10.10.1.57 {
                                secret          = secret
                                shortname       = vpn_server
                                nastype         = other
}

I hope this helps you. You can also read up on L2TP/VPN at http://www.jacco2.dds.nl/networking/win2000xp-openswan.html.
Rgds,
Gbenga
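Added example, not code from the thread or from radiusclient-ng: a Python check over the two files that Giovani's reply and Gbenga's post turn on, radiusclient.conf and servers. It parses the formats shown above and reports the mismatches seen in this thread (an unexpanded @pkgdatadir@ dictionary path, an authserver/acctserver host with no matching entry in servers, an unresolvable hostname) plus a short-secret and file-mode check that are our own policy, not radiusclient settings; the sample input is constructed.

```python
# Added example (not from the thread): offline consistency check for the
# radiusclient-ng files pppd's radius.so reads: radiusclient.conf and servers.
import ipaddress
import os
import re
import socket
from typing import Callable, Dict, List, Tuple

DEFAULT_PORTS = {"authserver": 1812, "acctserver": 1813}  # RADIUS auth/acct
MIN_SECRET_LEN = 16  # our own floor for the shared secret, not a radiusclient rule

def _strip_comment(raw: str) -> str:
    return raw.split("#", 1)[0].strip()

def parse_radiusclient_conf(text: str) -> Dict[str, str]:
    """radiusclient.conf: one 'keyword value' pair per line; value may be empty."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf

def parse_servers(text: str) -> Dict[str, str]:
    """servers file: 'host shared-secret' per line; host is a name or an IP."""
    servers: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = _strip_comment(raw).split(None, 1)
        if len(parts) == 2:
            servers[parts[0]] = parts[1].strip()
    return servers

def split_host_port(spec: str, default_port: int) -> Tuple[str, int]:
    """'10.10.1.5:1812' -> ('10.10.1.5', 1812); a bare host gets the default port."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, default_port

def host_resolves(host: str) -> bool:
    """IP literals always pass; names are looked up in DNS."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False

def secret_file_mode_ok(st_mode: int) -> bool:
    """The servers file holds shared secrets: refuse group/world-readable modes."""
    return not (st_mode & 0o044)

def check_radius_client(conf: Dict[str, str], servers: Dict[str, str],
                        exists: Callable[[str], bool] = os.path.exists,
                        resolves: Callable[[str], bool] = host_resolves) -> List[str]:
    """Return findings; an empty list means the two files agree with each other."""
    findings: List[str] = []
    dictionary = conf.get("dictionary", "")
    if re.search(r"@\w+@", dictionary):  # unexpanded build-time placeholder
        findings.append(f"dictionary: unexpanded placeholder in '{dictionary}'")
    elif not exists(dictionary):
        findings.append(f"dictionary: '{dictionary}' does not exist")
    for key, default_port in DEFAULT_PORTS.items():
        spec = conf.get(key)
        if not spec:
            findings.append(f"{key}: not set")
            continue
        host, _port = split_host_port(spec, default_port)
        if not resolves(host):
            findings.append(f"{key}: host '{host}' does not resolve; use its IP address")
        secret = servers.get(host)
        if secret is None:
            findings.append(f"{key}: no entry for '{host}' in the servers file")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{key}: shared secret for '{host}' is only {len(secret)} chars")
    return findings

# Constructed sample input modelled on the files shown in the thread.
SAMPLE_CONF = """\
auth_order      radius,local
authserver      10.10.1.5:1812
acctserver      10.10.1.5:1813
servers         /etc/radiusclient/servers
dictionary      @pkgdatadir@/dictionary
"""
SAMPLE_SERVERS = """\
#Server Name or Client/Server pair      Key
10.10.1.5       secret
"""

def sample_findings() -> List[str]:
    # exists=lambda: False keeps the run independent of the local filesystem
    return check_radius_client(parse_radiusclient_conf(SAMPLE_CONF),
                               parse_servers(SAMPLE_SERVERS), exists=lambda _p: False)
```

Run it against your own files by replacing the sample strings with the contents of /etc/radiusclient/radiusclient.conf and /etc/radiusclient/servers and passing the real os.stat(...).st_mode of the servers file to secret_file_mode_ok.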
Arnel B. Espanola
2008-05-30 22:44:24 UTC
Hi GBenga,

Thanks for the info. But unfortunately I couldn't make it work
and I'm getting frustrated. This is the show stopper for me. I don't
know what I'm doing wrong, but configuration-wise it looks ok. I'm still
getting the same error message every time I connect to the VPN. I can connect
to the RADIUS server with the 'radtest' command from my VPN server. Somehow the
client is unable to reach the RADIUS server. It successfully establishes
IPsec with the VPN server but fails to reach the RADIUS server for
authentication.


May 30 15:31:34 vpn pppd[11331]: Plugin radius.so loaded.
May 30 15:31:34 vpn pppd[11331]: RADIUS plugin initialized.
May 30 15:31:34 vpn pppd[11331]: pppd 2.4.4 started by root, uid 0
May 30 15:31:34 vpn pppd[11331]: Using interface ppp0
May 30 15:31:34 vpn pppd[11331]: Connect: ppp0 <--> /dev/pts/1
May 30 15:31:36 vpn pppd[11331]: rc_send_server: bind: 10.0.1.101:
Permission denied
May 30 15:31:36 vpn pppd[11331]: Peer arnel failed CHAP authentication
May 30 15:31:36 vpn pppd[11331]: Connection terminated.
May 30 15:31:36 vpn xl2tpd[11201]: control_finish: Connection closed to
10.0.1.146, serial 0 ()
May 30 15:31:36 vpn xl2tpd[11201]: control_finish: Connection closed to
10.0.1.146, port 1701 (), Local: 4446, Remote: 8

Note:
10.0.1.100 - vpn server
10.0.1.101 - radius server
10.0.1.146 - client

Arnel
Giovani Moda
2008-05-31 11:53:12 UTC
Post by Arnel B. Espanola
May 30 15:31:34 vpn pppd[11331]: Connect: ppp0 <--> /dev/pts/1
May 30 15:31:36 vpn pppd[11331]: rc_send_server: bind: 10.0.1.101: Permission denied

"Permission denied" could mean a file permission problem. Is radius.so
executable? Also check permissions for options.xl2tpd and the files
under /etc/radiusclient. Make sure the user running pppd has the
permissions to read the configuration files and execute radius plugin.

Did you debug your radius server to see if your VPN server attempts a
connection to it? If it doesn't, the problem isn't your radiusclient
configuration, it's happening before, at pppd.

Also try debugging pppd. Add

debug

to options.xl2tpd and

# The next line writes pppd messages to /var/log/pppd.log
daemon.*    /var/log/pppd.log

to your /etc/syslog.conf. Create the log file (touch /var/log/pppd.log)
and restart syslogd.

It should help you trace down the problem.

Giovani Moda
Arnel B. Espanola
2008-06-02 16:37:12 UTC
I enabled the pppd log and I see more details in it when I tried to
connect to my VPN server using RADIUS for authentication. But I still
don't have a clue why it fails, as I don't know what those error codes mean.
And I don't see anything in my RADIUS server logs, so it means I couldn't
reach the RADIUS server. The plugin radius.so is executable and
permissions seem ok on the files you've asked me to verify.

Thanks,
Arnel

Jun 2 09:07:19 vpn xl2tpd[11201]: ourtid = 4635, entropy_buf = 121b
Jun 2 09:07:19 vpn xl2tpd[11201]: ourcid = 28165, entropy_buf = 6e05
Jun 2 09:07:19 vpn xl2tpd[11201]: check_control: control, cid = 0, Ns =
0, Nr = 0
Jun 2 09:07:21 vpn xl2tpd[11201]: ourtid = 7476, entropy_buf = 1d34
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 0, Ns =
0, Nr = 0
Jun 2 09:07:21 vpn xl2tpd[11201]: control_finish: Peer requested tunnel
1 twice , ignoring second one.
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 0, Ns =
1, Nr = 1
Jun 2 09:07:21 vpn xl2tpd[11201]: Connection established to 10.0.1.146,
1701. Local: 4635, Remote: 1
(ref=0/0). LNS session is 'default'
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 0, Ns =
2, Nr = 1
Jun 2 09:07:21 vpn xl2tpd[11201]: ourcid = 2360, entropy_buf = 938
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 0, Ns =
3, Nr = 1
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 1, Ns =
3, Nr = 2
Jun 2 09:07:21 vpn xl2tpd[11201]: start_pppd: I'm running:
Jun 2 09:07:21 vpn xl2tpd[11201]: "/usr/sbin/pppd"
Jun 2 09:07:21 vpn xl2tpd[11201]: "passive"
Jun 2 09:07:21 vpn xl2tpd[11201]: "-detach"
Jun 2 09:07:21 vpn xl2tpd[11201]: "10.0.1.65:10.0.1.70"
Jun 2 09:07:21 vpn xl2tpd[11201]: "refuse-pap"
Jun 2 09:07:21 vpn xl2tpd[11201]: "auth"
Jun 2 09:07:21 vpn xl2tpd[11201]: "require-chap"
Jun 2 09:07:21 vpn xl2tpd[11201]: "name"
Jun 2 09:07:21 vpn xl2tpd[11201]: "pppuser"
Jun 2 09:07:21 vpn xl2tpd[11201]: "debug"
Jun 2 09:07:21 vpn xl2tpd[11201]: "file"
Jun 2 09:07:21 vpn xl2tpd[11201]: "/etc/ppp/options.xl2tpd"
Jun 2 09:07:21 vpn xl2tpd[11201]: "/dev/pts/1"
Jun 2 09:07:21 vpn xl2tpd[11201]: Call established with 10.0.1.146,
Local: 2360 , Remote: 1, Serial: 0
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 0, Ns =
4, Nr = 2
Jun 2 09:07:21 vpn pppd[22040]: Plugin radius.so loaded.
Jun 2 09:07:21 vpn pppd[22040]: RADIUS plugin initialized.
Jun 2 09:07:21 vpn pppd[22040]: pppd 2.4.4 started by root, uid 0
Jun 2 09:07:21 vpn pppd[22040]: using channel 107
Jun 2 09:07:21 vpn pppd[22040]: Using interface ppp0
Jun 2 09:07:21 vpn pppd[22040]: Connect: ppp0 <--> /dev/pts/1
Jun 2 09:07:21 vpn pppd[22040]: sent [LCP ConfReq id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x3e7be82e> <pcomp> <accomp>]
Jun 2 09:07:21 vpn pppd[22040]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x2b827b2a> <pcomp> <accomp> <callback CBCP>]
Jun 2 09:07:21 vpn pppd[22040]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Jun 2 09:07:21 vpn pppd[22040]: rcvd [LCP ConfAck id=0x1 <mru 1410> <asyncmap 0x0> <auth chap MD5> <magic 0x3e7be82e> <pcomp> <accomp>]
Jun 2 09:07:21 vpn pppd[22040]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x2b827b2a> <pcomp> <accomp>]
Jun 2 09:07:21 vpn pppd[22040]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x2b827b2a> <pcomp> <accomp>]
Jun 2 09:07:21 vpn pppd[22040]: sent [CHAP Challenge id=0x24 <d6853ec0fdb0157381bc7bd85af509238b>, name = "pppuser"]
Jun 2 09:07:21 vpn pppd[22040]: rcvd [LCP Ident id=0x2 magic=0x2b827b2a
"MSRASV 5.10"]
Jun 2 09:07:21 vpn pppd[22040]: rcvd [LCP Ident id=0x3 magic=0x2b827b2a "MSRAS-0-ARTS-D610-06"]
Jun 2 09:07:21 vpn pppd[22040]: rcvd [CHAP Response id=0x24 <142753bdd1814d7b942514bb7dc79569>, name = "arnel"]
Jun 2 09:07:21 vpn pppd[22040]: rc_send_server: bind: 10.0.1.101: Permission denied
Jun 2 09:07:21 vpn pppd[22040]: Peer arnel failed CHAP authentication
Jun 2 09:07:21 vpn pppd[22040]: sent [CHAP Failure id=0x24 ""]
Jun 2 09:07:21 vpn pppd[22040]: sent [LCP TermReq id=0x2
"Authentication failed "]
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 1, Ns =
4, Nr = 2
Jun 2 09:07:21 vpn xl2tpd[11201]: control_finish: Connection closed to 10.0.1.146, serial 0 ()
Jun 2 09:07:21 vpn xl2tpd[11201]: Untrustingly terminating pppd: sending KILL signal to pid 22040
Jun 2 09:07:21 vpn xl2tpd[11201]: pppd 22040 successfully terminated
Jun 2 09:07:21 vpn xl2tpd[11201]: check_control: control, cid = 0, Ns = 5, Nr = 2
Jun 2 09:07:21 vpn xl2tpd[11201]: control_finish: Connection closed to 10.0.1.146, port 1701 (), Local: 4635, Remote: 1
Gbenga
2008-05-31 00:24:55 UTC
Hi Arnel,

Can you post your relevant configuration files (you can mask sensitive data if you want)? Your issue will get a quicker resolution if people can see your files. I think you will need to post your [1.] /etc/ppp/chap-secrets [2.] /etc/xl2tpd/xl2tpd.conf [3.] ipsec conn section for roadwarrior [4.] /etc/ppp/options.xl2tpd

I suspect that you have misconfigured something in your ppp/chap/xl2tpd files.

Rgds,
Gbenga
Arnel B. Espanola
2008-06-02 16:25:19 UTC
Here are my configs. Take note that I'm actually using public IPs but I
just changed them into private IPs. Thanks.

/Arnel

1.) /etc/ppp/chap-secrets (basically empty)

# Secrets for authentication using CHAP
# client server secret IP addresses


2.) /etc/xl2tpd/xl2tpd.conf

[global]
port = 1701

[lns default]
ip range = 10.0.1.70-10.0.1.126
local ip = 10.10.1.65
require chap = yes
refuse pap = yes
require authentication = yes
;name = LinuxVPNserver
name = pppuser
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

3.) /etc/ipsec.conf
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
overridemtu=1410
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
keyingtries=3
compress=yes
disablearrivalcheck=no
authby=secret
type=tunnel
keyexchange=ike
ikelifetime=240m
keylife=60m
conn roadwarrior-net
leftsubnet=192.168.0.0/16
also=roadwarrior
conn roadwarrior-all
leftsubnet=0.0.0.0/0
also=roadwarrior
conn roadwarrior-l2tp
leftprotoport=17/0
rightprotoport=17/1701
also=roadwarrior
# MAC OSX
conn roadwarrior-l2tp-macosx
leftprotoport=17/1701
rightprotoport=17/%any
also=roadwarrior
conn roadwarrior-l2tp-updatedwin
leftprotoport=17/1701
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior
pfs=no
left=10.0.1.23
leftnexthop=10.0.1.1
right=%any
rightsubnet=vhost:%no,%priv
auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

4.) /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.2.196
ms-dns 10.0.2.176
ms-wins 10.0.2.188
ms-wins 10.0.2.189
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
#silent
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
nologfd
plugin radius.so
Hi Arnel,
Can you post your relevant configuration files (you can mask sensitive data if you want). Your issue will get a quicker resolution if people can see your files. I think you will need to post your [1.] /etc/ppp/chaps-secrets. [2.] /etc/xl2tpd/xl2tpd.conf [3.] ipsec conn section for roadwarrior [4.] /etc/ppp/options.xl2tpd
I suspect that you have misconfigured something in your ppp/chap/xl2tpd files.
Rgds,
Gbenga
IPSec with the VPN server but fails to reach the radius server for
authentication.
May 30 15:31:34 vpn pppd[11331]: Plugin radius.so loaded.
May 30 15:31:34 vpn pppd[11331]: RADIUS plugin initialized.
May 30 15:31:34 vpn pppd[11331]: pppd 2.4.4 started by root, uid 0
May 30 15:31:34 vpn pppd[11331]: Using interface ppp0
May 30 15:31:34 vpn pppd[11331]: Connect: ppp0 <--> /dev/pts/1
Permission denied
May 30 15:31:36 vpn pppd[11331]: Peer arnel failed CHAP authentication
May 30 15:31:36 vpn pppd[11331]: Connection terminated.
May 30 15:31:36 vpn xl2tpd[11201]: control_finish: Connection closed to
10.0.1.146, serial 0 ()
May 30 15:31:36 vpn xl2tpd[11201]: control_finish: Connection closed to
10.0.1.146, port 1701 (), Local: 4446, Remote: 8
10.0.1.100 - vpn server
10.0.1.101 - radius server
10.0.1.146 - client
Arnel
Hi Arnel,
I have not access my openswan mail for a while.
You are nearly done. What has happened, I guess, is that you have not set up your chap authentication well. I have included truncated part of my relevant files.
1.] /etc/ppp/options.l2pd [whatever you call it]
2.] /etc/xl2tpd/xl2tpd.conf [to use relevant ip addresses and options]
3.] /etc/ppp/chap [ there is no need to for this since you are usind radius]
4.] /etc/radiusclient/radiusclient.conf: [the stuff below is what I have in mine.]
auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
authserver 10.10.1.XX:1812
acctserver 10.10.1.XX:1813
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
5.] /etc/radiusclient/servers: [the stuff below is from my file.]
#Server Name or Client/Server pair Key
#---------------- ---------------
10.10.1.XX [radius server] *****
10.10.1.X [vpn vpn server] *****
6.] /etc/ppp/option.l2tpd: [relevant optios]
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.11.0.90
noccp
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
plugin radius.so
7.] /etc/xl2tpd/xl2tpd.conf: [relevant portion]
[lns default]
ip range = 10.10.3.128 - 10.10.3.254
local ip = 10.10.3.100
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
; some name from ppp users
name = pppuser
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
require chap = yes
refuse pap = yes
require authentication = no
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
8.] /usr/local/etc/raddb/users [relevant portion]
pppuser Auth-Type := Local, User-Password == "your password"
Service-Type = Framed-User,
Framed-Protocol = PPP
9.] /usr/local/etc/raddb/clients.conf
client 10.10.1.57 {
secret = secret
shortname = vpn_server
nastype = other
}
I hope this helps you. You can also read up on L2TP/VPN at http://www.jacco2.dds.nl/networking/win2000xp-openswan.html.
Rgds,
Gbenga
Thanks. It fixes the dictionary errors but another error comes up. See
the log.
May 28 09:54:09 vpn pppd[24108]: Plugin radius.so loaded.
May 28 09:54:09 vpn pppd[24108]: RADIUS plugin initialized.
May 28 09:54:09 vpn pppd[24108]: Plugin radattr.so loaded.
May 28 09:54:09 vpn pppd[24108]: RADATTR plugin initialized.
May 28 09:54:09 vpn pppd[24108]: pppd 2.4.4 started by root, uid 0
__________________________________________________________
Sent from Yahoo! Mail.
A Smarter Email http://uk.docs.yahoo.com/nowyoucan.html
Giovani Moda
2008-06-02 20:05:11 UTC
Post by Arnel B. Espanola
Here are my configs. Take note that I'm actually using public IPs but I
just changed them into private IPs. Thanks.

Is the radius server on the same machine as your VPN server? If not,
please post your /etc/radiusclient/radiusclient.conf,
/etc/radiusclient/servers and /etc/radiusclient/clients.conf. Feel free
to mask any relevant information, but make sure we can distinguish your
private from your public IPs when doing so.

Giovani Moda
Arnel B. Espanola
2008-06-02 20:45:51 UTC
Here are the radiusclient configs in my vpn server. My VPN (10.0.1.23)
and Radius (10.0.1.101) are on different servers. I don't have
/etc/radiusclient/clients.conf in my VPN server but I have clients.conf
in my Radius server. Do I need that file in my vpn server as well? Also,
please note that the login.radius file doesn't exist in my vpn server
which is configured in radiusclient.conf.
 
Please note that I'm running Fedora 6. I installed the 'radiusclient-ng'
package because Fedora doesn't have a 'radiusclient' package. And then I
created the radiusclient directory and copied there all the files from the
'radiusclient-ng' directory. File permissions stay the same.

Appreciate your help on this!

Arnel

1.)radiusclient.conf

# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order radius,local

# maximum login tries a user has
login_tries 4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout 60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only display when no username is passed
# on the radlogin command line
# issue /etc/radiusclient-ng/issue
issue /etc/radiusclient/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more then one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify a the port number on which is remote
# RADIUS listens separated by a colon from the hostname. if
# no port is specified /etc/services is consulted of the radius
# service. if this fails also a compiled in default is used.
#authserver auth.ucla.edu:1812
authserver 10.0.1.101:1812

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
#acctserver localhost
#acctserver auth.ucla.edu
acctserver 10.0.1.101:1813

# file holding shared secrets used for the communication
# between the RADIUS client and server
#servers /etc/radiusclient-ng/servers
servers /etc/radiusclient/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
#dictionary @pkgdatadir@/dictionary
dictionary /etc/radiusclient/dictionary

# program to call for a RADIUS authenticated login
login_radius /usr/sbin/login.radius
Note: this login.radius file doesn't exist in my vpn server

# file which holds sequence number for communication with the
# RADIUS server
seqfile /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
#mapfile /etc/radiusclient-ng/port-id-map
mapfile /etc/radiusclient/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly form Livingston doesnt use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout 10

# resend request this many times before trying the next server
radius_retries 3

# local address from which radius packets have to be sent
# bindaddr *

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local /bin/login

2.) servers

#Server Name or Client/Server pair Key
#---------------- ---------------
10.0.1.23 (vpn server) [removed]
10.0.1.101 (radius server) [removed]
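The shared secret that both the radiusclient `servers` file and the FreeRADIUS `clients.conf` carry is what hides User-Password in the Access-Request and signs the server's reply. The following is an added example, not code from this thread, pppd or radiusclient: a small Python model of that exchange, using the pppuser/"your password"/testing123 values and the 10.0.1.23 NAS address posted above; `build_response` is a hypothetical stand-in for the FreeRADIUS side so that the reply check can be exercised offline.

```python
# Added example (not code from this thread, pppd or radiusclient): a minimal model of the
# RADIUS Access-Request/Accept exchange that radius.so performs, showing what the shared
# secret in /etc/radiusclient/servers and clients.conf is used for.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7

def _avp(attr_type, value):
    # One attribute-value pair: type, total length, value (RFC 2865 section 5)
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def encrypt_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    # What the NAS (the VPN server running pppd) sends; the Request Authenticator is random
    authenticator = authenticator or os.urandom(16)
    attrs = (_avp(USER_NAME, user)
             + _avp(USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + _avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _avp(SERVICE_TYPE, struct.pack("!I", 2))       # 2 = Framed-User
             + _avp(FRAMED_PROTOCOL, struct.pack("!I", 1)))   # 1 = PPP
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def _response_authenticator(head, request_authenticator, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(head + request_authenticator + attrs + secret).digest()

def build_response(code, request, secret, attrs=b""):
    # Hypothetical stand-in for the FreeRADIUS side, so verify_response can be exercised
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + _response_authenticator(head, request[4:20], attrs, secret) + attrs

def verify_response(response, request, secret):
    # Accept the reply only if it was signed with the secret this NAS holds for the server
    if len(response) < 20 or len(request) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = _response_authenticator(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```

A reply built with a different secret fails `verify_response`, which is the client-side symptom of a mismatch between the `servers` file and `clients.conf`.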
Giovani Moda
2008-06-02 21:12:21 UTC
Post by Arnel B. Espanola
Please note that I'm running Fedora 6. I installed the 'radiusclient-ng'
package because Fedora doesn't have a 'radiusclient' package. And then I
created the radiusclient directory and copied there all the files from the
'radiusclient-ng' directory. File permissions stay the same.

Remove

10.0.1.23 (vpn server) [removed]
Arnel B. Espanola
2008-06-02 22:10:41 UTC
Here's the clients.conf. Yes I'm using NETKEY. I've tried your
suggestions but I'm still getting the same error messages.

client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}

client 10.0.1.0/24 {
secret = testing123
shortname = vpn
nastype = other
}


/Arnel
Giovani Moda
2008-06-03 12:19:31 UTC
Post by Arnel B. Espanola
Here's the clients.conf. Yes I'm using NETKEY. I've tried your
suggestions but I'm still getting the same error messages.

Your config is alright. The problem is somewhere else. I'm out of ideas
here... Maybe you should seek help from the pppd guys at their
forum. Here is the code in the pppd radius plugin that reports that error,
but I can't figure out what leads to it:

    length = sizeof (salocal);
    sin = (struct sockaddr_in *) & salocal;
    memset ((char *) sin, '\0', (size_t) length);
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = htonl(INADDR_ANY);
    sin->sin_port = htons ((unsigned short) 0);
    if (bind (sockfd, (struct sockaddr *) sin, length) < 0 ||
        getsockname (sockfd, (struct sockaddr *) sin, &length) < 0)
    {
        close (sockfd);
        memset (secret, '\0', sizeof (secret));
        error("rc_send_server: bind: %s: %m", server_name);
        return (ERROR_RC);
    }

As a last resort, is selinux disabled? Is pppd running as root? When and
if you find an answer, let me know. I came across some guys with the
same error around, and I'm sure we could help them out. :-)

Giovani Moda
Arnel B. Espanola
2008-06-06 15:16:40 UTC
I'd like to thank you for helping me in resolving the issue I had about
the 'permission denied' error. I finally got it working after days of
hard work. It was selinux that prevented me from connecting to the
radius server. By disabling it I was able to connect and authenticate
via radius. So there's really nothing wrong with all the configurations
I have, except for some minor changes I made which are irrelevant to the
issue.

/Arnel