25.1.5 IKEv2 with RADIUS authentication is broken - Solved

Started by Slashing, April 10, 2025, 05:09:36 PM

Hi there. After updating from 25.1.4 to 25.1.5, IKEv2 broke.
The section with the RADIUS parameters in /usr/local/etc/strongswan.conf is empty.

2025-04-10T09:53:13-05:00 Informational charon 16[NET] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> sending packet: from 208.124.xx.xxx[4500] to 45.21.xx.xxx[4500] (65 bytes)
2025-04-10T09:53:13-05:00 Informational charon 16[ENC] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> generating IKE_AUTH response 2 [ EAP/FAIL ]
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> loading EAP_RADIUS method failed
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> received EAP identity 'user'
2025-04-10T09:53:13-05:00 Informational charon 16[ENC] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
2025-04-10T09:53:13-05:00 Informational charon 16[NET] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> received packet: from 45.21.xx.xxx[4500] to 208.124.xx.xxx[4500] (72 bytes)
2025-04-10T09:53:13-05:00 Informational charon 16[NET] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> sending packet: from 208.124.xx.xxx[4500] to 45.21.xx.xxx[4500] (163 bytes)
2025-04-10T09:53:13-05:00 Informational charon 16[ENC] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> authentication of 'vpn.on_opnsense.com' (myself) with ECDSA-256 signature successful
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> peer supports MOBIKE
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> initiating EAP_IDENTITY method (id 0x00)
2025-04-10T09:53:13-05:00 Informational charon 16[CFG] <77fea0b5-6d41-4707-a27a-fe283cc74685|4> selected peer config '77fea0b5-6d41-4707-a27a-fe283cc74685'
2025-04-10T09:53:13-05:00 Informational charon 16[CFG] <4> looking for peer configs matching 208.124.xx.xxx[vpn.on_opnsense.com]...45.21.xx.xxx[user]
2025-04-10T09:53:13-05:00 Informational charon 16[ENC] <4> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
2025-04-10T09:53:13-05:00 Informational charon 16[ENC] <4> unknown attribute type INTERNAL_DNS_DOMAIN
2025-04-10T09:53:13-05:00 Informational charon 16[NET] <4> received packet: from 45.21.xx.xxx[4500] to 208.124.xx.xxx[4500] (340 bytes)
2025-04-10T09:53:13-05:00 Informational charon 16[NET] <4> sending packet: from 208.124.xx.xxx[500] to 45.21.xx.xxx[500] (288 bytes)
2025-04-10T09:53:13-05:00 Informational charon 16[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <4> remote host is behind NAT
2025-04-10T09:53:13-05:00 Informational charon 16[CFG] <4> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
2025-04-10T09:53:13-05:00 Informational charon 16[IKE] <4> 45.21.xx.xxx is initiating an IKE_SA
2025-04-10T09:53:13-05:00 Informational charon 16[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2025-04-10T09:53:13-05:00 Informational charon 16[NET] <4> received packet: from 45.21.xx.xxx[500] to 208.124.xx.xxx[500] (272 bytes)
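As an added illustration (not part of the thread or of OPNsense's own tooling) of the check a defender would run before blaming the peer: a small parser for strongswan.conf's nested `name { ... }` / `key = value` syntax that flags an empty or server-less `charon.plugins.eap-radius` section, which is the condition behind the "loading EAP_RADIUS method failed" line above. Both configuration texts are constructed samples, and the address and secret values are placeholders.

```python
def parse_strongswan_conf(text):
    """Parse strongswan.conf's 'section { ... }' and 'key = value' lines into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":                       # close the innermost section
            stack.pop()
        elif line.endswith("{"):              # open a new named section
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:                     # plain key = value setting
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return root


def check_eap_radius(text):
    """Return a list of findings for the eap-radius plugin section; [] means it looks usable."""
    conf = parse_strongswan_conf(text)
    plugin = conf.get("charon", {}).get("plugins", {}).get("eap-radius")
    if plugin is None:
        return ["charon.plugins.eap-radius section missing"]
    if not plugin:
        return ["charon.plugins.eap-radius section is empty"]
    findings = []
    servers = plugin.get("servers", {})
    if not servers:
        findings.append("no servers defined under eap-radius")
    for name, srv in servers.items():
        for key in ("address", "secret"):     # minimum strongSwan needs to reach a RADIUS server
            if key not in srv:
                findings.append(f"server '{name}' lacks '{key}'")
    return findings


# Constructed sample resembling the broken state described in the post.
BROKEN_CONF = "charon {\n  plugins {\n    eap-radius {\n    }\n  }\n}\n"

# Constructed sample of a populated section (placeholder address and secret).
WORKING_CONF = """charon {
  plugins {
    eap-radius {
      servers {
        primary {
          address = 192.0.2.10
          secret = PLACEHOLDER-SECRET
        }
      }
    }
  }
}
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(label, check_eap_radius(conf) or "ok")
```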


What happens when you run this?

# /usr/local/opnsense/mvc/script/run_migrations.php


Cheers,
Franco

Thanks for the answer.
# /usr/local/opnsense/mvc/script/run_migrations.php - nothing in response; strongswan.conf also does not change.

Ok so migration wasn't it. Can you privately share the output of the following via PM?

# pluginctl -g OPNsense.IPsec.charon.plugins


Thanks,
Franco

Ok, I found something using your data:

# opnsense-patch https://github.com/opnsense/core/commit/fb87f688f6
# pluginctl ipsec

How's this?


Cheers,
Franco

Thanks Franco. You're awesome. Everything is working fine with the patch.

Great, this will be hotfixed together with the captive portal issue into 25.1.5_2 as soon as the other one is confirmed as well.


Cheers,
Franco

Hotfixing this now separately because the captive portal thing needs more review.


Cheers,
Franco