我需要您的帮助和专业知识来解决我面临的情况。我目前正在使用带证书 + EAP 的 IKEv2 在 IPsec 客户端 (TheGreenBow)、OpenWRT 路由器上的 VPN 服务器和 FreeRADIUS 服务器之间测试 IPsec 隧道。当我使用带证书 + XAuth 的 IKEv1 执行测试时,隧道成功建立,整个链似乎运行正常。但是,当我切换到带 EAP 的 IKEv2 时,隧道无法建立,并且我收到路由器发送到 RADIUS 服务器的异常格式。以下是来自客户端、VPN 服务器和 RADIUS 服务器的日志。
日志客户端
TIKEV2_Ikev2Gateway SEND IKE_SA_INIT [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][VID][N(SIGNATURE_HASH_ALGORITHMS)]
TIKEV2_Ikev2Gateway RECV IKE_SA_INIT [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][CERTREQ][N(MULTIPLE_AUTH_SUPPORTED)][VID][VID]
TIKEV2_Ikev2Gateway IKE SA I-SPI 661715392CB994EF R-SPI 892874DACC2BB2A0
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][IDi][CERT][N(INITIAL_CONTACT)][CERTREQ][AUTH][SA]
[TSi][TSr][N(ESP_TFC_PADDING_NOT_SUPPORTED)][N(ANOTHER_AUTH_FOLLOWS)]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][IDr][CERT][AUTH]
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][IDi]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][EAP(REQUEST/MS-EAP-Authentication/Challenge)]
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][EAP(RESPONSE/MS-EAP-Authentication/Response)]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][EAP(FAILURE)]
TIKEV2_Ikev2Gateway Remote endpoint sent EAP FAILURE code
日志服务器
ipsec: 01[IKE] <Test-VPN|1> authentication of 'CN=fenix' with RSA signature successful
ipsec: 01[IKE] <Test-VPN|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
ipsec: 01[IKE] <Test-VPN|1> authentication of 'CN=server' (myself) with RSA signature successful
ipsec: 01[IKE] <Test-VPN|1> sending end entity cert "CN=server"
ipsec: 01[ENC] <Test-VPN|1> generating IKE_AUTH response 1 [ IDr CERT AUTH ]
ipsec: 03[ENC] <Test-VPN|1> parsed IKE_AUTH request 2 [ IDi ]
ipsec: 03[CFG] <Test-VPN|1> sending RADIUS Access-Request to server 'PISERVER2'
ipsec: 03[CFG] <Test-VPN|1> received RADIUS Access-Challenge from server 'PISERVER2'
ipsec: 03[IKE] <Test-VPN|1> initiating EAP_MSCHAPV2 method (id 0x01)
ipsec: 03[ENC] <Test-VPN|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
ipsec: 12[ENC] <Test-VPN|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
ipsec: 12[CFG] <Test-VPN|1> sending RADIUS Access-Request to server 'PISERVER2'
ipsec: 12[CFG] <Test-VPN|1> received RADIUS Access-Reject from server 'PISERVER2'
ipsec: 12[IKE] <Test-VPN|1> RADIUS authentication of 'CN=fenix' failed
ipsec: 12[IKE] <Test-VPN|1> EAP method EAP_MSCHAPV2 failed for peer CN=fenix
ipsec: 12[ENC] <Test-VPN|1> generating IKE_AUTH response 3 [ EAP/FAIL ]
ipsec: 12[IKE] <Test-VPN|1> destroying IKE_SA in state CONNECTING without notification
记录 Freeradius
(32) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32) authenticate {
(32) eap: Expiring EAP session with state 0x581fe34d581ef956
(32) eap: Finished EAP session with state 0x581fe34d581ef956
(32) eap: Previous EAP request found for state 0x581fe34d581ef956, released from the list
(32) eap: Broken NAS did not set User-Name, setting from EAP Identity
(32) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(32) eap: Calling submodule eap_mschapv2 to process data
(32) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32) eap_mschapv2: authenticate {
(32) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(32) mschap: WARNING: User-Name (0?1?0???U????fenix) is not the same as MS-CHAP Name
(alice) from EAP-MSCHAPv2
(32) mschap: Creating challenge hash with username: alice
(32) mschap: Client is using MS-CHAPv2
(32) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(32) mschap: ERROR: MS-CHAP2-Response is incorrect
(32) eap_mschapv2: [mschap] = reject
(32) eap_mschapv2: } # authenticate = reject
(32) eap: Sending EAP Failure (code 4) ID 1 length 4
(32) eap: Freeing handler
(32) [eap] = reject
(32) } # authenticate = reject
(32) Failed to authenticate the user
(32) Using Post-Auth-Type Reject
(32) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32) Post-Auth-Type REJECT {
(32) attr_filter.access_reject: EXPAND %{User-Name}
(32) attr_filter.access_reject: --> 0\0201\0160\014\006\003U\004\003\014\005fenix
(32) attr_filter.access_reject: Matched entry DEFAULT at line 11
(32) [attr_filter.access_reject] = updated
(32) [eap] = noop
(32) policy remove_reply_message_if_eap {
(32) if (&reply:EAP-Message && &reply:Reply-Message) {
(32) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(32) else {
(32) [noop] = noop
(32) } # else = noop
(32) } # policy remove_reply_message_if_eap = noop
(32) } # Post-Auth-Type REJECT = updated
(32) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [0?1?0???U????fenix/<via Auth-Type = eap>] (from client any port 0)
(32) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(32) Sent Access-Reject Id 238 from 192.168.100.20:1812 to 192.168.100.1:48596 length 127
(32) MS-CHAP-Error = "\001E=691 R=1 C=8dd1e38e788b7fd823ab10a4fa9fff70 V=3 M=Authentication rejected"
我还进行了其他测试,使用(StrongSwan 客户端 + StrongSwan 服务器 + FreeRADIUS)和(TheGreenBow 客户端 + OpenWRT StrongSwan 服务器 + 链接到 Active Directory 的 NPS),但我总是遇到相同的用户名格式,而我的 RADIUS 服务器不接受该格式。
> 0\0201\0160\014\006\003U\004\003\014\005fenix
与 Xauth 不同,客户端根据其证书的 CN 发送用户名,而不是真实用户名。infos client --> username : alice, CN=fenix
如能得到您的帮助以解决此事,我们将不胜感激。
此致