Hi all,
I would like to authenticate users connecting to VPN (Remote-Access) by RADIUS and EAP-TLS (certificates). Is it possible?
I tried to do it and created lab in GNS and configured FreeRADIUS to use EAP-TLS but it doesn't work...
My router config:
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization network default group radius
!
!
aaa session-id common
ip source-route
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group vpn
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr aes 256
hash sha
authentication rsa-sig
group 5
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map vpn 10
set nat demux
set transform-set vpn
!
!
crypto map vpn 10 ipsec-isakmp dynamic vpn
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet1/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool vpn-pool
ppp mtu adaptive
ppp authentication eap
!
!
ip local pool vpn-pool 10.1.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.12.2
no ip http server
no ip http secure-server
!
!
!
radius-server host 192.168.2.100 auth-port 1812 acct-port 1813 retransmit 1 key testing123
!
control-plane
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
end
I tried to connect using VPN CLient and in debug was:
*May 20 12:30:35.739: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 20 12:30:35.739: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 20 12:30:35.743: ISAKMP:(0):no offers accepted!
*May 20 12:30:35.743: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.12.1 remote 192.168.56.1)
*May 20 12:30:35.743: ISKAMP: growing send buffer from 1024 to 3072
*May 20 12:30:35.747: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May 20 12:30:35.747: ISAKMP:(0): Failed to construct AG informational message.
*May 20 12:30:35.747: ISAKMP:(0): sending packet to 192.168.56.1 my_port 500 peer_port 1043 (R) MM_NO_STATE
*May 20 12:30:35.747: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 20 12:30:35.747: ISAKMP:(0):peer does not do paranoid keepalives.
*May 20 12:30:35.747: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.56.1)
*May 20 12:30:35.747: ISAKMP (0): FSM action returned error: 2
*May 20 12:30:35.747: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 20 12:30:35.747: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*May 20 12:30:35.751: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.56.1)
*May 20 12:30:35.751: ISAKMP: Unlocking peer struct 0x670060AC for isadb_mark_sa_deleted(), count 0
*May 20 12:30:35.751: ISAKMP: Deleting peer node by peer_reap for 192.168.56.1: 670060AC
*May 20 12:30:35.759: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 20 12:30:35.759: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*May 20 12:30:35.763: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 192.168.56.1)
*May 20 12:30:35.763: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*May 20 12:30:35.763: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
VPN Client support only IPSec and can't work with L2TP? I can't find how configure Windows XP client with L2TP and certificate...
Any ideas?
