Ping a Specific Port

Question

Christian

Asked: 2018-11-14 03:31:46 +0800 CST2018-11-14 03:31:46 +0800 CST 2018-11-14 03:31:46 +0800 CST

StrongSwan on Amazon Linux with RADIUS

772

I'm trying to run strongSwan on an Amazon Linux instance with authentication against RADIUS but I receive an error when trying to start strongSwan

charon[9518]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required

To install strongSwan I ran

yum install strongswan

# swanctl --version strongSwan swanctl 5.7.1

# swanctl --stats loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters

cat <<EOF > /etc/strongswan/strongswan.d/charon/eap-radius.conf
eap-radius {
    load = yes
    nas_identifier = ${DNSNAME}
    retransmit_timeout = 30
    retransmit_tries = 1
    servers {
        primary {
            preference = 99
            address = ${RADIUSFQDN}
            auth_port = 1812
            secret = ${RADIUSPSWD}
            sockets = 5
        }
    }
}
EOF

Complete startup log

Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[MGR] tried to checkin and delete nonexisting IKE_SA
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[IKE] unable to resolve %any, initiate aborted
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[CFG] received stroke: initiate 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] added configuration 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG]   loaded certificate "CN=vpn.test.dev.poddev.naimuri.uk" from 'vpnserver.crt'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] adding virtual IP address pool 192.168.250.0/24
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] received stroke: add connection 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: charon (10493) started after 60 ms
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: charon (10493) started after 60 ms
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[JOB] spawning 16 worker threads
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation const
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] no script for ext-auth script defined, disabled
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] HA config misses local/remote address
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded 0 RADIUS server configurations
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading RADIUS server 'primary' failed, skipped
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] sql plugin: database URI not set
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/vpnserver.key'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/etc/strongswan/ipsec.d/
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] openssl FIPS mode(2) - enabled
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] PKCS11 module '<name>' lacks library path
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 4.14.72-73.55.amzn2.x86_64, x86_64)
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: Starting strongSwan 5.7.1 IPsec [starter]...
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: Starting strongSwan 5.7.1 IPsec [starter]...

1 Answers

Voted

ecdsa · Answer 1 · 2018-11-14T06:27:20+08:00

The problem is that you are using OpenSSL in FIPS mode, which disables MD5 as that's not FIPS-approved.

While you do have both the md5 and hmac plugins loaded, the latter is ordered after the openssl plugin, which still registers its own implementation of HMAC_MD5_128. This implementation can even be instantiated, as the plugin's HMAC constructor really only checks if there is a static EVP_MD instance for the given hash algorithm, which, unfortunately, is the case for MD5 even in FIPS mode. However, using that instance with HMAC_INIT_ex() later fails (what triggers the error is trying to set the key on the HMAC instance).

To avoid this you could either disable FIPS mode (via charon.plugins.openssl.fips_mode), or make sure that the HMAC implementation provided by the hmac plugin is used instead of that of the openssl plugin.

The latter can be achieved by modifying the load setting of either of these plugins in their respective config snippet in /etc/strongswan/strongswan.d/charon in order to either demote the openssl plugin (set it to a negative numeric value), or by promoting the hmac plugin (set it to a value > 1). After a restart, the plugin order seen in swanctl --stats should be changed accordingly, and the output of swanctl --list-algs should show that the hmac plugin is providing HMAC_MD5_128.

StrongSwan on Amazon Linux with RADIUS

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?