Running a strongSwan server with RADIUS on your VPS

Strongswan install

1. Prepare the environment:

2. Get the package:

3. Install the package:

Note: 1) If your VPS is OpenVZ based, you must add --enable-kernel-libipsec to the configure flags: an OpenVZ container cannot use the host kernel's IPsec (XFRM) stack, so ESP has to be handled in userspace by the libipsec plugin. On a KVM/Xen VPS or bare metal the flag is not needed.
2) 5.2.1 can be replaced with another release.
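As an added example (not part of the original post), the following shell script picks the configure flags for a source build of strongSwan and adds --enable-kernel-libipsec only when it detects an OpenVZ container. The release number, the download URL, the EAP plugin flags and the OpenVZ detection heuristic are my assumptions, not the post's own commands.

```sh
#!/bin/sh
# Added example: choose strongSwan ./configure flags for a source build.
# The version, download URL and EAP flags are assumptions, not the post's.
STRONGSWAN_VERSION="${STRONGSWAN_VERSION:-5.2.1}"

# Inside an OpenVZ container /proc/vz exists but /proc/bc does not
# (/proc/bc is only present on the hardware node). Same check virt-what uses.
is_openvz() {
    [ -d /proc/vz ] && [ ! -d /proc/bc ]
}

# Print the configure flags for a host type: "openvz" or "kernel".
strongswan_configure_flags() {
    host_type="$1"
    flags="--enable-openssl"
    # eap-radius forwards client authentication to FreeRADIUS; eap-identity
    # lets charon ask the client for its EAP identity before proxying.
    flags="$flags --enable-eap-radius --enable-eap-identity"
    # eap-mschapv2 is what stock Windows/iOS IKEv2 clients offer;
    # eap-md5 is what the post's FreeRADIUS setup falls back to.
    flags="$flags --enable-eap-mschapv2 --enable-eap-md5"
    if [ "$host_type" = "openvz" ]; then
        # No kernel XFRM stack in the container: process ESP in userspace.
        flags="$flags --enable-kernel-libipsec"
    fi
    printf '%s\n' "$flags"
}

# Full build sequence; run as root on the VPS (not invoked here).
build_strongswan() (
    if is_openvz; then host_type=openvz; else host_type=kernel; fi
    tarball="strongswan-${STRONGSWAN_VERSION}.tar.bz2"
    wget -q "https://download.strongswan.org/${tarball}" || exit 1
    tar xjf "$tarball" || exit 1
    cd "strongswan-${STRONGSWAN_VERSION}" || exit 1
    # word splitting of the flag string is intended here
    ./configure $(strongswan_configure_flags "$host_type") && make && make install
)
```

Run `strongswan_configure_flags openvz` to see the flag set before building; `build_strongswan` runs the whole download/configure/make/install sequence in a subshell so it does not change your working directory.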

Configuration of Strongswan

The default configuration is under:

1. ipsec.conf: This holds the connection definitions (the conn sections) that every client is matched against. You can configure it like the following:

2. ipsec.secrets:

3. strongswan.conf:

Note:
1) radius.xxx.com is the address or IP of your RADIUS server.
2) The secret is a shared secret you choose yourself; it must match the secret configured for this NAS in FreeRADIUS's clients.conf.
3) The two secrets do not have to be the same.
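As an added example (not the post's own files), the following function writes the three files for an IKEv2 gateway that authenticates clients over EAP-RADIUS. The connection name, the client address pool, the certificate and key file names, the dae (Dynamic Authorization) block that later lets RADIUS disconnect a user, and the target directory are assumptions; the RADIUS address and secret are the ones the note above refers to.

```sh
#!/bin/sh
# Added example: generate ipsec.conf, ipsec.secrets and strongswan.conf for
# IKEv2 + EAP-RADIUS. Pool, file names, conn name and dae block are assumptions.
write_strongswan_config() {
    confdir="$1"        # e.g. /usr/local/etc for a default source build
    radius_server="$2"  # radius.xxx.com in the post
    radius_secret="$3"  # must equal the secret in FreeRADIUS clients.conf
    domain="$4"         # yourdomain: the gateway identity in the certificate
    dae_secret="${5:-$radius_secret}"  # the two secrets may differ

    mkdir -p "$confdir"

    cat > "$confdir/ipsec.conf" <<EOF
config setup
    uniqueids=never

# One conn every road-warrior client matches: the gateway proves itself
# with its certificate, the client with EAP, which charon hands to RADIUS.
conn ikev2-eap-radius
    keyexchange=ikev2
    left=%any
    leftid=@${domain}
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity
    auto=add
EOF

    # Only the gateway's private key; EAP clients need no PSK here.
    cat > "$confdir/ipsec.secrets" <<EOF
: RSA server.key.pem
EOF
    chmod 600 "$confdir/ipsec.secrets"

    cat > "$confdir/strongswan.conf" <<EOF
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                primary {
                    address = ${radius_server}
                    secret = ${radius_secret}
                    auth_port = 1812
                    acct_port = 1813
                }
            }
            # Accept RFC 5176 Disconnect/CoA requests (used to kick users).
            dae {
                enable = yes
                listen = 0.0.0.0
                port = 3799
                secret = ${dae_secret}
            }
        }
    }
}
EOF
    # Both files carry shared secrets: keep them readable by root only.
    chmod 600 "$confdir/strongswan.conf"
}
```

Call it as `write_strongswan_config /usr/local/etc radius.xxx.com 'your-radius-secret' yourdomain` and then `ipsec restart`. Firewall the dae port (3799/udp) so only the RADIUS host can reach it; anyone who can send to it with the secret can disconnect sessions.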

Install the certificates

Here is a simpler way to install the certificates; replace yourdomain with your host's domain:

Configuration for the network (router)

Note: ?.?.?.? is the strongSwan server's IP address.
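As an added example (not the post's own commands), assuming this step is the forwarding and source NAT on the VPS that lets pool clients reach the internet via the server address, the function below prints the rules for a given server IP (the ?.?.?.? above) so they can be reviewed before applying. The pool 10.10.10.0/24, the interface name and the choice of SNAT are assumptions.

```sh
#!/bin/sh
# Added example: forwarding and source NAT for VPN pool clients.
# Pool, WAN interface and the use of SNAT are assumptions.
VPN_POOL="${VPN_POOL:-10.10.10.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print the commands for a given public IP; apply with: vpn_nat_rules 1.2.3.4 | sh
vpn_nat_rules() {
    server_ip="$1"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Do not NAT packets that are about to enter an IPsec tunnel (kernel XFRM
# case); with kernel-libipsec there is no such policy and the rule is inert.
iptables -t nat -A POSTROUTING -s ${VPN_POOL} -m policy --dir out --pol ipsec -j ACCEPT
# Hand out the VPS address to pool clients leaving on the WAN interface.
iptables -t nat -A POSTROUTING -s ${VPN_POOL} -o ${WAN_IF} -j SNAT --to-source ${server_ip}
# Allow the forwarded traffic both ways.
iptables -A FORWARD -s ${VPN_POOL} -j ACCEPT
iptables -A FORWARD -d ${VPN_POOL} -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let IKE (500/udp, 4500/udp NAT-T) and ESP reach charon.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
EOF
}
```

These rules append to whatever chains already exist; if your INPUT or FORWARD policy is DROP, check the order with `iptables -L -n -v` after applying.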

Now the Strongswan part is finished.

Install FreeRADIUS

If you get the Heartbleed warning (radiusd refuses to start because the OpenSSL it is linked against is vulnerable), do the following steps:

After that, change “allow_vulnerable_openssl = no” to “allow_vulnerable_openssl = yes” in /usr/local/etc/raddb/radiusd.conf. Note that this setting only silences the startup check; it does not fix anything. The real fix is an OpenSSL release with the Heartbleed patch (1.0.1g or later), after which the default of “no” can stay.

Configuration of FreeRADIUS
The FreeRADIUS configuration directory is under:

1) Add the following line to the dictionary file:

2) sites-enabled/default: Comment out the unix and files lines and remove the comment marker from the sql lines.

3) radiusd.conf: Remove the comment marker from the “$INCLUDE sql.conf” line.

4) clients.conf: Change secret = testing123 under the localhost section. testing123 is the well-known default shipped with FreeRADIUS; replace it with a long random string.

5) sql.conf: Change the following settings in the sql section to match your database:

6) sql/mysql/dialup.conf: Add the following line and comment out the other sql_user_name lines:

Uncomment the simul_query_check line.

Create the database

Create the base tables and data in the database:

After that, it is better to run a local test. Add a test user:

Test with something like the following:

If you receive “Access-Accept”, your local configuration is OK.

Add NAS clients
The NAS (Network Access Server) is your strongSwan server: from FreeRADIUS's point of view the VPN gateway is the RADIUS client.
You only need to change clients.conf; add a section like the following:
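As an added example (not the post's own configuration) covering both the local test above and the NAS entry here: a function that appends a strongSwan gateway to clients.conf, one that produces the radcheck row for a test user, and a check on radtest output that reports whether an Access-Accept came back. The raddb path, database name, NAS name and the sample radtest lines in the usage are assumptions or constructed; the NAS secret must equal the secret in strongswan.conf's eap-radius section.

```sh
#!/bin/sh
# Added example: register the strongSwan gateway as a NAS, create a test
# user in SQL, and check the radtest result. Paths and names are assumptions.
RADDB="${RADDB:-/usr/local/etc/raddb}"
RADIUS_DB="${RADIUS_DB:-radius}"

# Append a NAS block. FreeRADIUS looks the NAS up by source IP and silently
# drops packets from addresses without a client block, so a missing entry
# shows up on the strongSwan side as a RADIUS timeout, not as a reject.
add_nas_client() {
    name="$1"; ip="$2"; secret="$3"
    cat >> "$RADDB/clients.conf" <<EOF

client ${name} {
    ipaddr    = ${ip}
    secret    = ${secret}
    nastype   = other
    shortname = ${name}
}
EOF
}

# SQL for a user with a cleartext password in radcheck. EAP-MSCHAPv2 and
# EAP-MD5 need a cleartext (or NT hash) password to compute their responses;
# a plain salted hash cannot serve EAP. Only feed this trusted admin input:
# the values are not SQL-escaped.
test_user_sql() {
    printf "INSERT INTO radcheck (username, attribute, op, value) VALUES ('%s', 'Cleartext-Password', ':=', '%s');\n" "$1" "$2"
}

# Exit 0 if the radtest output on stdin contains an Access-Accept, else 1.
radtest_accepted() {
    grep -q 'Access-Accept'
}

# Local test as the post describes, using the localhost client secret.
local_radius_test() {
    user="$1"; pass="$2"; localhost_secret="$3"
    radtest "$user" "$pass" 127.0.0.1 0 "$localhost_secret" | radtest_accepted
}
```

Typical use: `test_user_sql alice 'S3cret!' | mysql "$RADIUS_DB"`, then `local_radius_test alice 'S3cret!' testing123 && echo OK`, and finally `add_nas_client strongswan 203.0.113.5 'your-radius-secret'` followed by a restart of radiusd. Run radiusd -X in the foreground while testing; it shows which client block a packet matched and why an Access-Reject was sent.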

You can also add a CoA home server in proxy.conf with the following:

With CoA set up, the kick-user function is enabled too. The CoA traffic is not handled yet; do that by modifying sites-enabled/default:

You should also listen for CoA in radiusd.conf by adding these lines:
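As an added example (not the post's own configuration) of the kick-user function, the script below sends an RFC 5176 Disconnect-Request with radclient directly to charon's eap-radius DAE listener, which is the other end of the CoA path the post sets up, and reads the answer. The gateway address, the DAE port 3799, the DAE secret and the sample reply lines in the usage are assumptions or constructed; charon must have dae { enable = yes } in its eap-radius configuration.

```sh
#!/bin/sh
# Added example: disconnect a VPN user via RADIUS Dynamic Authorization.
# Gateway address, DAE port and secret are assumptions.
STRONGSWAN_IP="${STRONGSWAN_IP:-203.0.113.5}"
DAE_PORT="${DAE_PORT:-3799}"
DAE_SECRET="${DAE_SECRET:-dae-secret}"

# Attribute list radclient reads on stdin. charon selects the session by
# User-Name; Acct-Session-Id or Framed-IP-Address can narrow it further.
disconnect_attrs() {
    printf 'User-Name = "%s"\n' "$1"
}

# Exit 0 on Disconnect-ACK (session torn down); 1 on Disconnect-NAK or
# no reply at all (wrong secret, firewalled port, unknown user).
disconnect_result() {
    grep -q 'Disconnect-ACK'
}

# Kick one user. -x makes radclient print the packets it sends and receives.
kick_user() {
    disconnect_attrs "$1" \
        | radclient -x "${STRONGSWAN_IP}:${DAE_PORT}" disconnect "$DAE_SECRET" \
        | disconnect_result
}
```

Usage: `kick_user alice && echo "alice disconnected"`. Because the DAE secret alone authorizes tearing down sessions, restrict 3799/udp on the gateway to the RADIUS host and keep the secret out of shell history (export it from a root-only file rather than typing it).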

I’m not sure the configuration is right, but it is finished.

Comments

  1. I’m not sure the configuration is right, but it is finished.

    Why make this statement? I configured it through the above tutorial and am facing issues.

    looking for peer configs matching 138.68.79.62[138.68.79.62]…151.243.102.104[test4]
    Dec 17 18:30:00 16[CFG] no matching peer config found
    Dec 17 18:30:00 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 17 18:30:00 16[IKE] peer supports MOBIKE
    Dec 17 18:30:00 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 17 18:30:00 16[NET] sending packet: from 138.68.79.62[4500] to 151.243.102.104[4500] (80 bytes)

  2. I tried it but it doesn’t work.

    I’m receiving these logs on the server:
    RADIUS authentication of ‘varun’ failed
    11[IKE] EAP method EAP_MD5 failed for peer varun
