
I have a working strongSwan IKEv2 VPN; it uses eap-mschapv2 as rightauth. It's working fine as long as I use the ipsec.secrets file to store the user credentials.

# ipsec.secrets file
: RSA vpn-server-key.pem
arav %any : EAP "accessit"

But I want to change it to store these secrets in a MySQL database. I've connected the MySQL database in the sql.conf file; I just want to know how to insert these user credentials into the MySQL table.

Referring to this guide: https://wiki.strongswan.org/projects/strongswan/wiki/SQLite

It doesn't store the secrets in plain text but uses some kind of encryption to do so. Can anyone tell me how to do that?

Any help will be appreciated

Varun Taliyan

1 Answer


It doesn't store the secrets in plain text but uses some kind of encryption to do so.

That's not the case. The secrets are stored in plain text. So just insert the shared secrets and identities as indicated on the referenced wiki page (using your example data):

/* type: ID_FQDN, data: arav */
INSERT INTO identities (type, data) VALUES (2, X'61726176');
/* type: SHARED_EAP, data: accessit */
INSERT INTO shared_secrets (type, data) VALUES (2, X'6163636573736974');
/* to associate the identity with the secret, use the actual ids of the two rows above */
INSERT INTO shared_secret_identity (shared_secret, identity) VALUES (1, 1);
ecdsa
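As an added example (not the answer's own code and not part of strongSwan), a small Python helper that builds these INSERTs with programmatically encoded X'...' literals, links the two rows via MySQL's LAST_INSERT_ID() instead of assuming they got id 1, and emits the SELECT you can run to confirm that the password is actually associated with the username. It assumes the table names from the answer and the type codes it uses (identities.type 2 = ID_FQDN, shared_secrets.type 2 = SHARED_EAP).

```python
# Added example, not strongSwan's own code. Type codes as used in the answer.
ID_FQDN = 2       # identities.type for a plain username such as "arav"
SHARED_EAP = 2    # shared_secrets.type for an EAP password


def to_hex_literal(text: str) -> str:
    """Encode a string as the X'...' hex literal used in the wiki's INSERTs."""
    return "X'" + text.encode("utf-8").hex().upper() + "'"


def from_hex_literal(literal: str) -> str:
    """Decode an X'...' literal back to text; use it to verify a hand-typed one
    before running the INSERT, since a transposed pair of hex digits silently
    stores a different password and the client simply fails to authenticate."""
    if not (literal.startswith("X'") and literal.endswith("'")):
        raise ValueError("expected an X'...' hex literal")
    return bytes.fromhex(literal[2:-1]).decode("utf-8")


def eap_user_statements(username: str, password: str) -> list[str]:
    """Return the statements that add one EAP user and link secret to identity.

    The link row takes both ids from LAST_INSERT_ID() in the same session, so
    it stays correct when the tables already contain other rows."""
    ident, secret = to_hex_literal(username), to_hex_literal(password)
    return [
        f"INSERT INTO identities (type, data) VALUES ({ID_FQDN}, {ident});",
        "SET @ident_id = LAST_INSERT_ID();",
        f"INSERT INTO shared_secrets (type, data) VALUES ({SHARED_EAP}, {secret});",
        "SET @secret_id = LAST_INSERT_ID();",
        "INSERT INTO shared_secret_identity (shared_secret, identity) "
        "VALUES (@secret_id, @ident_id);",
    ]


def lookup_statement(username: str) -> str:
    """Return a SELECT that shows which EAP secret(s) the sql plugin would find
    for this identity; an empty result means the link row is missing."""
    return (
        "SELECT s.id, s.data FROM shared_secrets s "
        "JOIN shared_secret_identity si ON si.shared_secret = s.id "
        "JOIN identities i ON i.id = si.identity "
        f"WHERE s.type = {SHARED_EAP} AND i.type = {ID_FQDN} "
        f"AND i.data = {to_hex_literal(username)};"
    )


if __name__ == "__main__":
    # Constructed sample matching the question's ipsec.secrets entry.
    print("\n".join(eap_user_statements("arav", "accessit")))
    print(lookup_statement("arav"))
```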
  • I followed your steps but still receiving the same error `Aug 4 11:42:03 ip-172-31-34-103 charon: 07[IKE] no EAP key found for hosts '52.15.108.115' - 'arav'` – Varun Taliyan Aug 04 '17 at 12:15
  • the code in sql.conf file is `sql { load = yes database = mysql://ipsec:accessit@localhost/ipsec }` – Varun Taliyan Aug 04 '17 at 12:17
  • Check the log for errors when the _sql_ plugin is initialized (make sure that it is actually loaded in the first place). – ecdsa Aug 04 '17 at 14:26
  • Using ipsec statusall, it shows that it is being loaded, but I'm not sure whether it is pulling the secrets from the database or not? When I place my username in the database it gets connected, and when I don't, it refuses to connect and says the authentication failed in the logs. – Varun Taliyan Aug 08 '17 at 04:19
  • You obviously have to associate the password with the username (as outlined in my answer), how else could the password be found? – ecdsa Aug 08 '17 at 06:55
  • I have added the password; I have added the entry in all 3 tables you explained. But still it is not working out. – Varun Taliyan Aug 08 '17 at 08:09
  • But you said above that it worked if you added the username to the database. What does that mean then exactly? – ecdsa Aug 08 '17 at 08:57
  • Ahh, sorry for the confusion. Actually, when I add the secrets to the ipsec.secrets file, it works fine. But when I remove the secrets from the file and put them in the database, it doesn't. Don't know what's wrong with it. I'm using a MySQL database and I've added the MySQL connection details in `/strongswan.d/charon/sql.conf` – Varun Taliyan Aug 08 '17 at 09:42
  • Could you post a database dump? – ecdsa Aug 08 '17 at 09:47
  • Hi, I've posted all my configuration here to give a clear picture of my setup. https://pastebin.com/aPM7Yw5V – Varun Taliyan Aug 08 '17 at 11:46
  • Do you actually have a `#` character in the DB password? That character is used for comments in the config files, try wrapping the complete DB connection string in quotes (`"`). – ecdsa Aug 08 '17 at 12:15
  • No luck. I've changed the password and removed the `#`, and tried wrapping and unwrapping the connection string in `' '`, but still it didn't work. Here I'm pasting the server log when I initiate a connection from a VPN client. Hope this will help. https://pastebin.com/x5btFJLM Can you please chat with me, if possible? I'm new and I don't have enough reputation to initiate a chat. This is the output of the `ipsec statusall` command: https://pastebin.com/YGB9aLbN – Varun Taliyan Aug 08 '17 at 12:40
  • The _sql_ plugin is not loaded according to `ipsec statusall` (check the log for errors when the daemon starts). – ecdsa Aug 08 '17 at 14:03
  • Thanks for your help so far. Yes, here is the log when I do `ipsec restart`: https://pastebin.com/kJSCSYsE. Both the sql and mysql plugins should be loaded to run? If it is not loaded, there might be some problem during the installation? Any advice? – Varun Taliyan Aug 09 '17 at 04:56
  • Well, the _sql_ plugin is not loaded. And the log output seems awfully sparse (try [increasing log levels](https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration)). Perhaps the _sql_ plugin is not built/installed (if you built strongSwan yourself check previous configure arguments in config.log and make sure `--enable-sql` was included, if not run configure again, then build and install again after running `make clean` first). – ecdsa Aug 14 '17 at 08:18