I need your help and expertise to resolve a situation I'm facing. I'm currently testing an IPsec tunnel using IKEv2 with certificate + EAP between an IPsec client (TheGreenBow), a VPN server on an OpenWRT router, and a FreeRADIUS server. When I perform tests using IKEv1 with certificate + XAuth, the tunnel establishes successfully, and the entire chain seems to be functioning correctly. However, when I switch to IKEv2 with EAP, the tunnel doesn't establish, and I'm getting an unusual format that the router sends to the RADIUS server. Below are the logs from the client, VPN server, and RADIUS server.

Client log

TIKEV2_Ikev2Gateway SEND IKE_SA_INIT [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][VID][N(SIGNATURE_HASH_ALGORITHMS)]
TIKEV2_Ikev2Gateway RECV IKE_SA_INIT [HDR][SA][KE][NONCE][N(NAT_DETECTION_SOURCE_IP)][N(NAT_DETECTION_DESTINATION_IP)][CERTREQ][N(MULTIPLE_AUTH_SUPPORTED)][VID][VID]
TIKEV2_Ikev2Gateway IKE SA I-SPI 661715392CB994EF R-SPI 892874DACC2BB2A0
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][IDi][CERT][N(INITIAL_CONTACT)][CERTREQ][AUTH][SA][TSi][TSr][N(ESP_TFC_PADDING_NOT_SUPPORTED)][N(ANOTHER_AUTH_FOLLOWS)]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][IDr][CERT][AUTH]
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][IDi]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][EAP(REQUEST/MS-EAP-Authentication/Challenge)]
TIKEV2_Ikev2Gateway SEND IKE_AUTH [HDR][EAP(RESPONSE/MS-EAP-Authentication/Response)]
TIKEV2_Ikev2Gateway RECV IKE_AUTH [HDR][EAP(FAILURE)]
TIKEV2_Ikev2Gateway Remote endpoint sent EAP FAILURE code

Server log

ipsec: 01[IKE] <Test-VPN|1> authentication of 'CN=fenix' with RSA signature successful
ipsec: 01[IKE] <Test-VPN|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
ipsec: 01[IKE] <Test-VPN|1> authentication of 'CN=server' (myself) with RSA signature successful
ipsec: 01[IKE] <Test-VPN|1> sending end entity cert "CN=server"
ipsec: 01[ENC] <Test-VPN|1> generating IKE_AUTH response 1 [ IDr CERT AUTH ]
ipsec: 03[ENC] <Test-VPN|1> parsed IKE_AUTH request 2 [ IDi ]
ipsec: 03[CFG] <Test-VPN|1> sending RADIUS Access-Request to server 'PISERVER2'
ipsec: 03[CFG] <Test-VPN|1> received RADIUS Access-Challenge from server 'PISERVER2'
ipsec: 03[IKE] <Test-VPN|1> initiating EAP_MSCHAPV2 method (id 0x01)
ipsec: 03[ENC] <Test-VPN|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
ipsec: 12[ENC] <Test-VPN|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
ipsec: 12[CFG] <Test-VPN|1> sending RADIUS Access-Request to server 'PISERVER2'
ipsec: 12[CFG] <Test-VPN|1> received RADIUS Access-Reject from server 'PISERVER2'
ipsec: 12[IKE] <Test-VPN|1> RADIUS authentication of 'CN=fenix' failed
ipsec: 12[IKE] <Test-VPN|1> EAP method EAP_MSCHAPV2 failed for peer CN=fenix
ipsec: 12[ENC] <Test-VPN|1> generating IKE_AUTH response 3 [ EAP/FAIL ]
ipsec: 12[IKE] <Test-VPN|1> destroying IKE_SA in state CONNECTING without notification

FreeRADIUS log

(32) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32)   authenticate {
(32) eap: Expiring EAP session with state 0x581fe34d581ef956
(32) eap: Finished EAP session with state 0x581fe34d581ef956
(32) eap: Previous EAP request found for state 0x581fe34d581ef956, released from the list
(32) eap: Broken NAS did not set User-Name, setting from EAP Identity
(32) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(32) eap: Calling submodule eap_mschapv2 to process data
(32) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32) eap_mschapv2:   authenticate {
(32) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(32) mschap: WARNING: User-Name (0?1?0???U????fenix) is not the same as MS-CHAP Name (alice) from EAP-MSCHAPv2
(32) mschap: Creating challenge hash with username: alice
(32) mschap: Client is using MS-CHAPv2
(32) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
(32) mschap: ERROR: MS-CHAP2-Response is incorrect
(32) eap_mschapv2:     [mschap] = reject
(32) eap_mschapv2:   } # authenticate = reject
(32) eap: Sending EAP Failure (code 4) ID 1 length 4
(32) eap: Freeing handler
(32)     [eap] = reject
(32)   } # authenticate = reject
(32) Failed to authenticate the user
(32) Using Post-Auth-Type Reject
(32) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(32)   Post-Auth-Type REJECT {
(32) attr_filter.access_reject: EXPAND %{User-Name}
(32) attr_filter.access_reject:    --> 0\0201\0160\014\006\003U\004\003\014\005fenix
(32) attr_filter.access_reject: Matched entry DEFAULT at line 11
(32)     [attr_filter.access_reject] = updated
(32)     [eap] = noop
(32)     policy remove_reply_message_if_eap {
(32)       if (&reply:EAP-Message && &reply:Reply-Message) {
(32)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(32)       else {
(32)         [noop] = noop
(32)       } # else = noop
(32)     } # policy remove_reply_message_if_eap = noop
(32)   } # Post-Auth-Type REJECT = updated
(32) Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication): [0?1?0???U????fenix/<via Auth-Type = eap>] (from client any port 0)
(32) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(32) Sent Access-Reject Id 238 from 192.168.100.20:1812 to 192.168.100.1:48596 length 127
(32)   MS-CHAP-Error = "\001E=691 R=1 C=8dd1e38e788b7fd823ab10a4fa9fff70 V=3 M=Authentication rejected"

I've also conducted other tests, using (strongSwan client + strongSwan server + FreeRADIUS) and (TheGreenBow client + OpenWRT strongSwan server + NPS linked to an Active Directory), but I consistently encounter the same format for the User-Name, which my RADIUS server or servers don't accept:

> 0\0201\0160\014\006\003U\004\003\014\005fenix

Unlike XAuth, the client sends a User-Name based on the CN of its certificate and not the real username. Client info: username: alice, CN=fenix.

Your assistance in resolving this matter would be greatly appreciated.

Best regards
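The "unusual format" in the question is readable once the FreeRADIUS octal escapes are undone: the bytes `30 10 31 0e 30 0c 06 03 55 04 03 0c 05 66 65 6e 69 78` are the DER encoding of the X.501 Name `CN=fenix`, i.e. the IKEv2 peer identity taken from the certificate subject (strongSwan's eap-radius plugin forwards that identity as the RADIUS User-Name, which is why FreeRADIUS later compares it with the MS-CHAP name `alice` and they differ). The following decoder is an added example written for this page; it is not code from the question, from strongSwan or from FreeRADIUS. It unescapes a User-Name as FreeRADIUS prints it, parses the DER Name (generalising to several RDNs, not only the single CN seen here) and distinguishes such a DN from a plain EAP-Identity username. The OID table and the second, multi-RDN sample are constructed for the example.

```python
"""Decode the DER-encoded Distinguished Name that appears as RADIUS User-Name
when an IKEv2 peer authenticates with a certificate and EAP (added example).

FreeRADIUS prints non-printable bytes in attribute dumps as three-digit octal
escapes (\\020, \\016, ...).  The logged value is first unescaped, then parsed
as an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, string }.
"""
import re

# Constructed sample: the User-Name exactly as it appeared in the FreeRADIUS log.
LOGGED_USER_NAME = r"0\0201\0160\014\006\003U\004\003\014\005fenix"

# Constructed sample: DER for "C=US, O=Example, CN=alice" (three RDNs).
MULTI_RDN_DER = bytes.fromhex(
    "30 2f"
    "31 0b 30 09 06 03 55 04 06 13 02 55 53"                    # C=US (PrintableString)
    "31 10 30 0e 06 03 55 04 0a 0c 07 45 78 61 6d 70 6c 65"     # O=Example (UTF8String)
    "31 0e 30 0c 06 03 55 04 03 0c 05 61 6c 69 63 65"           # CN=alice (UTF8String)
)

# Assumption: this small table covers the attribute types found in typical VPN certificates.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}


def unescape_radius_log(logged: str) -> bytes:
    """Turn a FreeRADIUS octal-escaped attribute value back into raw bytes."""
    text = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), logged)
    return text.encode("latin-1")  # latin-1 maps each code point 0..255 to one byte


def read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode DER OID contents (first byte packs the first two arcs, rest are base-128)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_dn(der: bytes) -> str:
    """Render a DER X.501 Name as 'C=US, O=Example, CN=alice' (RDNs in encoded order)."""
    tag, name, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must start with a DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(name):
        tag, rdn_set, pos = read_tlv(name, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a DER SET")
        parts, inner = [], 0
        while inner < len(rdn_set):
            _tag, atv, inner = read_tlv(rdn_set, inner)
            _oid_tag, oid_raw, after_oid = read_tlv(atv, 0)
            _str_tag, val_raw, _ = read_tlv(atv, after_oid)  # UTF8/Printable/IA5String
            oid = decode_oid(oid_raw)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val_raw.decode('utf-8', 'replace')}")
        rdns.append("+".join(parts))  # multi-valued RDNs are joined with '+'
    return ", ".join(rdns)


def logged_user_name_to_dn(logged: str) -> str:
    """Convenience: FreeRADIUS log string -> human-readable DN."""
    return decode_dn(unescape_radius_log(logged))


def classify_user_name(raw: bytes) -> str:
    """Tell a DER-encoded DN apart from a plain username such as an EAP-Identity."""
    if raw[:1] == b"\x30":
        try:
            return "DN: " + decode_dn(raw)
        except (ValueError, IndexError):
            pass  # starts with '0' but is not a parsable Name: treat as plain text
    return "plain: " + raw.decode("utf-8", "replace")


if __name__ == "__main__":
    print(logged_user_name_to_dn(LOGGED_USER_NAME))   # CN=fenix
    print(classify_user_name(MULTI_RDN_DER))            # DN: C=US, O=Example, CN=alice
    print(classify_user_name(b"alice"))                 # plain: alice
```

Running this on the logged value prints `CN=fenix`, confirming that the RADIUS server is being handed the certificate subject rather than the user's login name; the `classify_user_name` check is what a RADIUS-side policy or log parser could use to spot such DN-shaped User-Names before they reach the MS-CHAP module.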

  • Maybe try to do an EAP-Identity exchange before initiating the EAP-MSCHAPv2 authentication. If the clients send their username as EAP-Identity, that should change the User-Name sent in the RADIUS message from the IKE identity to the EAP-Identity.
    – ecdsa
    Commented Apr 9 at 16:55
