I am trying to use certificates to connect multiple roaming users to one
IPsec server (each side is running libreswan 3.8).
It fails when I use ikev2 mode. If I use ikev1 mode (by removing the
line ikev2=insist), it works fine.
Below is my configuration. Is there anything wrong in the configuration
that prevents it from working in ikev2 mode? Thanks.
Server Side:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=no
    nhelpers=1
    oe=off
    plutorestartoncrash=no
    protostack=netkey
conn R2-R9
    authby=rsasig
    auto=add
    phase2=esp
    ikev2=insist
    left=192.168.22.2
    leftcert=R4
    leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
    leftnexthop=%defaultroute
    leftsubnet=192.168.21.0/24
    pfs=no
    right=%any
    rightid=%fromcert
    rightupdown="ipsec _updown --route yes"
    type=tunnel
Client Side:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=no
    nhelpers=1
    oe=off
    plutorestartoncrash=no
    protostack=netkey
conn R2-R9
    connaddrfamily=ipv4
    authby=rsasig
    auto=start
    phase2=esp
    ikev2=insist
    left=192.168.22.2
    leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
    leftsubnet=192.168.21.0/24
    pfs=no
    right=192.168.34.9
    rightcert=R9
    rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, [email protected]"
    rightnexthop=%defaultroute
    rightupdown="ipsec _updown --route yes"
    type=tunnel
The tunnel is established successfully in ikev1 mode, but fails in
ikev2 mode. It gives the following error message in ikev2 mode:
Apr 30 09:44:17 rrjc2 pluto[5068]: | found connection: R2-R9
Apr 30 09:44:17 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Apr 30 09:44:17 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, O=RuggedCom, CN=R9, [email protected]'
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no crl from issuer "C=CA, ST=Ontario, O=RuggedCom, CN=CA, [email protected]" found (strict=no)
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no RSA public key known for '%fromcert'
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: RSA authentication failed
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: sending notification v2N_AUTHENTICATION_FAILED to 192.168.34.9:500
Apr 30 09:44:18 rrjc2 pluto[5068]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9: deleting connection "R2-R9" instance with peer 192.168.34.9 {isakmp=#0/ipsec=#0}
--
Jeff Chen
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
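The server log above shows the responder looking up an RSA key for the literal ID '%fromcert' while the client presents an explicit DN. The following script is an added example (not from the post or from libreswan) that parses the two ipsec.conf fragments and lists every conn parameter set differently on the two sides, so such asymmetries are visible before a tunnel is brought up; the embedded fragments are trimmed copies of the configurations quoted above.

```python
# Added example: compare the conn sections of two ipsec.conf fragments.
# SERVER_CONF and CLIENT_CONF are constructed from the post's configs.

SERVER_CONF = """\
conn R2-R9
    ikev2=insist
    leftcert=R4
    leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
    right=%any
    rightid=%fromcert
"""
CLIENT_CONF = """\
conn R2-R9
    ikev2=insist
    leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, [email protected]"
    right=192.168.34.9
    rightcert=R9
    rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, [email protected]"
"""

def parse_ipsec_conf(text):
    """Return {"conn NAME" or "config setup": {key: value}}.  In ipsec.conf a
    section header starts in column 0 and its parameters are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def diff_conn(a, b):
    """Parameters set differently on the two sides: {key: (side_a, side_b)}.
    A parameter missing on one side shows up as None."""
    keys = set(a) | set(b)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}

def ikev2_with_fromcert(conn):
    """True when a conn insists on IKEv2 while delegating a peer ID to the
    certificate, the combination present in the quoted server log."""
    return conn.get("ikev2") in ("insist", "yes") and "%fromcert" in (
        conn.get("leftid"), conn.get("rightid"))

if __name__ == "__main__":
    srv, cli = (parse_ipsec_conf(t)["conn R2-R9"] for t in (SERVER_CONF, CLIENT_CONF))
    print(diff_conn(srv, cli), ikev2_with_fromcert(srv))
```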