Hi All,

I am trying to use certificates to authenticate strongswan peers. I followed the steps in the strongswan configuration documentation to generate the CA and end entity certificates using openssl. After all certificates had been created, I ran "ipsec start" on both hosts and "ipsec up host-host" on moon. But I have encountered the "AUTHENTICATION_FAILED" problem. Can anyone help me find the root cause of this problem? Thanks a lot!

The log information on host "moon" is listed as follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jun 5 14:43:03 JerryPico ipsec_starter[17495]: Starting strongSwan 4.2.14 IPsec [starter]...
Jun 5 14:43:04 JerryPico charon: 01[DMN] starting charon (strongSwan Version 4.2.14)
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 5 14:43:04 JerryPico charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/sunKey.pem'
Jun 5 14:43:04 JerryPico charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Jun 5 14:43:04 JerryPico charon: 01[KNL] listening on interfaces:
Jun 5 14:43:04 JerryPico charon: 01[KNL] eth0
Jun 5 14:43:04 JerryPico charon: 01[KNL] 172.19.2.112
Jun 5 14:43:04 JerryPico charon: 01[KNL] fe80::20c:29ff:fe18:698e
Jun 5 14:43:04 JerryPico charon: 01[JOB] spawning 16 worker threads
Jun 5 14:43:04 JerryPico ipsec_starter[17503]: charon (17504) started after 40 ms
Jun 5 14:43:04 JerryPico charon: 17[CFG] received stroke: add connection 'host-host'
Jun 5 14:43:04 JerryPico charon: 17[LIB] loaded certificate file '/etc/ipsec.d/certs/sunCert.pem'
Jun 5 14:43:04 JerryPico charon: 17[CFG] peerid 172.19.2.112 not confirmed by certificate, defaulting to subject DN
Jun 5 14:43:04 JerryPico charon: 17[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Jun 5 14:43:04 JerryPico charon: 17[CFG] added configuration 'host-host': 172.19.2.112[C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=s...@picochip.com]...172.19.2.123[c=ch, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com]
Jun 5 14:43:23 JerryPico charon: 08[NET] received packet: from 172.19.2.123[500] to 172.19.2.112[500]
Jun 5 14:43:23 JerryPico charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 5 14:43:23 JerryPico charon: 08[IKE] 172.19.2.123 is initiating an IKE_SA
Jun 5 14:43:23 JerryPico charon: 08[IKE] 172.19.2.123 is initiating an IKE_SA
Jun 5 14:43:23 JerryPico charon: 08[IKE] sending cert request for "C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com"
Jun 5 14:43:23 JerryPico charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jun 5 14:43:23 JerryPico charon: 08[NET] sending packet: from 172.19.2.112[500] to 172.19.2.123[500]
Jun 5 14:43:24 JerryPico charon: 09[NET] received packet: from 172.19.2.123[4500] to 172.19.2.112[4500]
Jun 5 14:43:24 JerryPico charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun 5 14:43:24 JerryPico charon: 09[IKE] received cert request for "C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[IKE] received end entity cert "C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[CFG] using trusted ca certificate "C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[CFG] checking certificate status of "C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=s...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[CFG] certificate status is not available
Jun 5 14:43:24 JerryPico charon: 09[CFG] using trusted certificate "C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=s...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[IKE] signature validation failed, looking for another key
Jun 5 14:43:24 JerryPico charon: 09[CFG] using certificate "C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[CFG] using trusted ca certificate "C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[CFG] checking certificate status of "C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com"
Jun 5 14:43:24 JerryPico charon: 09[CFG] certificate status is not available
Jun 5 14:43:24 JerryPico charon: 09[IKE] authentication of '172.19.2.123' with RSA signature successful
Jun 5 14:43:24 JerryPico charon: 09[IKE] peer supports MOBIKE
Jun 5 14:43:24 JerryPico charon: 09[IKE] no matching config found for 'C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=s...@picochip.com'...'172.19.2.123'
Jun 5 14:43:24 JerryPico charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 5 14:43:24 JerryPico charon: 09[NET] sending packet: from 172.19.2.112[4500] to 172.19.2.123[4500]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Best Regards,
David

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
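The log above ends with charon rejecting the IKE_AUTH because the identity the peer presented (the IP address 172.19.2.123) does not equal the rightid configured for 'host-host' (a subject DN), even though the RSA signature itself verified. The following is an added diagnostic, not part of the original post or of strongSwan, that correlates the "added configuration", "peerid ... not confirmed by certificate" and "no matching config found" lines of a charon log and reports such identity mismatches; the sample log lines are constructed, with shortened DNs modelled on the ones in the post.

```python
import re

# Constructed sample, modelled on the charon log in the post (DNs shortened).
SAMPLE_LOG = """\
Jun  5 14:43:04 JerryPico charon: 17[CFG] peerid 172.19.2.112 not confirmed by certificate, defaulting to subject DN
Jun  5 14:43:04 JerryPico charon: 17[CFG] added configuration 'host-host': 172.19.2.112[C=CH, O=PICOCHIP, CN=SUN]...172.19.2.123[C=CH, O=PICOCHIP, CN=DAVID]
Jun  5 14:43:24 JerryPico charon: 09[IKE] authentication of '172.19.2.123' with RSA signature successful
Jun  5 14:43:24 JerryPico charon: 09[IKE] no matching config found for 'C=CH, O=PICOCHIP, CN=SUN'...'172.19.2.123'
Jun  5 14:43:24 JerryPico charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "added configuration 'name': leftaddr[leftid]...rightaddr[rightid]"
CONF_RE = re.compile(
    r"added configuration '(?P<name>[^']+)': "
    r"(?P<left>\S+?)\[(?P<leftid>[^\]]*)\]\.\.\.(?P<right>\S+?)\[(?P<rightid>[^\]]*)\]")
# charon could not confirm a configured id against the loaded certificate
DEFAULT_RE = re.compile(
    r"peerid (?P<id>\S+) not confirmed by certificate, defaulting to subject DN")
# "no matching config found for 'my id'...'peer id'" is the actual rejection reason
NOMATCH_RE = re.compile(
    r"no matching config found for '(?P<me>[^']*)'\.\.\.'(?P<peer>[^']*)'")


def diagnose(log):
    """Return a list of human-readable findings about identity mismatches."""
    configs = {}   # connection name -> (leftid, rightid) as charon parsed them
    findings = []
    for line in log.splitlines():
        m = CONF_RE.search(line)
        if m:
            configs[m['name']] = (m['leftid'], m['rightid'])
            continue
        m = DEFAULT_RE.search(line)
        if m:
            findings.append("configured id %s is not in the loaded certificate; "
                            "charon uses the certificate subject DN instead" % m['id'])
            continue
        m = NOMATCH_RE.search(line)
        if m:
            # Compare the IDi the peer actually sent with every configured rightid.
            for name, (_leftid, rightid) in configs.items():
                if rightid != m['peer']:
                    findings.append("'%s': configured rightid '%s' does not equal "
                                    "the id the peer presented '%s'"
                                    % (name, rightid, m['peer']))
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```

In this situation the two sides have to agree on an identity that the initiator's certificate can confirm, e.g. by setting leftid on the initiator to its certificate subject DN, which is what the responder's rightid already expects.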