Hi Daniel,

Thanks for your quick response. The /etc/ipsec.conf files are listed as follows:

1. /etc/ipsec.conf on peer SUN

   config setup
       crlcheckinterval=180
       strictcrlpolicy=no
       plutostart=no

   conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1
       keyexchange=ikev2

   conn host-host
       left=%defaultroute
       leftcert=/etc/ipsec.d/certs/sunCert.pem
       right=172.19.2.123
       rightcert=/etc/ipsec.d/certs/moonCert.pem
       rightid="C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
       auto=add

2. /etc/ipsec.conf on peer MOON

   config setup
       crlcheckinterval=180
       strictcrlpolicy=no
       plutostart=no

   conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1
       keyexchange=ikev2

   conn host-host
       left=%defaultroute
       leftcert=/etc/ipsec.d/certs/moonCert.pem
       right=172.19.2.112 #192.168.1.106 # 172.19.2.123
       rightcert=/etc/ipsec.d/certs/sunCert.pem
       rightid="C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
       auto=add

3. The result information:

   initiating IKE_SA host-host[2] to 172.19.2.112
   generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
   sending packet: from 172.19.2.123[500] to 172.19.2.112[500]
   received packet: from 172.19.2.112[500] to 172.19.2.123[500]
   parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
   authentication of '172.19.2.123' (myself) with RSA signature successful
   establishing CHILD_SA host-host
   generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
   sending packet: from 172.19.2.123[4500] to 172.19.2.112[4500]
   received packet: from 172.19.2.112[4500] to 172.19.2.123[4500]
   parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
   received AUTHENTICATION_FAILED notify error

4. /var/log/messages:

   Jun 8 13:35:01 JerryPico ipsec_starter[3870]: Starting strongSwan 4.2.14 IPsec [starter]...
   Jun 8 13:35:02 JerryPico charon: 01[DMN] starting charon (strongSwan Version 4.2.14)
   Jun 8 13:35:02 JerryPico charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
   Jun 8 13:35:02 JerryPico charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
   Jun 8 13:35:02 JerryPico charon: 01[LIB] ca certificate must have ca basic constraint set, discarded
   Jun 8 13:35:02 JerryPico charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
   Jun 8 13:35:02 JerryPico charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
   Jun 8 13:35:02 JerryPico charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
   Jun 8 13:35:02 JerryPico charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
   Jun 8 13:35:02 JerryPico charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
   Jun 8 13:35:02 JerryPico charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/crl.pem'
   Jun 8 13:35:02 JerryPico charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
   Jun 8 13:35:02 JerryPico charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/sunKey.pem'
   Jun 8 13:35:02 JerryPico charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
   Jun 8 13:35:02 JerryPico charon: 01[KNL] listening on interfaces:
   Jun 8 13:35:02 JerryPico charon: 01[KNL] eth0
   Jun 8 13:35:02 JerryPico charon: 01[KNL] 172.19.2.112
   Jun 8 13:35:02 JerryPico charon: 01[KNL] fe80::20c:29ff:fe18:698e
   Jun 8 13:35:02 JerryPico charon: 01[JOB] spawning 16 worker threads
   Jun 8 13:35:02 JerryPico ipsec_starter[3878]: charon (3879) started after 20 ms
   Jun 8 13:35:02 JerryPico charon: 02[CFG] received stroke: add connection 'host-host'
   Jun 8 13:35:02 JerryPico charon: 02[LIB] loaded certificate file '/etc/ipsec.d/certs/sunCert.pem'
   Jun 8 13:35:02 JerryPico charon: 02[CFG] peerid 172.19.2.112 not confirmed by certificate, defaulting to subject DN
   Jun 8 13:35:02 JerryPico charon: 02[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
   Jun 8 13:35:02 JerryPico charon: 02[CFG] peerid C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com not confirmed by certificate, defaulting to subject DN
   Jun 8 13:35:02 JerryPico charon: 02[CFG] added configuration 'host-host': 172.19.2.112[C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com]...172.19.2.123[c=cn, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com]
   Jun 8 13:35:10 JerryPico charon: 09[NET] received packet: from 172.19.2.123[500] to 172.19.2.112[500]
   Jun 8 13:35:10 JerryPico charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
   Jun 8 13:35:10 JerryPico charon: 09[IKE] 172.19.2.123 is initiating an IKE_SA
   Jun 8 13:35:10 JerryPico charon: 09[IKE] 172.19.2.123 is initiating an IKE_SA
   Jun 8 13:35:11 JerryPico charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
   Jun 8 13:35:11 JerryPico charon: 09[NET] sending packet: from 172.19.2.112[500] to 172.19.2.123[500]
   Jun 8 13:35:11 JerryPico charon: 10[NET] received packet: from 172.19.2.123[4500] to 172.19.2.112[4500]
   Jun 8 13:35:11 JerryPico charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
   Jun 8 13:35:11 JerryPico charon: 10[CFG] no issuer certificate found for "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
   Jun 8 13:35:11 JerryPico charon: 10[CFG] using trusted certificate "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
   Jun 8 13:35:11 JerryPico charon: 10[IKE] signature validation failed, looking for another key
   Jun 8 13:35:11 JerryPico charon: 10[CFG] using certificate "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
   Jun 8 13:35:11 JerryPico charon: 10[CFG] no issuer certificate found for "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
   Jun 8 13:35:11 JerryPico charon: 10[IKE] authentication of '172.19.2.123' with RSA signature failed
   Jun 8 13:35:11 JerryPico charon: 10[IKE] authentication of '172.19.2.123' with RSA signature failed
   Jun 8 13:35:11 JerryPico charon: 10[IKE] peer supports MOBIKE
   Jun 8 13:35:11 JerryPico charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
   Jun 8 13:35:11 JerryPico charon: 10[NET] sending packet: from 172.19.2.112[4500] to 172.19.2.123[4500]

5. List of certificates:

   List of X.509 End Entity Certificates:

     altNames:  172.19.2.123
     subject:   "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
     issuer:    "C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"
     serial:    02
     validity:  not before Jun 07 21:26:35 2009, ok
                not after  Jun 07 21:26:35 2010, ok
     pubkey:    RSA 1024 bits, has private key
     keyid:     eb:ab:ee:d3:bf:cd:93:e0:d5:49:16:97:a8:99:e1:54:e4:61:17:22
     subjkey:   6d:56:31:e5:f3:00:4a:84:82:9e:9f:11:be:74:af:a3:e6:bc:25:b7
     authkey:   de:50:c6:d1:a9:9b:2d:08:5b:9a:f6:cc:8b:f3:0a:96:e9:08:cb:65

     altNames:  172.19.2.123
     subject:   "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
     issuer:    "C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"
     serial:    01
     validity:  not before Jun 07 21:22:32 2009, ok
                not after  Jun 07 21:22:32 2010, ok
     pubkey:    RSA 1024 bits
     keyid:     65:24:bf:2c:50:c7:82:f4:13:d4:0a:c9:c1:2b:e4:44:57:ef:dc:bc
     subjkey:   00:a4:64:bc:c8:e7:14:fa:fd:00:b9:3d:45:9d:93:6f:02:17:6c:a3
     authkey:   de:50:c6:d1:a9:9b:2d:08:5b:9a:f6:cc:8b:f3:0a:96:e9:08:cb:65

6. ipsec statusall:

   Performance:
     uptime: 14 minutes, since Jun 08 13:35:02 2009
     worker threads: 10 idle of 16, job queue load: 1, scheduled events: 0
     loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
   Listening IP addresses:
     172.19.2.112
   Connections:
     host-host:  172.19.2.112[C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com]...172.19.2.123[c=cn, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com]
     host-host:   CAs: "C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"..."C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"
     host-host:   public key authentication
     host-host:   dynamic === dynamic
   Security Associations:
     None

----------------------------------------------------------------------------

Please help to find the root cause of this problem, thanks a lot!

Best Regards,
David

-----Original Message-----
From: Daniel Mentz [mailto:danielml+mailinglists.strongs...@sent.com]
Sent: 6 June 2009 19:58
To: weiping deng
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] [help]: please help to find the root cause of "Authentication_failed" problem, thanx!

Please provide us with the config file /etc/ipsec.conf and also with the output of the following commands:

   ipsec statusall
   ipsec listcerts

This makes it easier to help you.

@strongSwan Team: I suggest putting a note on http://www.strongswan.org/support.htm asking people to supply this kind of information in their first mail when seeking support on the mailing list.

-Daniel

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
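The charon lines quoted above record two independent problems that a practitioner would check in this order. At load time the CA certificate in /etc/ipsec.d/cacerts is discarded ("ca certificate must have ca basic constraint set, discarded"), so at IKE_AUTH time charon reports "no issuer certificate found" for the peer certificate and the RSA signature in the AUTH payload cannot be validated, which is what produces N(AUTH_FAILED). Separately, the configured rightid is "not confirmed by certificate": the rightid in both ipsec.conf files starts with C=CH while the certificate subjects start with C=CN. The script below is an added example, not code from the thread or from strongSwan. It runs a small triage over charon log lines (the sample lines are constructed models of the ones quoted above, shortened) and includes a DN comparer that reports which RDN of a configured leftid/rightid differs from a certificate subject; the function names triage, diagnose, parse_dn and dn_diff are my own, and the value comparison follows the case- and whitespace-insensitive rule of RFC 5280 section 7.1 rather than reproducing strongSwan's exact matcher.

```python
"""Triage helper for strongSwan charon certificate-auth failures.

Added example, not part of the mailing-list post or of strongSwan.
"""
import re

# Constructed sample log, modelled on (and shortened from) the charon
# lines quoted in the thread; not captured from a live system.
SAMPLE_LOG = """\
Jun 8 13:35:02 JerryPico charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
Jun 8 13:35:02 JerryPico charon: 01[LIB] ca certificate must have ca basic constraint set, discarded
Jun 8 13:35:02 JerryPico charon: 02[CFG] peerid C=CH, ST=BEIJING, O=PICOCHIP, CN=MOON not confirmed by certificate, defaulting to subject DN
Jun 8 13:35:11 JerryPico charon: 10[CFG] no issuer certificate found for "C=CN, ST=BEIJING, O=PICOCHIP, CN=SUN"
Jun 8 13:35:11 JerryPico charon: 10[IKE] signature validation failed, looking for another key
Jun 8 13:35:11 JerryPico charon: 10[IKE] authentication of '172.19.2.123' with RSA signature failed
Jun 8 13:35:11 JerryPico charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Charon messages that explain a certificate-based AUTHENTICATION_FAILED.
# A capturing group, where present, extracts the DN or peer in question.
INDICATORS = [
    ("ca_discarded", re.compile(r"ca certificate must have ca basic constraint set, discarded")),
    ("peerid_not_confirmed", re.compile(r"peerid (.+?) not confirmed by certificate")),
    ("no_issuer", re.compile(r'no issuer certificate found for "([^"]+)"')),
    ("sig_failed", re.compile(r"signature validation failed")),
    ("auth_failed", re.compile(r"authentication of '([^']+)' with RSA signature failed")),
]

# "<syslog prefix> charon: 10[CFG] <message>"  ->  group 1 = subsystem, group 2 = message
LINE_RE = re.compile(r"charon: \d+\[(\w+)\] (.*)$")


def triage(log_text):
    """Return [(indicator, detail)] for every charon line matching a known indicator, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ipsec_starter lines and anything non-charon
        msg = m.group(2)
        for name, pattern in INDICATORS:
            hit = pattern.search(msg)
            if hit:
                findings.append((name, hit.group(1) if hit.groups() else msg))
                break
    return findings


def diagnose(log_text):
    """Map the indicators found by triage() to the checks a practitioner should make, most likely first."""
    names = {name for name, _ in triage(log_text)}
    causes = []
    if "ca_discarded" in names:
        causes.append("CA certificate in /etc/ipsec.d/cacerts lacks basicConstraints CA:TRUE, "
                      "so charon dropped it and cannot build a chain for the peer certificate; "
                      "reissue the CA certificate with that extension")
    elif "no_issuer" in names:
        causes.append("the peer certificate's issuer is not in /etc/ipsec.d/cacerts; install the issuing CA certificate")
    if "peerid_not_confirmed" in names:
        causes.append("configured leftid/rightid matches neither the subject DN nor any subjectAltName "
                      "of the certificate; compare the DN attribute by attribute (see dn_diff)")
    if "auth_failed" in names and not causes:
        causes.append("AUTH payload signature did not verify; check that the peer signs with the key "
                      "belonging to the certificate it presents")
    return causes


def parse_dn(dn):
    """Split 'C=CH, ST=BEIJING, CN=MOON' into an ordered list of (TYPE, value).

    Attribute types are upper-cased because they are case-insensitive.
    Assumption: values contain no escaped commas (true for the DNs in the thread).
    """
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _norm(value):
    # RFC 5280 section 7.1: compare ignoring case and insignificant whitespace.
    return " ".join(value.split()).casefold()


def dn_diff(configured, subject):
    """Return [(TYPE, configured_value, subject_value)] for every RDN that does not match."""
    a, b = parse_dn(configured), parse_dn(subject)
    diffs = [(ta, va, vb) for (ta, va), (tb, vb) in zip(a, b)
             if ta != tb or _norm(va) != _norm(vb)]
    if len(a) != len(b):
        diffs.append(("rdn_count", len(a), len(b)))
    return diffs


if __name__ == "__main__":
    for name, detail in triage(SAMPLE_LOG):
        print("%-22s %s" % (name, detail))
    for cause in diagnose(SAMPLE_LOG):
        print("-", cause)
    print(dn_diff("C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON",
                  "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON"))
```

Run it against a real /var/log/messages by reading the file into triage() and diagnose(); the order of the indicators matters, because a discarded CA at load time explains every "no issuer certificate found" that follows, so fixing the CA certificate first avoids chasing the later signature failures.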