Hi Daniel,
Thanks for your quick response. The /etc/ipsec.conf files are listed as follows:

1. /etc/ipsec.conf on peer SUN
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no   
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
conn host-host 
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/sunCert.pem
        right=172.19.2.123     
        rightcert=/etc/ipsec.d/certs/moonCert.pem
        rightid="C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
        auto=add

2. /etc/ipsec.conf on peer MOON
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
conn host-host 
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/moonCert.pem
        right=172.19.2.112  #192.168.1.106  # 172.19.2.123
        rightcert=/etc/ipsec.d/certs/sunCert.pem
        rightid="C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
        auto=add

3. The resulting output:
initiating IKE_SA host-host[2] to 172.19.2.112
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.19.2.123[500] to 172.19.2.112[500]
received packet: from 172.19.2.112[500] to 172.19.2.123[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
authentication of '172.19.2.123' (myself) with RSA signature successful
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
sending packet: from 172.19.2.123[4500] to 172.19.2.112[4500]
received packet: from 172.19.2.112[4500] to 172.19.2.123[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

4. /var/log/messages
Jun  8 13:35:01 JerryPico ipsec_starter[3870]: Starting strongSwan 4.2.14 IPsec [starter]...
Jun  8 13:35:02 JerryPico charon: 01[DMN] starting charon (strongSwan Version 4.2.14)
Jun  8 13:35:02 JerryPico charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun  8 13:35:02 JerryPico charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
Jun  8 13:35:02 JerryPico charon: 01[LIB]   ca certificate must have ca basic constraint set, discarded
Jun  8 13:35:02 JerryPico charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Jun  8 13:35:02 JerryPico charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun  8 13:35:02 JerryPico charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun  8 13:35:02 JerryPico charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun  8 13:35:02 JerryPico charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Jun  8 13:35:02 JerryPico charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/crl.pem'
Jun  8 13:35:02 JerryPico charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Jun  8 13:35:02 JerryPico charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/sunKey.pem'
Jun  8 13:35:02 JerryPico charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Jun  8 13:35:02 JerryPico charon: 01[KNL] listening on interfaces:
Jun  8 13:35:02 JerryPico charon: 01[KNL]   eth0
Jun  8 13:35:02 JerryPico charon: 01[KNL]     172.19.2.112
Jun  8 13:35:02 JerryPico charon: 01[KNL]     fe80::20c:29ff:fe18:698e
Jun  8 13:35:02 JerryPico charon: 01[JOB] spawning 16 worker threads
Jun  8 13:35:02 JerryPico ipsec_starter[3878]: charon (3879) started after 20 ms
Jun  8 13:35:02 JerryPico charon: 02[CFG] received stroke: add connection 'host-host'
Jun  8 13:35:02 JerryPico charon: 02[LIB]   loaded certificate file '/etc/ipsec.d/certs/sunCert.pem'
Jun  8 13:35:02 JerryPico charon: 02[CFG]   peerid 172.19.2.112 not confirmed by certificate, defaulting to subject DN
Jun  8 13:35:02 JerryPico charon: 02[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Jun  8 13:35:02 JerryPico charon: 02[CFG]   peerid C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com not confirmed by certificate, defaulting to subject DN
Jun  8 13:35:02 JerryPico charon: 02[CFG] added configuration 'host-host': 172.19.2.112[C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com]...172.19.2.123[c=cn, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com]
Jun  8 13:35:10 JerryPico charon: 09[NET] received packet: from 172.19.2.123[500] to 172.19.2.112[500]
Jun  8 13:35:10 JerryPico charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun  8 13:35:10 JerryPico charon: 09[IKE] 172.19.2.123 is initiating an IKE_SA
Jun  8 13:35:10 JerryPico charon: 09[IKE] 172.19.2.123 is initiating an IKE_SA
Jun  8 13:35:11 JerryPico charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun  8 13:35:11 JerryPico charon: 09[NET] sending packet: from 172.19.2.112[500] to 172.19.2.123[500]
Jun  8 13:35:11 JerryPico charon: 10[NET] received packet: from 172.19.2.123[4500] to 172.19.2.112[4500]
Jun  8 13:35:11 JerryPico charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun  8 13:35:11 JerryPico charon: 10[CFG] no issuer certificate found for "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
Jun  8 13:35:11 JerryPico charon: 10[CFG]   using trusted certificate "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
Jun  8 13:35:11 JerryPico charon: 10[IKE] signature validation failed, looking for another key
Jun  8 13:35:11 JerryPico charon: 10[CFG]   using certificate "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
Jun  8 13:35:11 JerryPico charon: 10[CFG] no issuer certificate found for "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
Jun  8 13:35:11 JerryPico charon: 10[IKE] authentication of '172.19.2.123' with RSA signature failed
Jun  8 13:35:11 JerryPico charon: 10[IKE] authentication of '172.19.2.123' with RSA signature failed
Jun  8 13:35:11 JerryPico charon: 10[IKE] peer supports MOBIKE
Jun  8 13:35:11 JerryPico charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun  8 13:35:11 JerryPico charon: 10[NET] sending packet: from 172.19.2.112[4500] to 172.19.2.123[4500]

5. List of certificates:
List of X.509 End Entity Certificates:

  altNames:  172.19.2.123
  subject:  "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
  issuer:   "C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"
  serial:    02
  validity:  not before Jun 07 21:26:35 2009, ok
             not after  Jun 07 21:26:35 2010, ok 
  pubkey:    RSA 1024 bits, has private key
  keyid:     eb:ab:ee:d3:bf:cd:93:e0:d5:49:16:97:a8:99:e1:54:e4:61:17:22
  subjkey:   6d:56:31:e5:f3:00:4a:84:82:9e:9f:11:be:74:af:a3:e6:bc:25:b7
  authkey:   de:50:c6:d1:a9:9b:2d:08:5b:9a:f6:cc:8b:f3:0a:96:e9:08:cb:65

  altNames:  172.19.2.123
  subject:  "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
  issuer:   "C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"
  serial:    01
  validity:  not before Jun 07 21:22:32 2009, ok
             not after  Jun 07 21:22:32 2010, ok 
  pubkey:    RSA 1024 bits
  keyid:     65:24:bf:2c:50:c7:82:f4:13:d4:0a:c9:c1:2b:e4:44:57:ef:dc:bc
  subjkey:   00:a4:64:bc:c8:e7:14:fa:fd:00:b9:3d:45:9d:93:6f:02:17:6c:a3
  authkey:   de:50:c6:d1:a9:9b:2d:08:5b:9a:f6:cc:8b:f3:0a:96:e9:08:cb:65

6. Output of ipsec statusall:
Performance:
  uptime: 14 minutes, since Jun 08 13:35:02 2009
  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 0
  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Listening IP addresses:
  172.19.2.112
Connections:
   host-host:  172.19.2.112[C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com]...172.19.2.123[c=cn, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com]
   host-host:  CAs: "C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"..."C=CN, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"
   host-host:  public key authentication
   host-host:    dynamic === dynamic 
Security Associations:
  None
----------------------------------------------------------------------------
Please help me find the root cause of this problem. Thanks a lot!

Best Regards,
David 
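
The two symptoms visible in David's material above, a CA certificate discarded at startup ("ca certificate must have ca basic constraint set, discarded") followed by "no issuer certificate found" for both end-entity certificates and an AUTH_FAILED notify, and a configured rightid (C=CH) that charon reports as "not confirmed by certificate" because the certificate subject carries C=CN, can be checked mechanically. The script below is an added example by the editor, not code from this thread or from strongSwan: it scans charon log lines for the credential-loading and IKE_AUTH failures and compares a configured rightid with a certificate subject DN. The log lines and DNs embedded in it are copied from the messages above (syslog prefix stripped); the script's own assumptions are that DN attribute values contain no commas and that values match case-insensitively.

```python
"""Triage a strongSwan IKEv2 AUTHENTICATION_FAILED exchange from charon log lines.

Editor's added example, not code from the thread or from strongSwan.
Assumptions: DN attribute values contain no commas, and values are compared
case-insensitively (charon prints 'c=cn' and 'C=CN' for the same DN in the thread).
"""
import re

# Log lines copied from the /var/log/messages excerpt in the thread, syslog prefix removed.
CHARON_LOG = """\
01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
01[LIB]   ca certificate must have ca basic constraint set, discarded
01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
02[CFG]   peerid 172.19.2.112 not confirmed by certificate, defaulting to subject DN
02[CFG]   peerid C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com not confirmed by certificate, defaulting to subject DN
10[CFG] no issuer certificate found for "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=...@picochip.com"
10[IKE] signature validation failed, looking for another key
10[CFG] no issuer certificate found for "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
10[IKE] authentication of '172.19.2.123' with RSA signature failed
10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# rightid from SUN's ipsec.conf and MOON's subject DN from ipsec listcerts, as posted.
RIGHTID_SUN = "C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"
MOON_SUBJECT = "C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e=m...@picochip.com"


def parse_dn(dn):
    """Split 'C=CN, ST=BEIJING, ...' into {ATTR: value} with attribute names upper-cased."""
    attrs = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def dn_mismatches(configured, from_cert):
    """Return (attribute, configured value, certificate value) for every attribute that differs."""
    a, b = parse_dn(configured), parse_dn(from_cert)
    diffs = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if (va or "").upper() != (vb or "").upper():
            diffs.append((key, va, vb))
    return diffs


def triage(log):
    """Collect the credential-loading and IKE_AUTH symptoms from charon log lines."""
    findings = {
        "ca_cert_discarded": [],     # cacerts files rejected at startup
        "no_issuer_for": [],         # subject DNs whose chain could not be built
        "peerid_not_confirmed": [],  # configured ids not found in the loaded cert
        "auth_failed": False,        # AUTH_FAILED notify seen
    }
    last_loaded = None
    for line in log.splitlines():
        m = re.search(r"loaded certificate file '([^']+)'", line)
        if m:
            last_loaded = m.group(1)  # charon prints the discard right after this line
            continue
        if "ca certificate must have ca basic constraint set, discarded" in line:
            findings["ca_cert_discarded"].append(last_loaded)
        m = re.search(r'no issuer certificate found for "([^"]+)"', line)
        if m:
            findings["no_issuer_for"].append(m.group(1))
        m = re.search(r"peerid (.+?) not confirmed by certificate", line)
        if m:
            findings["peerid_not_confirmed"].append(m.group(1))
        if "N(AUTH_FAILED)" in line or "AUTHENTICATION_FAILED" in line:
            findings["auth_failed"] = True
    return findings


def diagnose(log, rightid, cert_subject):
    """Turn the findings into the checks to run next, most likely cause first."""
    f = triage(log)
    notes = []
    if f["ca_cert_discarded"]:
        notes.append("CA certificate discarded at startup (needs basicConstraints CA:TRUE): "
                     + ", ".join(str(p) for p in f["ca_cert_discarded"]))
    if f["no_issuer_for"]:
        notes.append("no trusted issuer for: " + "; ".join(f["no_issuer_for"]))
    for key, conf, cert in dn_mismatches(rightid, cert_subject):
        notes.append("rightid %s=%s does not match certificate %s=%s" % (key, conf, key, cert))
    if f["auth_failed"] and not notes:
        notes.append("AUTH_FAILED seen but no credential problem found in this log excerpt")
    return notes


if __name__ == "__main__":
    for note in diagnose(CHARON_LOG, RIGHTID_SUN, MOON_SUBJECT):
        print("-", note)
```

Against the posted log the script reports the discarded cacert.pem, the missing issuer for both the SUN and MOON certificates, and the C=CH versus C=CN mismatch in SUN's rightid. To confirm the first finding on the real file, run `openssl x509 -in /etc/ipsec.d/cacerts/cacert.pem -noout -text` and look for `CA:TRUE` under "X509v3 Basic Constraints"; without that flag strongSwan will not use the certificate as a CA, so neither peer certificate can be chained and every RSA authentication fails regardless of the rest of the configuration.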

-----Original Message-----
From: Daniel Mentz [mailto:danielml+mailinglists.strongs...@sent.com]
Sent: June 6, 2009 19:58
To: weiping deng
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] [help]: please help to find the root cause of "Authentication_failed" problem, thanx!

Please provide us with the config file /etc/ipsec.conf and also with the 
output of the following commands:

ipsec statusall
ipsec listcerts

This makes it easier to help you.

@strongSwan Team: I suggest putting a note on
http://www.strongswan.org/support.htm
asking people to supply this kind of information in their first mail 
when seeking support on the mailing list.

-Daniel

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
