Hi All


I have started using strongSwan 4.3.6 and just tried the basic peer-to-peer
setup using two Linux machines. I am unable to get the connection up, and it
always displays a "private key not found" error for the DN. I have browsed
through several related posts on this list but somehow could not find the
solution, so I apologize if this is a duplicate post.



I have two Linux machines, 211 (IP address 10.201.114.211) and 178 (IP
address 10.201.114.178), between which I am trying to create the IPsec
connection.



Here is the debugging data for both machines.



211



ipsec.conf
------------------------------------------------------------------------

# ipsec.conf - strongSwan IPsec configuration file



# basic configuration



config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no
    charondebug="ike 4, knl 4, cfg 4"



# Add connections here.



# Sample VPN connections



conn 211TO178Tunnel
    left=10.201.114.211
    leftcert=211Cert.pem
    right=10.201.114.178
    #rightid="C=IN, O=WT, CN=10.201.114.178"
    keyexchange=ikev2
    #type=tunnel
    auto=add



ipsec.secrets
------------------------------------------------------------------------

: RSA 211Key.pem "2111"



ipsec up 211TO178Tunnel
------------------------------------------------------------------------

initiating IKE_SA 211TO178Tunnel[1] to 10.201.114.178
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.201.114.211[500] to 10.201.114.178[500]
received packet: from 10.201.114.178[500] to 10.201.114.211[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, [email protected]"
sending cert request for "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, [email protected]"
no private key found for 'C=IN, ST=KAR, O=WT, OU=TEV, CN=10.201.114.211, [email protected]'





When I do an ipsec start, I get the following log in syslog at the end:



getting interface name for 10.201.114.178
Apr 20 02:31:11 localhost charon: 14[KNL] 10.201.114.178 is not a local address
Apr 20 02:31:11 localhost charon: 14[KNL] getting interface name for 10.201.114.211
Apr 20 02:31:11 localhost charon: 14[KNL] 10.201.114.211 is on interface eth0
Apr 20 02:31:11 localhost charon: 14[CFG]   loaded certificate "C=IN, ST=KAR, O=WT, OU=TEV, CN=211, [email protected]" from '211Cert.pem'
Apr 20 02:31:11 localhost charon: 14[CFG]   id '10.201.114.211' not confirmed by certificate, defaulting to 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, [email protected]'
Apr 20 02:31:11 localhost charon: 14[CFG] added configuration '211TO178Tunnel'



I feel that the message "id '10.201.114.211' not confirmed by certificate,
defaulting to 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, [email protected]'"
could be the culprit, but I am unable to figure out the reason.



ipsec listcerts



List of X.509 End Entity Certificates:

  subject:  "C=IN, ST=KAR, O=WT, OU=TEV, CN=10.201.114.211, [email protected]"
  issuer:   "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, [email protected]"
  serial:    01:22
  validity:  not before Apr 20 00:35:20 2010, ok
             not after  Apr 19 00:35:20 2012, ok
  pubkey:    RSA 1024 bits
  keyid:     de:70:04:d4:76:ef:23:10:b2:98:88:20:d3:ab:78:8c:54:4c:3b:54
  subjkey:   34:b8:59:19:d5:2a:a9:f9:48:76:ff:8d:f1:79:ab:3f:71:d6:4b:86
  authkey:   09:57:1b:cc:fa:28:3d:fe:0e:ac:fb:97:fe:89:6f:53:9d:4b:8f:0d





178



ipsec.conf



# ipsec.conf - strongSwan IPsec configuration file



# basic configuration



config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        charondebug="ike 4, knl 4, cfg 4"
        plutostart=no



# Add connections here.



# Sample VPN connections



conn 211TO178Tunnel
        right=10.201.114.211
        left=10.201.114.178
        leftcert=178Cert.pem
        #rightid="C=IN, O=WT, CN=10.201.114.211"
        keyexchange=ikev2
        #type=tunnel
        auto=add



ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA 178Key.pem "1788"



ipsec listcerts



List of X.509 End Entity Certificates:

  subject:  "C=IN, ST=KAR, O=WT, OU=TEV, CN=178, [email protected]"
  issuer:   "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, [email protected]"
  serial:    01:25
  validity:  not before Apr 20 02:13:03 2010, ok
             not after  Apr 19 02:13:03 2012, ok
  pubkey:    RSA 1024 bits
  keyid:     5c:ff:4f:12:27:37:95:38:7f:3c:13:e6:c5:43:49:c4:0d:13:10:44
  subjkey:   6a:de:d5:87:6f:d6:e5:61:e6:42:f7:84:1f:1c:35:e3:96:1a:92:96
  authkey:   09:57:1b:cc:fa:28:3d:fe:0e:ac:fb:97:fe:89:6f:53:9d:4b:8f:0d









When I do an ipsec start on 178, I get the same "not confirmed by
certificate" message.



I have verified, reverified and recreated the keys several times, with
different CN values as well, but with no success.





Regards

Shyam


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

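An added example, not part of the original post and not strongSwan code: a small POSIX shell script that uses the openssl command line tool to perform the two checks the logs above call for. It builds its own test material (a key, a self-signed certificate carrying the same subject attributes as 211's certificate minus the e-mail address, and a second, unrelated key standing in for a 211Key.pem left over from an earlier CA run; all file names and the working directory are constructed for the example). It then prints the certificate's subject DN in the comma-separated, most-significant-first order strongSwan logs and accepts in leftid=, which is what a peer needs when it is to be identified by DN rather than by an IP address the certificate does not contain ("id '10.201.114.211' not confirmed by certificate"), and it compares the public key derived from a private key with the one in the certificate. strongSwan selects the private key for leftcert= by exactly this correspondence, so a key file that does not belong to the certificate is reported as "no private key found for '<subject DN>'". The script does not touch /etc/ipsec.d or /etc/ipsec.secrets.

```shell
#!/bin/sh
# Added example, not strongSwan code. Checks an X.509 certificate against an
# RSA private key and prints the subject DN in strongSwan's leftid= form.
# Needs the openssl command line tool; everything else is POSIX sh.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures (hypothetical file names): a key and a self-signed
# certificate with the same subject attributes as 211's certificate (without
# the e-mail address), plus an unrelated key that stands in for a 211Key.pem
# left over from an earlier run of the CA.
make_fixtures() {
    openssl genrsa -out "$WORK/211Key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 2 -key "$WORK/211Key.pem" \
        -subj "/C=IN/ST=KAR/O=WT/OU=TEV/CN=10.201.114.211" \
        -out "$WORK/211Cert.pem" 2>/dev/null
    openssl genrsa -out "$WORK/staleKey.pem" 2048 2>/dev/null
}

# Subject DN, most significant attribute first, "Attr=value" pairs joined by
# ", ": the order strongSwan prints in its logs and accepts in leftid=.
# RFC2253 selects short attribute names; -dn_rev undoes its reversed order.
cert_dn() {
    openssl x509 -in "$1" -noout -subject \
        -nameopt RFC2253,sep_comma_plus_space,-dn_rev \
        | sed 's/^subject= *//'
}

# True when the private key in $2 belongs to the certificate in $1, i.e. both
# yield the same SubjectPublicKeyInfo. strongSwan picks the private key for
# leftcert= by this correspondence, so a key that fails here is reported as
# "no private key found for '<subject DN>'".
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# The ipsec.conf line that names this end by the DN the certificate actually
# carries, instead of leaving strongSwan to fall back from an IP address ID
# ("id ... not confirmed by certificate, defaulting to ...").
leftid_line() {
    printf 'leftid="%s"\n' "$(cert_dn "$1")"
}

main() {
    make_fixtures
    echo "subject: $(cert_dn "$WORK/211Cert.pem")"
    if key_matches_cert "$WORK/211Cert.pem" "$WORK/211Key.pem"; then
        echo "211Key.pem belongs to 211Cert.pem"
    fi
    if ! key_matches_cert "$WORK/211Cert.pem" "$WORK/staleKey.pem"; then
        echo "staleKey.pem does not belong to 211Cert.pem (expect 'no private key found')"
    fi
    leftid_line "$WORK/211Cert.pem"
}

main
```

Run against the real files with `key_matches_cert /etc/ipsec.d/certs/211Cert.pem /etc/ipsec.d/private/211Key.pem` (adding `-passin` to the pkey call if the key is encrypted, as the "2111" in ipsec.secrets suggests). A second check that needs no script: when a loaded private key belongs to a listed certificate, strongSwan's `ipsec listcerts` appends ", has private key" to that certificate's pubkey line.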