Hello, I am having no luck setting up a mutually authenticated tunnel using certificates. I have tried mucking around with just about every ipsec.conf parameter, but no luck. I also saw the FAQ, but could not make sense of the answer. Any help is appreciated!!! Thanks.
Here is my output:

04[CFG] added configuration 'home'
08[CFG] received stroke: initiate 'load'
08[CFG] no config named 'load'
08[CFG]
07[CFG] received stroke: initiate 'home'
10[IKE] initiating IKE_SA home[1] to 172.16.107.2
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
12[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
12[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
12[IKE] initiating IKE_SA home[1] to 172.16.107.2
12[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
16[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
16[IKE] local host is behind NAT, sending keep alives
16[IKE] received cert request for "O=AcmePacket, OU=CSE, [email protected], L=Burlington, ST=MA, C=US, CN=selab.com"
16[IKE] sending cert request for "O=AcmePacket, OU=CSE, [email protected], L=Burlington, ST=MA, C=US, CN=selab.com"
16[IKE] authentication of 'C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2' (myself) with RSA signature successful
16[IKE] sending end entity cert "C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2"
16[IKE] establishing CHILD_SA home
16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(EAP_ONLY) ]
16[NET] sending packet: from 2.2.2.3[4500] to 172.16.107.2[4500]
13[NET] received packet: from 172.16.107.2[4500] to 2.2.2.3[4500]
13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr ]
13[IKE] received end entity cert "C=US, ST=MA, L=Burlington, O=Engineering, CN=172.16.107.2"
13[IKE] no trusted RSA public key found for '172.16.107.2'
00[DMN] signal of type SIGINT received. Shutting down
00[KNL] received netlink error: Invalid argument (22)

And here is my ipsec.conf file:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutostart=no
    charondebug=all

ca msg1
    cacert=CA-SS-acmesec1.pem
    auto=add

conn %default
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    ikelifetime=23d
    keylife=22d
    rekeymargin=10m
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    auto=add
    lefthostaccess=no
    dpdaction=restart
    dpddelay=45
    rekey=yes
    reauth=no
    forceencaps=yes

conn home
    left=%defaultroute
    leftsourceip=%modeconfig
    leftcert=acmesec1Cert.pem
    leftfirewall=yes
    rightfirewall=yes
    right=172.16.107.2
    rightid=%172.16.107.2
    rightsubnet=192.168.105.0/24

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
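The log above ends in "no trusted RSA public key found for '172.16.107.2'", which charon reports when it finds no certificate that both validates against a trusted CA and carries the peer's identity. As an added example (not code from the post or from strongSwan), the script below checks those two conditions with plain openssl for a given cacert, peer certificate and rightid: the peer certificate must chain to the cacert, and an IP or hostname rightid must appear in its subjectAltName, since strongSwan does not fall back to the subject CN for such identities. It builds a throwaway CA and peer certificate in a temp directory so it runs offline; openssl on PATH is assumed, and a rightid given as a full DN is not handled.

```shell
#!/bin/sh
# Added example, not code from the post or from strongSwan: check the two
# things a peer certificate must satisfy before strongSwan will trust its
# RSA key for a given rightid, using only openssl (assumed on PATH).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# check_peer_cert CACERT PEERCERT RIGHTID
# Prints "ok" when PEERCERT chains to CACERT and RIGHTID is one of its
# subjectAltName entries (IP, DNS or email); prints the failing reason
# otherwise. A rightid given as a full DN is not handled here.
check_peer_cert() {
    cacert=$1; peercert=$2; rightid=$3
    # 1. chain validation against the configured cacert only (no system store)
    if ! openssl verify -no-CAfile -no-CApath -CAfile "$cacert" "$peercert" >/dev/null 2>&1; then
        echo "untrusted: $(basename "$peercert") does not chain to $(basename "$cacert")"
        return 1
    fi
    # 2. identity match: strongSwan compares an IP/FQDN/email ID against the
    #    subjectAltName entries, not against the subject CN
    sans=$(openssl x509 -in "$peercert" -noout -text \
           | grep -A1 'Subject Alternative Name' \
           | grep -Eo '(IP Address|DNS|email):[^,]+' | sed 's/^[^:]*://')
    for san in $sans; do
        [ "$san" = "$rightid" ] && { echo ok; return 0; }
    done
    echo "id mismatch: $rightid not in subjectAltName [$(echo $sans)]"
    return 1
}

# Constructed test material: a CA, one peer cert it signed with a SAN of
# 172.16.107.2, and a second CA that had no part in signing it.
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mk_ca ca-good  "/O=Example Corp/CN=example-ca"
mk_ca ca-other "/O=Other Corp/CN=other-ca"
openssl req -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=172.16.107.2" \
    -keyout "$WORK/peer.key" -out "$WORK/peer.csr" 2>/dev/null
printf 'subjectAltName=IP:172.16.107.2\n' > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/peer.csr" -CA "$WORK/ca-good.pem" \
    -CAkey "$WORK/ca-good.key" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/peer.pem" 2>/dev/null

echo "matching CA and rightid: $(check_peer_cert "$WORK/ca-good.pem" "$WORK/peer.pem" 172.16.107.2)"
echo "foreign CA:              $(check_peer_cert "$WORK/ca-other.pem" "$WORK/peer.pem" 172.16.107.2)"
echo "rightid not in cert:     $(check_peer_cert "$WORK/ca-good.pem" "$WORK/peer.pem" vpn.example.org)"
```

Point the function at the real cacert from the ca section and at the peer's end-entity certificate (for example one exported by the peer) with the configured rightid to see which of the two conditions fails.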
