Hi Jim,

IPsec is not SSL! If your peer's identity is the IPv4 address 172.16.107.2 then it will not be checked against the CN= field in the certificate. Instead the certificate must contain the IP address as a subjectAltName extension.
It also seems that the host itself is using the same certificate. You should use distinct certs for each VPN host.

Regards

Andreas

Jim Tessier wrote:
> Hello,
> I am having no luck setting up a mutually authenticated tunnel
> using certificates. I have tried mucking around with just about every
> ipsec.conf parameter, but no luck. I also saw the FAQ, but could not
> make sense of the answer. Any help is appreciated!!! Thanks.
>
> Here is my output:
>
> 04[CFG] added configuration 'home'
> 08[CFG] received stroke: initiate 'load'
> 08[CFG] no config named 'load'
> 08[CFG]
> 07[CFG] received stroke: initiate 'home'
> 10[IKE] initiating IKE_SA home[1] to 172.16.107.2
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
> 12[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
> 12[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
> 12[IKE] initiating IKE_SA home[1] to 172.16.107.2
> 12[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 12[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
> 16[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
> 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> 16[IKE] local host is behind NAT, sending keep alives
> 16[IKE] received cert request for "O=AcmePacket, OU=CSE, [email protected], L=Burlington, ST=MA, C=US, CN=selab.com"
> 16[IKE] sending cert request for "O=AcmePacket, OU=CSE, [email protected], L=Burlington, ST=MA, C=US, CN=selab.com"
> 16[IKE] authentication of 'C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2' (myself) with RSA signature successful
> 16[IKE] sending end entity cert "C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2"
> 16[IKE] establishing CHILD_SA home
> 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(EAP_ONLY) ]
> 16[NET] sending packet: from 2.2.2.3[4500] to 172.16.107.2[4500]
> 13[NET] received packet: from 172.16.107.2[4500] to 2.2.2.3[4500]
> 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr ]
> 13[IKE] received end entity cert "C=US, ST=MA, L=Burlington, O=Engineering, CN=172.16.107.2"
> 13[IKE] no trusted RSA public key found for '172.16.107.2'
> 00[DMN] signal of type SIGINT received. Shutting down
> 00[KNL] received netlink error: Invalid argument (22)
>
> And here is my ipsec.conf file:
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>   plutostart=no
>   charondebug=all
>
> ca msg1
>   cacert=CA-SS-acmesec1.pem
>   auto=add
>
> conn %default
>   ike=aes128-sha1-modp1024!
>   esp=aes128-sha1!
>   ikelifetime=23d
>   keylife=22d
>   rekeymargin=10m
>   keyingtries=1
>   keyexchange=ikev2
>   mobike=no
>   auto=add
>   lefthostaccess=no
>   dpdaction=restart
>   dpddelay=45
>   rekey=yes
>   reauth=no
>   forceencaps=yes
>
> conn home
>   left=%defaultroute
>   leftsourceip=%modeconfig
>   leftcert=acmesec1Cert.pem
>   leftfirewall=yes
>   rightfirewall=yes
>   right=172.16.107.2
>   rightid=%172.16.107.2
>   rightsubnet=192.168.105.0/24
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                                    [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
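The identity rule Andreas describes, as an added example that is not strongSwan's code: a minimal DER encoder/decoder for the subjectAltName GeneralNames value, and a matcher that, like IKEv2 for an IP identity, consults only iPAddress entries and ignores the subject CN, so a certificate with CN=172.16.107.2 but no SAN fails while one carrying 172.16.107.2 as a SAN iPAddress matches. The function names and the sample DNS name vpn.example.org are assumptions made for this example.

```python
import ipaddress

TAG_DNS = 0x82   # GeneralName [2] dNSName, IMPLICIT IA5String (RFC 5280, 4.2.1.6)
TAG_IP = 0x87    # GeneralName [7] iPAddress, IMPLICIT OCTET STRING (4 or 16 bytes)
TAG_SEQ = 0x30   # SEQUENCE OF GeneralName (the SAN extension value)

def _der_length(n):
    # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_length(der, pos):
    # decode a DER length at der[pos]; return (length, position after it)
    if der[pos] < 0x80:
        return der[pos], pos + 1
    count = der[pos] & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def encode_san(names):
    """Encode [("dns", "vpn.example.org"), ("ip", "172.16.107.2")] as GeneralNames."""
    out = b""
    for kind, value in names:
        raw = ipaddress.ip_address(value).packed if kind == "ip" else value.encode("ascii")
        tag = TAG_IP if kind == "ip" else TAG_DNS
        out += bytes([tag]) + _der_length(len(raw)) + raw
    return bytes([TAG_SEQ]) + _der_length(len(out)) + out

def decode_san(der):
    """Return the (kind, value) entries of a DER GeneralNames SEQUENCE."""
    if not der or der[0] != TAG_SEQ:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end, names = pos + length, []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        body, pos = der[pos:pos + length], pos + length
        if tag == TAG_IP:
            names.append(("ip", str(ipaddress.ip_address(body))))
        elif tag == TAG_DNS:
            names.append(("dns", body.decode("ascii")))
    return names   # other GeneralName choices (rfc822Name, directoryName, URI) are skipped

def ip_identity_matches(identity, subject_cn, san_der):
    """IKEv2 ID_IPV4_ADDR/ID_IPV6_ADDR check: only SAN iPAddress entries count.
    subject_cn is taken only to make the point explicit: it is never consulted."""
    wanted = ipaddress.ip_address(identity)
    san = decode_san(san_der) if san_der else []
    return any(k == "ip" and ipaddress.ip_address(v) == wanted for k, v in san)
```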
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
