Hi Andreas, This problem was solved by the solution provided in http://www.mail-archive.com/[email protected]/msg02152.html. I now have a new problem for which I cannot find a solution. It would be great if you could help me understand the problem, and hopefully provide a solution too.
I generated the private key and certificate for my machines (the initiator and the receiver) by executing the following command on each of them:

    openssl req -x509 -days 1460 -newkey rsa:2048 \
        -keyout strongswanKey.pem -out strongswanCert.pem

I then placed the file strongswanKey.pem in the path /etc/ipsec.d/private/, and the file strongswanCert.pem in the path /etc/ipsec.d/certs. So now, the line

    : RSA strongswanKey.pem "xxxx"

is added to the file ipsec.secrets, and the line

    leftcert=strongswanCert.pem

is added to the file ipsec.conf. After starting strongswan, the following was seen in the log file:

Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswanKey.pem'
Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Mar 17 18:35:32 cip-Latitude-D520 charon: 00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve

Later on in the logs, I see that CHILD_SA was established, but IKE authentication failed. I am not sure if this is connected to the above problem.
Please find a part of the logfile here:

Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA sample-with-ca-cert
Mar 17 18:35:44 cip-Latitude-D520 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 17 18:35:44 cip-Latitude-D520 charon: 12[NET] sending packet: from 10.58.114.215[4500] to 10.58.112.139[4500]
Mar 17 18:35:44 cip-Latitude-D520 charon: 13[NET] received packet: from 10.58.112.139[4500] to 10.58.114.215[4500]
Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received AUTHENTICATION_FAILED notify error

Could you please help me sort this out?

Thanks in advance,
Meera

On Wed, Mar 9, 2011 at 11:26 PM, Andreas Steffen <[email protected]> wrote:
> The log entry:
>
>   : 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>   : 06[NET] sending packet: from 10.58.114.215[500] to 10.58.112.139[500]
>   : 14[IKE] retransmit 1 of request with message ID 0
>
> just means that your peer either does not receive the IKE_SA_INIT
> request or that the IKE_SA_INIT reply gets lost on the way back.
> You should check the log on the peer side.
>
> Regards
>
> Andreas
>
> On 03/09/2011 08:08 AM, Meera Sudhakar wrote:
>> Hi,
>> I am new to strongswan, and would really appreciate some help in setting
>> up the SAs. For some reason, packets being sent are not being received
>> by the other machine. After retries, it says "peer not responding, try
>> again".
>> Please find below an excerpt of my log file:
>>
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] received stroke: add connection 'sample-with-ca-cert'
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] loaded certificate "C=CH, O=Linux strongSwan, OU=Sales, [email protected]" from 'myCert.pem'
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] id '10.58.114.215' not confirmed by certificate, defaulting to 'C=CH, O=Linux strongSwan, OU=Sales, [email protected]'
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] added configuration 'sample-with-ca-cert'
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] received stroke: initiate 'sample-with-ca-cert'
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[IKE] initiating IKE_SA sample-with-ca-cert[1] to 10.58.112.139
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Mar 9 13:25:59 cip-Latitude-D520 charon: 06[NET] sending packet: from 10.58.114.215[500] to 10.58.112.139[500]
>> Mar 9 13:26:03 cip-Latitude-D520 charon: 14[IKE] retransmit 1 of request with message ID 0
>> Mar 9 13:26:03 cip-Latitude-D520 charon: 14[NET] sending packet: from 10.58.114.215[500] to 10.58.112.139[500]
>> Mar 9 13:26:04 cip-Latitude-D520 charon: 10[CFG] received stroke: add connection 'sample-with-ca-cert'
>>
>> Also, please find below my ipsec.conf file:
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>         charondebug=all
>>         # plutodebug=all
>>         # crlcheckinterval=600
>>         strictcrlpolicy=yes
>>         # cachecrls=yes - only for ikev1
>>         # nat_traversal=yes
>>         charonstart=yes
>>         # plutostart=yes - only for ikev1
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> #conn sample-self-signed
>> #       left=10.58.112.170
>> #       leftsubnet=10.1.0.0/16
>> #       leftcert=selfCert.der
>> #       leftsendcert=never
>> #       right=10.58.112.235
>> #       rightsubnet=10.2.0.0/16
>> #       rightcert=peerCert.der
>> #       auto=start
>>
>> conn sample-with-ca-cert
>>         left=10.58.114.215
>>         leftsubnet=10.58.114.0/24
>>         leftcert=myCert.pem
>>         right=10.58.112.139
>>         rightsubnet=10.58.112.0/24
>>         rightid="C=CH, O=Linux strongSwan CN=peer name"
>>         keyexchange=ikev2
>>         auto=start
>>
>> include /var/lib/strongswan/ipsec.conf.inc
>>
>> Can someone help me out?
>>
>> Thanks,
>> Mira
>>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
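Added example, not from this thread and not strongSwan's own code: a small Python model of how a configured leftid/rightid is compared against a certificate subject DN, which is the check worth running when an IKE_AUTH exchange with certificate authentication ends in AUTHENTICATION_FAILED. It assumes a simplified version of strongSwan's comparison (RDNs compared in order, attribute types case-insensitive, '*' as a wildcard value); the DN strings it runs on are constructed.

```python
"""Constructed example: a simplified model of how a configured strongSwan
identity (leftid/rightid) is compared with a certificate subject DN.
Not strongSwan's code. Assumptions: RDNs are compared in order, attribute
types are case-insensitive, and '*' in the configured id matches any value."""
import re

# Attribute-type spellings that name the same OID (constructed subset).
ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}


def parse_dn(dn):
    """Split 'C=CH, O=Linux strongSwan, CN=peer' into [(type, value), ...].
    Unescaped commas separate RDNs; '\\,' is a literal comma inside a value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip().replace("\\,", ",")
        if not part:
            continue
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((ALIASES.get(attr, attr), value.strip()))
    return rdns


def match_id(configured, subject):
    """Return (ok, reason) for a configured id checked against a subject DN."""
    want, have = parse_dn(configured), parse_dn(subject)
    if len(want) != len(have):
        return False, "RDN count differs: configured %d, certificate %d" % (
            len(want), len(have))
    for (wt, wv), (ht, hv) in zip(want, have):
        if wt != ht:
            return False, "attribute order differs: configured %s, certificate %s" % (wt, ht)
        if wv != "*" and wv != hv:
            return False, "%s mismatch: configured %r, certificate %r" % (wt, wv, hv)
    return True, "match"


if __name__ == "__main__":
    subject = "C=CH, O=Linux strongSwan, CN=peer name"  # constructed subject DN
    for rightid in ("C=CH, O=Linux strongSwan, CN=*",
                    "C=CH, O=Linux strongSwan CN=peer name",  # comma missing
                    "C=CH, O=Linux strongSwan, CN=other"):
        print("%-45s -> %s" % (rightid, match_id(rightid, subject)))
```

A missing comma between RDNs does not produce a parse error; it silently folds the remainder of the string into the previous attribute's value, so the reason string is what tells the two cases apart.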
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
