On 17.03.2011 12:33, Meera Sudhakar wrote:
> Hi Andreas,
>
> This problem was solved by the solution provided in
> http://www.mail-archive.com/[email protected]/msg02152.html. I
> now have a new problem for which I cannot find a solution. It would be
> great if you could help me understand the problem, and hopefully provide
> a solution too.
>
> I generated the private key and certificate for my machines (the
> initiator and the receiver) by executing the following command on each
> of them:
>
>     openssl req -x509 -days 1460 -newkey rsa:2048 \
>         -keyout strongswanKey.pem -out strongswanCert.pem
>
This generates a self-signed CA certificate which cannot be used as a
peer certificate.

> I then placed the file strongswanKey.pem in the path
> /etc/ipsec.d/private/, and the file strongswanCert.pem in the path
> /etc/ipsec.d/certs. So now, the line " : RSA strongswanKey.pem "xxxx" "
> is added to the file ipsec.secrets, and the line
> "leftcert=strongswanCert.pem" is added to the file ipsec.conf.
>
> After starting strongswan, the following was seen in the log file:
>
> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loaded RSA private
> key from '/etc/ipsec.d/private/strongswanKey.pem'
> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file
> expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>
Do you include secrets from /var/lib/strongswan/ipsec.secrets.inc ?

> Mar 17 18:35:32 cip-Latitude-D520 charon: 00[DMN] loaded plugins: curl
> ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem
> openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default
> farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
> dhcp resolve
>
> Later on in the logs, I see that CHILD_SA was established, but IKE
> authentication failed. I am not sure if this is connected to the above
> problem. Please find a part of the logfile here:
>
> Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA
> sample-with-ca-cert
>
This is just an announcement that a CHILD_SA is going to be established.

> Mar 17 18:35:44 cip-Latitude-D520 charon: 12[ENC] generating IKE_AUTH
> request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 12[NET] sending packet: from
> 10.58.114.215[4500] to 10.58.112.139[4500]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 13[NET] received packet: from
> 10.58.112.139[4500] to 10.58.114.215[4500]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH
> response 1 [ N(AUTH_FAILED) ]
> Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received
> AUTHENTICATION_FAILED notify error
>
The peer side has an authentication problem because you are sending a
self-signed certificate. You must send an end entity certificate signed
by the strongSwan CA and put strongswanCert.pem into /etc/ipsec.d/cacerts
as a trust anchor.

> Could you please help me sort this out?
>
Consult the following link on how to set up a simple PKI:

http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

> Thanks in advance,
>
> Meera

Regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
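The following script is an added example written for this page; it is not code from the thread, from Andreas, or from the strongSwan project, and it does not come from the linked SimpleCA page (which uses strongSwan's own `ipsec pki` tool rather than openssl). It reproduces the mistake from the original post with openssl, then builds what Andreas asks for: a CA, an end-entity certificate for the peer issued by that CA, and the three files placed under ipsec.d with the trust anchor in cacerts. A small check shows why the original strongswanCert.pem cannot serve as `leftcert=`: it carries the CA flag. Assumptions: `openssl` is in PATH, `PKI_DIR`, the peer name `initiator`, the subject names and the `.example.org` hostnames are all made up for the example, and `-nodes`/`-subj` are added so the script runs without prompting (the original command produced a passphrase-protected key, hence the `"xxxx"` in the posted ipsec.secrets line).

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): build the
# minimal PKI Andreas describes with openssl, then check which certificate
# is actually usable as a peer (end-entity) certificate.
# Assumptions: openssl in PATH; PKI_DIR is a scratch directory (hypothetical
# name); subject names and hostnames are made up.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Step 1: the command from the original post. With -x509, openssl emits a
# self-signed certificate carrying basicConstraints CA:TRUE, i.e. a CA cert.
# -nodes and -subj are added only so the script runs without prompting.
make_ca() {
    openssl req -x509 -days 1460 -newkey rsa:2048 -nodes \
        -subj "/C=CH/O=strongSwan/CN=strongSwan CA" \
        -keyout "$PKI_DIR/caKey.pem" -out "$PKI_DIR/caCert.pem" 2>/dev/null
}

# Step 2: what each peer actually needs: its own key, a request, and an
# end-entity certificate issued (signed) by the CA above. The extension
# file pins CA:FALSE and a SAN so the cert can only act as an end entity.
make_peer() {            # $1 = peer name, e.g. initiator (made-up name)
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CH/O=strongSwan/CN=$name.example.org" \
        -keyout "$PKI_DIR/${name}Key.pem" -out "$PKI_DIR/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s.example.org\n' \
        "$name" > "$PKI_DIR/$name.ext"
    openssl x509 -req -days 730 -in "$PKI_DIR/$name.csr" \
        -CA "$PKI_DIR/caCert.pem" -CAkey "$PKI_DIR/caKey.pem" -CAcreateserial \
        -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/${name}Cert.pem" 2>/dev/null
}

# True if the certificate claims to be a CA (basicConstraints CA:TRUE).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# A certificate is usable for leftcert= only if it is an end-entity cert
# AND chains to the trust anchor that will sit in /etc/ipsec.d/cacerts.
# $1 = CA cert (trust anchor), $2 = candidate peer cert.
peer_cert_usable() {
    if is_ca_cert "$2"; then
        echo "$2: CA certificate, not usable as peer certificate" >&2
        return 1
    fi
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Where the files go. $1 = peer name, $2 = ipsec.d directory (defaults to
# /etc/ipsec.d; pass a scratch directory to try it without root). Prints the
# lines that belong in ipsec.secrets and in the conn section of ipsec.conf.
install_peer() {
    name="$1"; dst="${2:-/etc/ipsec.d}"
    mkdir -p "$dst/cacerts" "$dst/certs" "$dst/private"
    cp "$PKI_DIR/caCert.pem"      "$dst/cacerts/"   # trust anchor
    cp "$PKI_DIR/${name}Cert.pem" "$dst/certs/"     # leftcert=
    cp "$PKI_DIR/${name}Key.pem"  "$dst/private/"   # referenced from ipsec.secrets
    chmod 600 "$dst/private/${name}Key.pem"
    echo ": RSA ${name}Key.pem"        # ipsec.secrets (no passphrase, key made with -nodes)
    echo "leftcert=${name}Cert.pem"    # ipsec.conf
}

main() {
    make_ca
    make_peer initiator
    # The CA cert itself fails the check, exactly the situation in the post.
    peer_cert_usable "$PKI_DIR/caCert.pem" "$PKI_DIR/caCert.pem" || true
    peer_cert_usable "$PKI_DIR/caCert.pem" "$PKI_DIR/initiatorCert.pem" \
        && echo "initiatorCert.pem is usable as leftcert"
    install_peer initiator "$PKI_DIR/ipsec.d"
}

main
```

Only caCert.pem is copied to the peers; caKey.pem stays on whatever host acts as the CA, since anyone holding it can issue certificates every peer will trust. If the peer key is generated with a passphrase instead of `-nodes`, the ipsec.secrets line needs the passphrase appended in quotes, as in the original post. The `openssl verify` step also catches the other common failure, a peer certificate that was not issued by the CA whose certificate sits in cacerts.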
