Hello Shashi,

strongSwan does *not* require the keys and certificates to be in binary DER format. It can handle PEM-encoded keys as well and even automatically detects the format. What strongSwan cannot handle are private key files consisting of a concatenation of a PEM private key and a PEM certificate, a format that is often used by SSL servers.

Regards

Andreas

On 08/25/2011 10:02 PM, Shashi Yash wrote:
> Thanks Nguyen / Andreas / Martin for your responses !!!
>
> I took your suggestions and changed the ipsec.conf as follows and it worked !!!
>
> Also I had an error with ipsec.secrets file, for some reason strong
> swan expects the key to be in DER format. So I had to convert my keys
> to DER format with the below command.
>
> openssl rsa -in rh1_Key.pem -outform DER -out rh1_Key.der
>
> RH1:
> --------
> conn net-net
>     left=10.19.61.35
>     leftsubnet=192.168.100.0/24
>     leftcert=rh1_Cert.pem
>     right=10.19.61.67
>     rightsubnet=192.168.200.0/24
>     rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
>     auto=start
>     keyexchange=ikev2
>     #authby=secret
>     auth=esp
>     ike=3des-sha1-modp2048
>     esp=3des-sha1-modp2048
>
> RH2:
> ----------
> conn net-net
>     left=10.19.61.67
>     leftsubnet=192.168.200.0/24
>     leftcert=rh2_Cert.pem
>     right=10.19.61.35
>     rightsubnet=192.168.100.0/24
>     rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
>     auto=start
>     keyexchange=ikev2
>     #authby=secret
>     auth=esp
>     ike=3des-sha1-modp2048
>     esp=3des-sha1-modp2048
>
> Thanks Again
> -shashi..
>
> On Wed, Aug 24, 2011 at 5:58 PM, Shashi Yash <[email protected]> wrote:
>> Trying to setup ipsec site to site scenario on two red hat machines. I
>> get the following error: "no acceptable proposal found" on both
>> machines. Can you guys please tell me why I'm getting the following
>> error.
>>
>> I have pasted the configs and logs from both machines.
>>
>> RH1: ipsec.conf
>> conn net-net
>>     left=10.19.61.35
>>     leftsubnet=192.168.100.0/24
>>     leftcert=rh1_Cert.pem
>>     right=10.19.61.67
>>     rightsubnet=192.168.200.0/24
>>     leftid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
>>     auto=start
>>     ike=3des
>>     esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>>
>> RH2:ipsec.conf
>> conn net-net
>>     left=10.19.61.67
>>     leftsubnet=192.168.200.0/24
>>     leftcert=rh2_Cert.pem
>>     right=10.19.61.35
>>     rightsubnet=192.168.100.0/24
>>     rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
>>     auto=start
>>     ike=3des
>>     esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>>
>> RH1 Log:
>> -------------------
>> 13[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 13[IKE] 10.19.61.67 is initiating an IKE_SA
>> 13[IKE] no acceptable proposal found
>> 13[ENC] generating IKE_SA_INIT response 0 [ ]
>> 13[NET] sending packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 14[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 14[IKE] 10.19.61.67 is initiating an IKE_SA
>> 14[IKE] no acceptable proposal found
>>
>> RH2 Log:
>> ---------------------
>>
>> 10[IKE] initiating IKE_SA net-net[1] to 10.19.61.35
>> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 10[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 11[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 11[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
>> 11[IKE] IKE_SA_INIT response with message ID 0 processing failed
>> 12[IKE] retransmit 1 of request with message ID 0
>> 12[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 13[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 13[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
>> 13[IKE] IKE_SA_INIT response with message ID 0 processing failed
>> 14[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 14[IKE] 10.19.61.35 is initiating an IKE_SA
>> 14[IKE] no acceptable proposal found
>>
>> Thanks in Advance
>> -shashi..

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
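
Added example, not part of the original thread and not strongSwan code: a small check for the key-file case described in the reply above, which reports whether a file is DER, a single PEM object, or a concatenated PEM key plus certificate, and splits the concatenated form. The function names and the sample data (constructed placeholders, not real key material) are assumptions made for illustration.

```python
import re

# One PEM block; the label must match in the BEGIN and END lines.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL
)

def pem_blocks(data: bytes):
    """Return [(label, block_bytes), ...] for every PEM block in data."""
    return [(m.group(1).decode(), m.group(0)) for m in PEM_BLOCK.finditer(data)]

def is_key(label: str) -> bool:
    # Covers "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
    return label.endswith("PRIVATE KEY")

def describe(data: bytes) -> str:
    """Classify a key/certificate file by its encoding and contents."""
    blocks = pem_blocks(data)
    if not blocks:
        # DER keys and certificates start with an ASN.1 SEQUENCE tag (0x30).
        return "der" if data[:1] == b"\x30" else "unknown"
    has_key = any(is_key(label) for label, _ in blocks)
    has_cert = any(label == "CERTIFICATE" for label, _ in blocks)
    if has_key and has_cert:
        return "pem-key+cert"  # the concatenated form the reply warns about
    return "pem-key" if has_key else "pem-cert" if has_cert else "unknown"

def split_combined(data: bytes):
    """Split a concatenated file into (key-only PEM, certificate-only PEM)."""
    blocks = pem_blocks(data)
    key_pem = b"".join(b + b"\n" for label, b in blocks if is_key(label))
    cert_pem = b"".join(b + b"\n" for label, b in blocks if label == "CERTIFICATE")
    return key_pem, cert_pem

# Constructed sample: placeholder base64 bodies, not real key material.
SAMPLE_COMBINED = (
    b"-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
    b"-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(describe(SAMPLE_COMBINED))
    key_pem, cert_pem = split_combined(SAMPLE_COMBINED)
    print(describe(key_pem), describe(cert_pem))
```

The key-only output is what an ipsec.secrets entry would point at, and the certificate-only output is what `leftcert=` would reference.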
