Please save me, I'm about to commit Seppuku!

I'm trying to set up a roadwarrior terminator on Ubuntu 10.04 LTS. I've got a 
near identical setup working on Ubuntu 9.10 but this new one's being difficult.

It appears it's not associating the local certificate with its private key 
properly, even though both appear to be loaded correctly:

root@fw:~# ipsec listcerts
000
000 List of X.509 End Certificates:
000
000 Oct 13 18:28:47 2011, count: 2
000        subject:  'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'
000        issuer:   'CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]'
000        serial:    05
000        validity:  not before Oct 13 18:27:55 2011 ok
000                   not after  Oct 11 18:27:55 2016 ok
000        pubkey:    RSA 2048 bits, has private key
000        keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
000        subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
000        authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
000        aserial:   00:d2:a1:e8:5e:53:ee:9f:63

List of X.509 End Entity Certificates:

  subject:  "C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]"
  issuer:   "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
  serial:    05
  validity:  not before Oct 13 18:27:55 2011, ok
             not after  Oct 11 18:27:55 2016, ok 
  pubkey:    RSA 2048 bits
  keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
  subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
  authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4

Note the top says "has private key" but the bottom doesn't. WTF is up with that?

Here's what I'm getting in the logs when I try to connect, which pretty much 
matches the above:

Oct 13 18:03:02 tkh-fw charon: 09[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
Oct 13 18:03:02 tkh-fw charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 13 18:03:02 tkh-fw charon: 09[IKE] 122.63.65.10 is initiating an IKE_SA
Oct 13 18:03:02 tkh-fw charon: 09[IKE] remote host is behind NAT
Oct 13 18:03:02 tkh-fw charon: 09[IKE] DH group ECP_192 inacceptable, requesting MODP_2048
Oct 13 18:03:02 tkh-fw charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 13 18:03:02 tkh-fw charon: 09[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
Oct 13 18:03:03 tkh-fw charon: 16[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
Oct 13 18:03:03 tkh-fw charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 13 18:03:03 tkh-fw charon: 16[IKE] 122.63.65.10 is initiating an IKE_SA
Oct 13 18:03:03 tkh-fw charon: 16[IKE] remote host is behind NAT
Oct 13 18:03:03 tkh-fw charon: 16[IKE] sending cert request for "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
Oct 13 18:03:03 tkh-fw charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 13 18:03:03 tkh-fw charon: 16[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
Oct 13 18:03:03 tkh-fw charon: 11[NET] received packet: from 122.63.65.10[4500] to x.x.x.x[4500]
Oct 13 18:03:03 tkh-fw charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
Oct 13 18:03:03 tkh-fw charon: 11[IKE] received end entity cert "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
Oct 13 18:03:03 tkh-fw charon: 11[CFG] looking for peer configs matching x.x.x.x[C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]]...122.63.65.10[C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]]
Oct 13 18:03:03 tkh-fw charon: 11[CFG] selected peer config 'Roadwarriors'
Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using certificate "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using trusted ca certificate "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, [email protected]"
Oct 13 18:03:03 tkh-fw charon: 11[CFG] checking certificate status of "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]"
Oct 13 18:03:03 tkh-fw charon: 11[CFG] certificate status is not available
Oct 13 18:03:03 tkh-fw charon: 11[IKE] authentication of 'C=NZ, ST=N/A, O=XX.net.nz, CN=sin, [email protected]' with RSA signature successful
Oct 13 18:03:03 tkh-fw charon: 11[IKE] peer supports MOBIKE
Oct 13 18:03:03 tkh-fw charon: 11[IKE] no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'
Oct 13 18:03:03 tkh-fw charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 13 18:03:03 tkh-fw charon: 11[NET] sending packet: from x.x.x.x[4500] to 122.63.65.10[4500]

This is the pertinent bit:
> no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, [email protected]'

Buggered if I know what's going on.

Any ideas?

Thanks.

Luke.
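A sanity check worth running before going further with a report like this one, added here as an example and not part of the original post or of strongSwan itself: compare the SHA-1 of the DER-encoded SubjectPublicKeyInfo of the certificate with the same hash of the public half of the private key. That hash is the value strongSwan prints as "keyid" in `ipsec listcerts`, so if the two differ, the key file charon is loading is simply not the one the certificate was issued for. The script assumes openssl is on PATH; the subject name and the fixture files it generates are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a PEM private key
# really belongs to an X.509 certificate by comparing the SHA-1 of the
# DER-encoded SubjectPublicKeyInfo on both sides. That hash is the value
# strongSwan prints as "keyid" in "ipsec listcerts". Assumes openssl is on PATH.
set -u

# SHA-1 keyid of the public key inside a certificate, colon separated.
cert_keyid() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 -c | sed 's/^.*= //'
}

# SHA-1 keyid of the public half of a private key, same encoding.
key_keyid() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha1 -c | sed 's/^.*= //'
}

# Exit 0 when the certificate and private key belong together, 1 otherwise.
cert_matches_key() {
    c=$(cert_keyid "$1")
    k=$(key_keyid "$2")
    printf 'cert keyid: %s\nkey  keyid: %s\n' "$c" "$k"
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build constructed fixtures in a temp dir and print its path: a.key with a
# matching self-signed a.crt, plus an unrelated b.key. Subject is a placeholder.
make_fixtures() {
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/a.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/b.key" 2>/dev/null
    openssl req -new -x509 -key "$d/a.key" -subj "/C=NZ/O=example/CN=fw-1" \
        -days 1 -out "$d/a.crt" 2>/dev/null
    echo "$d"
}

# Usage: sh check_keyid.sh --demo, or source it and call cert_matches_key cert.pem key.pem
if [ "${1:-}" = "--demo" ]; then
    D=$(make_fixtures)
    cert_matches_key "$D/a.crt" "$D/a.key" && echo "a.crt <-> a.key: MATCH"
    cert_matches_key "$D/a.crt" "$D/b.key" || echo "a.crt <-> b.key: MISMATCH"
    rm -rf "$D"
fi
```

On the reporter's box the same comparison would be run against the certificate in /etc/ipsec.d/certs and the key file named in ipsec.secrets; a match there points the investigation at how charon is being told about the key rather than at the key itself.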