See my inline comments: On 17.10.2011 12:15, Jayateerth Hulgi wrote: > Hi, > > > > I am not able to resolve the following error no private key found for > '[email protected]' .. > > I have included logs as well as my conf please do help me to establish > connection .. > > I m having doubt in ipsec.secrets file . > > > Host1: > > ./ipsec up host-host > > initiating IKE_SA host-host[4] to 107.108.204.245 > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] > > sending packet: from 107.108.204.246[500] to 107.108.204.245[500] > > received packet: from 107.108.204.245[500] to 107.108.204.246[500] > > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) > CERTREQ N(MULT_AUTH) ] > > received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" > > no private key found for '[email protected]' > > > > conn host-host > > left=107.108.204.246 > > right=107.108.204.245 > > leftcert=aliceCert.pem > > leftfirewall=no > > [email protected] > > rightid=venus.strongswan.org > > rightsendcert=never > since you seem to have changed your authentication from EAP-AKA to mutual certificate-based authentication you should remove the rightsendcert=never option. The fatal consequences of this directive is shown below.
> mobike=no > > auto=add > > > > > > Oct 17 14:44:20 localhost charon: 00[DMN] Starting IKEv2 charon daemon > (strongSwan 4.5.3) > > Oct 17 14:44:20 localhost charon: 00[CFG] disabling load-tester plugin, > not configured > > Oct 17 14:44:20 localhost charon: 00[LIB] plugin 'load-tester': failed > to load - load_tester_plugin_create returned NULL > > Oct 17 14:44:20 localhost charon: 00[KNL] listening on interfaces: > > Oct 17 14:44:20 localhost charon: 00[KNL] eth1 > > Oct 17 14:44:20 localhost charon: 00[KNL] 107.108.204.246 > > Oct 17 14:44:20 localhost charon: 00[KNL] 10.10.1.1 > > Oct 17 14:44:20 localhost charon: 00[KNL] 2011::14 > > Oct 17 14:44:20 localhost charon: 00[KNL] fe80::21b:11ff:febb:263c > > Oct 17 14:44:20 localhost charon: 00[CFG] loading ca certificates from > '/etc/ipsec.d/cacerts' > > Oct 17 14:44:20 localhost charon: 00[CFG] loaded ca certificate "C=CH, > O=Linux strongSwan, CN=strongSwan Root CA" from > '/etc/ipsec.d/cacerts/strongswanCert.pem' > > Oct 17 14:44:20 localhost charon: 00[CFG] loading aa certificates from > '/etc/ipsec.d/aacerts' > > Oct 17 14:44:20 localhost charon: 00[CFG] loading ocsp signer > certificates from '/etc/ipsec.d/ocspcerts' > > Oct 17 14:44:20 localhost charon: 00[CFG] loading attribute certificates > from '/etc/ipsec.d/acerts' > > Oct 17 14:44:20 localhost charon: 00[CFG] loading crls from > '/etc/ipsec.d/crls' > > Oct 17 14:44:20 localhost charon: 00[CFG] loading secrets from > '/etc/ipsec.secrets' > > Oct 17 14:44:20 localhost charon: 00[CFG] loaded RSA private key from > '/etc/ipsec.d/private/aliceKey.pem' > > Oct 17 14:44:20 localhost charon: 00[CFG] eap-simaka-sql database URI > missing > > Oct 17 14:44:20 localhost charon: 00[LIB] plugin 'eap-simaka-sql': > failed to load - eap_simaka_sql_plugin_create returned NULL > > Oct 17 14:44:20 localhost charon: 00[DMN] loaded plugins: aes des sha1 > sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl > fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default > socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2 > > Oct 17 14:44:20 localhost charon: 00[JOB] spawning 16 worker threads > > Oct 17 14:44:21 localhost charon: 07[CFG] received stroke: add > connection 'host-host' > > Oct 17 14:44:21 localhost charon: 07[CFG] loaded certificate "C=CH, > O=Linux strongSwan, OU=Sales, [email protected]" from 'aliceCert.pem' > > Oct 17 14:44:21 localhost charon: 07[CFG] added configuration 'host-host' > > Oct 17 14:44:23 localhost charon: 07[CFG] received stroke: initiate > 'host-host' > > Oct 17 14:44:23 localhost charon: 09[IKE] initiating IKE_SA host-host[1] > to 107.108.204.245 > > Oct 17 14:44:23 localhost charon: 09[ENC] generating IKE_SA_INIT request > 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] > > Oct 17 14:44:23 localhost charon: 09[NET] sending packet: from > 107.108.204.246[500] to 107.108.204.245[500] > > Oct 17 14:44:23 localhost charon: 10[NET] received packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 14:44:23 localhost charon: 10[ENC] parsed IKE_SA_INIT response 0 > [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] > > Oct 17 14:44:23 localhost charon: 10[IKE] received cert request for > "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" > > Oct 17 14:44:23 localhost charon: 10[IKE] authentication of > '[email protected]' (myself) with RSA signature successful > > Oct 17 14:44:23 localhost charon: 10[IKE] sending end entity cert "C=CH, > O=Linux strongSwan, OU=Sales, [email protected]" > > Oct 17 14:44:23 localhost charon: 10[IKE] establishing CHILD_SA host-host > > Oct 17 14:44:23 localhost charon: 10[ENC] generating IKE_AUTH request 1 > [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] > alice does not send a certificate request payload. Therefore venus will not send a certificate payload (see comment below) > Oct 17 14:44:23 localhost charon: 10[NET] sending packet: from > 107.108.204.246[500] to 107.108.204.245[500] > > Oct 17 14:44:23 localhost charon: 11[NET] received packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 14:44:23 localhost charon: 11[ENC] parsed IKE_AUTH response 1 [ > IDr AUTH SA TSi TSr N(AUTH_LFT) ] > The peer venus does not include a certificate payload in the IKE_AUTH response. Therefore alice cannot find the public key of venus. > Oct 17 14:44:23 localhost charon: 11[IKE] no trusted RSA public key > found for 'venus.strongswan.org' > > > > Ipsec.secrets:= > > > > # /etc/ipsec.secrets - strongSwan IPsec secrets file > > > > : RSA alicekey.pem > > > > Host2: > > /ipsec up host-host > > initiating IKE_SA host-host[3] to 107.108.204.246 > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] > > sending packet: from 107.108.204.245[500] to 107.108.204.246[500] > > received packet: from 107.108.204.246[500] to 107.108.204.245[500] > > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) > N(MULT_AUTH) ] > > sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" > > authentication of 'venus.strongswan.org' (myself) with RSA signature > successful > > establishing CHILD_SA host-host > > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA > TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] > > sending packet: from 107.108.204.245[500] to 107.108.204.246[500] > > received packet: from 107.108.204.246[500] to 107.108.204.245[500] > > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] > > received AUTHENTICATION_FAILED notify error > > > > > > conn host-host > > left=107.108.204.245 > > right=107.108.204.246 > > leftcert=venusCert.pem > > [email protected] > > leftid=venus.strongswan.org > > leftfirewall=no > > mobike=no > > auto=add > > > > logs: > > Oct 17 15:38:18 infba02071 charon: 00[DMN] Starting IKEv2 charon daemon > (strongSwan 4.5.3) > > Oct 17 15:38:18 infba02071 charon: 00[CFG] disabling load-tester plugin, > not configured > > Oct 17 15:38:18 infba02071 charon: 00[LIB] plugin 'load-tester': failed > to load - load_tester_plugin_create returned NULL > > Oct 17 15:38:18 infba02071 charon: 00[KNL] listening on interfaces: > > Oct 17 15:38:18 infba02071 charon: 00[KNL] peth1 > > Oct 17 15:38:18 infba02071 charon: 00[KNL] fe80::21b:11ff:febb:2651 > > Oct 17 15:38:18 infba02071 charon: 00[KNL] virbr0 > > Oct 17 15:38:18 infba02071 charon: 00[KNL] 192.168.122.1 > > Oct 17 15:38:18 infba02071 charon: 00[KNL] fe80::200:ff:fe00:0 > > Oct 17 15:38:18 infba02071 charon: 00[KNL] eth1 > > Oct 17 15:38:18 infba02071 charon: 00[KNL] 107.108.204.245 > > Oct 17 15:38:18 infba02071 charon: 00[KNL] fe80::21b:11ff:febb:2651 > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loading ca certificates from > '/etc/ipsec.d/cacerts' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loaded ca certificate > "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from > '/etc/ipsec.d/cacerts/strongswanCert.pem' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loading aa certificates from > '/etc/ipsec.d/aacerts' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loading ocsp signer > certificates from '/etc/ipsec.d/ocspcerts' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loading attribute > certificates from '/etc/ipsec.d/acerts' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loading crls from > '/etc/ipsec.d/crls' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loading secrets from > '/etc/ipsec.secrets' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] loaded RSA private key from > '/etc/ipsec.d/private/venusKey.pem' > > Oct 17 15:38:18 infba02071 charon: 00[CFG] eap-simaka-sql database URI > missing > > Oct 17 15:38:18 infba02071 charon: 00[LIB] plugin 'eap-simaka-sql': > failed to load - eap_simaka_sql_plugin_create returned NULL > > Oct 17 15:38:18 infba02071 charon: 00[DMN] loaded plugins: aes des sha1 > sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl > fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default > socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2 > > Oct 17 15:38:18 infba02071 charon: 00[JOB] spawning 16 worker threads > > Oct 17 15:38:18 infba02071 charon: 02[CFG] received stroke: add > connection 'host-host' > > Oct 17 15:38:18 infba02071 charon: 02[CFG] loaded certificate "C=CH, > O=Linux strongSwan, CN=venus.strongswan.org" from 'venusCert.pem' > > Oct 17 15:38:18 infba02071 charon: 02[CFG] added configuration 'host-host' > > Oct 17 15:38:19 infba02071 charon: 07[NET] received packet: from > 107.108.204.246[500] to 107.108.204.245[500] > > Oct 17 15:38:19 infba02071 charon: 07[ENC] parsed IKE_SA_INIT request 0 > [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] > > Oct 17 15:38:19 infba02071 charon: 07[IKE] 107.108.204.246 is initiating > an IKE_SA > > Oct 17 15:38:19 infba02071 charon: 07[IKE] sending cert request for > "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" > > Oct 17 15:38:19 infba02071 charon: 07[ENC] generating IKE_SA_INIT > response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] > > Oct 17 15:38:19 infba02071 charon: 07[NET] sending packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 15:38:19 infba02071 charon: 08[NET] received packet: from > 107.108.204.246[500] to 107.108.204.245[500] > > Oct 17 15:38:19 infba02071 charon: 08[ENC] parsed IKE_AUTH request 1 [ > IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] > > Oct 17 15:38:19 infba02071 charon: 08[IKE] received end entity cert > "C=CH, O=Linux strongSwan, OU=Sales, [email protected]" > > Oct 17 15:38:19 infba02071 charon: 08[CFG] looking for peer configs > matching > 107.108.204.245[venus.strongswan.org]...107.108.204.246[[email protected]] > > > Oct 17 15:38:19 infba02071 charon: 08[CFG] selected peer config 'host-host' > > Oct 17 15:38:19 infba02071 charon: 08[CFG] using certificate "C=CH, > O=Linux strongSwan, OU=Sales, [email protected]" > > Oct 17 15:38:19 infba02071 charon: 08[CFG] using trusted ca > certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" > > Oct 17 15:38:19 infba02071 charon: 08[CFG] checking certificate status > of "C=CH, O=Linux strongSwan, OU=Sales, [email protected]" > > Oct 17 15:38:19 infba02071 charon: 08[CFG] fetching crl from > 'http://crl.strongswan.org/strongswan.crl' ... > > Oct 17 15:38:19 infba02071 charon: 08[LIB] unable to fetch from > http://crl.strongswan.org/strongswan.crl, no capable fetcher found > > Oct 17 15:38:19 infba02071 charon: 08[CFG] crl fetching failed > > Oct 17 15:38:19 infba02071 charon: 08[CFG] certificate status is not > available > > Oct 17 15:38:19 infba02071 charon: 08[CFG] reached self-signed root ca > with a path length of 0 > > Oct 17 15:38:19 infba02071 charon: 08[IKE] authentication of > '[email protected]' with RSA signature successful > > Oct 17 15:38:19 infba02071 charon: 08[IKE] authentication of > 'venus.strongswan.org' (myself) with RSA signature successful > > Oct 17 15:38:19 infba02071 charon: 08[IKE] IKE_SA host-host[1] > established between > 107.108.204.245[venus.strongswan.org]...107.108.204.246[[email protected]] > > > Oct 17 15:38:19 infba02071 charon: 08[IKE] scheduling reauthentication > in 3253s > > Oct 17 15:38:19 infba02071 charon: 08[IKE] maximum IKE_SA lifetime 3433s > > Oct 17 15:38:19 infba02071 charon: 08[IKE] CHILD_SA host-host{1} > established with SPIs c3186b2f_i c0ed2141_o and TS 107.108.204.245/32 > === 107.108.204.246/32 > > Oct 17 15:38:19 infba02071 charon: 08[ENC] generating IKE_AUTH response > 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ] > > Oct 17 15:38:19 infba02071 charon: 08[NET] sending packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 15:38:20 infba02071 charon: 05[CFG] received stroke: initiate > 'host-host' > > Oct 17 15:38:20 infba02071 charon: 11[IKE] establishing CHILD_SA host-host > > Oct 17 15:38:20 infba02071 charon: 11[ENC] generating CREATE_CHILD_SA > request 0 [ SA No TSi TSr ] > > Oct 17 15:38:20 infba02071 charon: 11[NET] sending packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 15:38:24 infba02071 charon: 12[IKE] retransmit 1 of request with > message ID 0 > > Oct 17 15:38:24 infba02071 charon: 12[NET] sending packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 15:38:32 infba02071 charon: 13[IKE] retransmit 2 of request with > message ID 0 > > Oct 17 15:38:32 infba02071 charon: 13[NET] sending packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 15:38:45 infba02071 charon: 06[IKE] retransmit 3 of request with > message ID 0 > > Oct 17 15:38:45 infba02071 charon: 06[NET] sending packet: from > 107.108.204.245[500] to 107.108.204.246[500] > > Oct 17 15:38:49 infba02071 charon: 00[DMN] signal of type SIGINT > received. Shutting down > > > > Ipsec.secrets:= > > > > # /etc/ipsec.secrets - strongSwan IPsec secrets file > > > > : RSA venusKey.pem > > > > Regards, > > Jayateerth Hulgi It would be helpful if you wouldn't change your VPN setup every time you ask for support. It's like blundering without a torch light in the pitch-black dark! Andreas ====================================================================== Andreas Steffen [email protected] strongSwan - the Linux VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]== _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
