Hi all,

I'm trying to get a site-to-site VPN set up between two strongSwan Linux
systems. I can't get past the "no matching peer config found" message on Sun
(my datacenter). I've tried using the net-net IKEv2 config example in the
tests, as that is closest to what I am trying to do. Does anyone have any
suggestions? Below is detailed info on the setups. If anybody could help it
would be most appreciated.

Thanks in advance,
-Ed-
The way my setup looks is this:
Moon -> Firewall -> internet <- Sun
Here's the log entries during the connection attempts:
SUN
-------
Nov 21 23:31:55 firewall1 charon: 12[NET] received packet: from ***MOON
EXTERNAL IP***[65146] to ***SUN IP***[500]
Nov 21 23:31:55 firewall1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating
an IKE_SA
Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating
an IKE_SA
Nov 21 23:31:56 firewall1 charon: 12[IKE] remote host is behind NAT
Nov 21 23:31:56 firewall1 charon: 12[IKE] sending cert request for "***"
Nov 21 23:31:56 firewall1 charon: 12[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 21 23:31:56 firewall1 charon: 12[NET] sending packet: from ***SUN
IP***[500] to ***MOON EXTERNAL IP***[65146]
Nov 21 23:31:56 firewall1 charon: 04[NET] received packet: from ***MOON
EXTERNAL IP***[11060] to ***SUN IP***[4500]
Nov 21 23:31:56 firewall1 charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT
N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 21 23:31:56 firewall1 charon: 04[IKE] received end entity cert "***"
Nov 21 23:31:56 firewall1 charon: 04[CFG] looking for peer configs matching
***SUN IP***[SUN HOSTNAME]...***MOON IP***[***MOON DN ON CERTIFICATE***]
Nov 21 23:31:56 firewall1 charon: 04[CFG] no matching peer config found
Nov 21 23:31:56 firewall1 charon: 04[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Nov 21 23:31:56 firewall1 charon: 04[NET] sending packet: from ***SUN
IP***[4500] to ***MOON IP***[11060]
MOON
-------
Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to
***SUN IP***
Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to
***SUN IP***
Nov 21 16:43:54 linuxfw charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 21 16:43:54 linuxfw charon: 11[NET] sending packet: from ***MOON IP***[500]
to ***SUN IP***[500]
Nov 21 16:43:54 linuxfw charon: 14[NET] received packet: from ***SUN IP***[500]
to ***MOON IP***[500]
Nov 21 16:43:54 linuxfw charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 21 16:43:54 linuxfw charon: 14[IKE] local host is behind NAT, sending keep
alives
Nov 21 16:43:54 linuxfw charon: 14[IKE] received 1 cert requests for an unknown
ca
Nov 21 16:43:54 linuxfw charon: 14[IKE] authentication of '***MOON DN ON
CERTIFICATE***' (myself) with RSA signature successful
Nov 21 16:43:54 linuxfw charon: 14[IKE] sending end entity cert "***MOON DN ON
CERTIFICATE***"
Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
Nov 21 16:43:54 linuxfw charon: 14[ENC] generating IKE_AUTH request 1 [ IDi
CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 21 16:43:54 linuxfw charon: 14[NET] sending packet: from ***MOON
IP***[4500] to ***SUN IP***[4500]
Nov 21 16:43:54 linuxfw charon: 04[NET] received packet: from ***SUN
IP***[4500] to ***MOON IP***[4500]
Nov 21 16:43:54 linuxfw charon: 04[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Nov 21 16:43:54 linuxfw charon: 04[IKE] received AUTHENTICATION_FAILED notify
error
And ipsec.conf files
SUN
-------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        # strict is new
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn site-site
        # local side (Sun); with no leftid, the local identity defaults to
        # the subject DN of leftcert
        left=***SUN IP***
        leftsubnet=***SUN INTERNAL SUBNET***
        leftcert=***CERT FILE NAME***
        leftfirewall=yes
        # accept the peer from any address; it must present this identity (IDi)
        right=%any
        rightsubnet=***MOON INTERNAL SUBNET***
        rightid="***MOON DN ON CERTIFICATE***"
        auto=add
MOON
-------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        plutostart=no
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

# Sample VPN connections
conn site-site
        # local side (Moon, behind NAT)
        left=%defaultroute
        leftcert=***CERT FILE NAME***
        leftsubnet=***MOON INTERNAL SUBNET***
        leftfirewall=yes
        # peer address; with no rightid, this value is also sent as IDr
        right=***SUN FQDN***
        #[email protected]
        rightsubnet=***SUN INTERNAL SUBNET***
        auto=add
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
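The following is an added, illustrative configuration pair; it is not part of the original post and not strongSwan project code. It assumes the cause is the identity mismatch visible in Sun's log: the lookup line reads "looking for peer configs matching ***SUN IP***[SUN HOSTNAME]...", i.e. Moon sends the hostname from its right= as IDr (rightid defaults to right), while Sun, having leftcert and no leftid, identifies itself by its certificate's subject DN, so no conn matches. Pinning the same identity explicitly on both sides removes the ambiguity. The placeholders from the post are kept; ***SUN DN ON CERTIFICATE*** is an assumed placeholder for the subject DN of Sun's certificate, which the post does not show.

```ini
# Sun (responder, public IP) - conn section of /etc/ipsec.conf
conn site-site
        left=***SUN IP***
        # Explicit local identity: must equal the IDr that Moon sends.
        # Placeholder assumed here; use the real subject DN of leftcert.
        leftid="***SUN DN ON CERTIFICATE***"
        leftcert=***CERT FILE NAME***
        leftsubnet=***SUN INTERNAL SUBNET***
        leftfirewall=yes
        right=%any
        # Identity the peer must present (IDi), matched against its certificate
        rightid="***MOON DN ON CERTIFICATE***"
        rightsubnet=***MOON INTERNAL SUBNET***
        auto=add

# Moon (initiator, behind NAT) - conn section of /etc/ipsec.conf
conn site-site
        left=%defaultroute
        leftid="***MOON DN ON CERTIFICATE***"
        leftcert=***CERT FILE NAME***
        leftsubnet=***MOON INTERNAL SUBNET***
        leftfirewall=yes
        right=***SUN FQDN***
        # As posted, rightid was left unset (commented out), so the IDr sent was
        # the FQDN above. Pin it to Sun's certificate subject DN instead:
        rightid="***SUN DN ON CERTIFICATE***"
        rightsubnet=***SUN INTERNAL SUBNET***
        auto=add
```

To read the subject DN to put into leftid/rightid, run `openssl x509 -noout -subject -in /etc/ipsec.d/certs/<cert file>` on each host; after editing, `ipsec reload` and `ipsec statusall` show the identities charon actually loaded for each conn. Two caveats the log already points at: Moon reports "received 1 cert requests for an unknown ca", so Sun's issuing CA certificate is not in Moon's /etc/ipsec.d/cacerts/ and certificate verification of Sun would still fail once the identities line up (install the CA on both sides and run `ipsec rereadall`); and any certificate must carry the identity you configure, either as the subject DN or as a subjectAltName, or charon falls back to the subject DN and the mismatch returns.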