Thanks, that let me connect the two. One thing I found is that the public key of my SUN server needed to be in the /etc/ipsec.d/aacerts of MOON. Once that was done, I was able to send traffic. If I put the public key of the CA into the cacerts directory, would I need to keep the SUN cert on MOON?
-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Tuesday, November 22, 2011 1:06 AM
To: Edward Cooke
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Site to site vpn using certificates-no peer config in log files

Hello Ed,

on the moon side you must configure

    rightid="***SUN DN ON CERTIFICATE***"

Regards

Andreas

On 11/22/2011 07:59 AM, Edward Cooke wrote:
> Hi all,
>
> I'm trying to get a site-to-site VPN set up between two strongSwan Linux
> systems. I can't get past the "no matching peer config found" message on
> Sun (my datacenter). I've tried using the net-net ikev2 config example
> in the tests as that is closest to what I am trying to do. Does anyone
> have any suggestions? Below is detailed info on the setups. If anybody
> could help it would be most appreciated.
>
> Thanks in advance,
>
> -Ed-
>
> The way my setup looks is this:
>
> Moon -> Firewall -> internet <- Sun
>
> Here are the log entries during the connection attempts:
>
> SUN
> -------
> Nov 21 23:31:55 firewall1 charon: 12[NET] received packet: from ***MOON EXTERNAL IP***[65146] to ***SUN IP***[500]
> Nov 21 23:31:55 firewall1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating an IKE_SA
> Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating an IKE_SA
> Nov 21 23:31:56 firewall1 charon: 12[IKE] remote host is behind NAT
> Nov 21 23:31:56 firewall1 charon: 12[IKE] sending cert request for "***"
> Nov 21 23:31:56 firewall1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Nov 21 23:31:56 firewall1 charon: 12[NET] sending packet: from ***SUN IP***[500] to ***MOON EXTERNAL IP***[65146]
> Nov 21 23:31:56 firewall1 charon: 04[NET] received packet: from ***MOON EXTERNAL IP***[11060] to ***SUN IP***[4500]
> Nov 21 23:31:56 firewall1 charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Nov 21 23:31:56 firewall1 charon: 04[IKE] received end entity cert "***"
> Nov 21 23:31:56 firewall1 charon: 04[CFG] looking for peer configs matching ***SUN IP***[SUN HOSTNAME]...***MOON IP***[***MOON DN ON CERTIFICATE***]
> Nov 21 23:31:56 firewall1 charon: 04[CFG] no matching peer config found
> Nov 21 23:31:56 firewall1 charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 21 23:31:56 firewall1 charon: 04[NET] sending packet: from ***SUN IP***[4500] to ***MOON IP***[11060]
>
> MOON
> -------
> Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to ***SUN IP***
> Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to ***SUN IP***
> Nov 21 16:43:54 linuxfw charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 21 16:43:54 linuxfw charon: 11[NET] sending packet: from ***MOON IP***[500] to ***SUN IP***[500]
> Nov 21 16:43:54 linuxfw charon: 14[NET] received packet: from ***SUN IP***[500] to ***MOON IP***[500]
> Nov 21 16:43:54 linuxfw charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Nov 21 16:43:54 linuxfw charon: 14[IKE] local host is behind NAT, sending keep alives
> Nov 21 16:43:54 linuxfw charon: 14[IKE] received 1 cert requests for an unknown ca
> Nov 21 16:43:54 linuxfw charon: 14[IKE] authentication of '***MOON DN ON CERTIFICATE***' (myself) with RSA signature successful
> Nov 21 16:43:54 linuxfw charon: 14[IKE] sending end entity cert "***MOON DN ON CERTIFICATE***"
> Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
> Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
> Nov 21 16:43:54 linuxfw charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Nov 21 16:43:54 linuxfw charon: 14[NET] sending packet: from ***MOON IP***[4500] to ***SUN IP***[4500]
> Nov 21 16:43:54 linuxfw charon: 04[NET] received packet: from ***SUN IP***[4500] to ***MOON IP***[4500]
> Nov 21 16:43:54 linuxfw charon: 04[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 21 16:43:54 linuxfw charon: 04[IKE] received AUTHENTICATION_FAILED notify error
>
> And ipsec.conf files
>
> SUN
> -------
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         #strict is new
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
>
> conn site-site
>         left=***SUN IP***
>         leftsubnet=***SUN INTERNAL SUBNET***
>         leftcert=***CERT FILE NAME***
>         leftfirewall=yes
>         right=%any
>         rightsubnet=***MOON INTERNAL SUBNET***
>         rightid="***MOON DN ON CERTIFICATE***"
>         auto=add
>
> MOON
> -------
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         plutostart=no
>         strictcrlpolicy=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
>
> # Sample VPN connections
>
> conn site-site
>         left=%defaultroute
>         leftcert=***CERT FILE NAME***
>         leftsubnet=***MOON INTERNAL SUBNET***
>         leftfirewall=yes
>         right=***SUN FQDN***
>         #rightid=@vpn.frakkingsweet.com
>         rightsubnet=***SUN INTERNAL SUBNET***
>         auto=add
>
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
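The following is an added example, not code from strongSwan or from anyone in this thread. It models, in simplified form, the identity check behind the "looking for peer configs matching A[IDr]...B[IDi]" / "no matching peer config found" lines SUN logged above, and shows why the IDr that MOON sends changes once rightid is set to SUN's certificate DN. Everything in it is constructed: the DNs, the RFC 5737 addresses and the rebuilt log line are placeholders, and the matching rules (leftid defaulting to the subject of leftcert, rightid defaulting to the value of right, %any matching anything, identities compared as plain strings) are stated assumptions that approximate charon's behaviour rather than its actual peer-config selection code.

```python
"""Added example (not strongSwan code): why a responder can log
"no matching peer config found" for a site-to-site conn.

Simplified model: the IDr the initiator asks for must equal the conn's
local identity, and the IDi the initiator presents must equal the conn's
remote identity.  Assumptions (not from the thread): with leftid unset the
local id is the subject DN of leftcert; with rightid unset the remote id
is whatever 'right' holds; '%any' matches anything; ids are compared as
plain strings.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Recognises the CFG line charon prints while selecting a peer config, e.g.
#   looking for peer configs matching 192.0.2.1[sun.example.org]...198.51.100.7[C=CH, ...]
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<laddr>[^\s\[]+)\[(?P<lid>[^\]]*)\]\.\.\."
    r"(?P<raddr>[^\s\[]+)\[(?P<rid>[^\]]*)\]"
)

# Constructed placeholders: documentation addresses and made-up DNs.
SUN_IP, MOON_IP = "192.0.2.1", "198.51.100.7"
SUN_DN = "C=CH, O=strongSwan, CN=sun.example.org"
MOON_DN = "C=CH, O=strongSwan, CN=moon.example.org"


@dataclass
class Conn:
    """The subset of an ipsec.conf conn section that drives peer selection."""
    name: str
    left: str
    right: str
    leftcert_subject: Optional[str] = None  # subject DN of the cert in leftcert
    leftid: Optional[str] = None
    rightid: Optional[str] = None

    def local_id(self) -> str:
        # Assumption: explicit leftid, else the cert subject, else the address.
        return self.leftid or self.leftcert_subject or self.left

    def remote_id(self) -> str:
        # Assumption: with rightid unset the peer is expected to be 'right'.
        return self.rightid.strip('"') if self.rightid else self.right


def parse_peer_cfg_line(line: str) -> dict:
    """Extract local/remote address and id from the charon CFG line."""
    m = PEER_CFG_RE.search(line)
    if not m:
        raise ValueError("not a 'looking for peer configs' line")
    return m.groupdict()


def mismatches(conn: Conn, ids: dict) -> list:
    """Reasons why conn does not match the identities taken from the log."""
    problems = []
    if conn.left not in ("%any", "%defaultroute", ids["laddr"]):
        problems.append(f"local address {ids['laddr']} != left={conn.left}")
    if conn.right != "%any" and conn.right != ids["raddr"]:
        problems.append(f"remote address {ids['raddr']} != right={conn.right}")
    if ids["lid"] != "%any" and ids["lid"] != conn.local_id():
        problems.append(f"peer asked for IDr {ids['lid']!r}, "
                        f"conn's local id is {conn.local_id()!r}")
    if ids["rid"] != conn.remote_id():
        problems.append(f"peer presented IDi {ids['rid']!r}, "
                        f"conn expects {conn.remote_id()!r}")
    return problems


def responder_cfg_line(responder_addr: str, initiator_addr: str,
                       idr: str, idi: str) -> str:
    """Constructed log line in the format SUN printed in the thread."""
    return (f"charon: 04[CFG] looking for peer configs matching "
            f"{responder_addr}[{idr}]...{initiator_addr}[{idi}]")


def sun_conn() -> Conn:
    # Mirrors SUN's posted conn: right=%any, rightid = MOON's DN.
    return Conn("site-site", left=SUN_IP, right="%any",
                leftcert_subject=SUN_DN, rightid=f'"{MOON_DN}"')


def moon_conn(rightid: Optional[str]) -> Conn:
    # Mirrors MOON's posted conn: right is SUN's FQDN, rightid optional.
    return Conn("site-site", left="%defaultroute", right="sun.example.org",
                leftcert_subject=MOON_DN, rightid=rightid)


def diagnose(moon: Conn, sun: Conn) -> list:
    """Simulate MOON's IKE_AUTH identities and check them against SUN's conn."""
    idr = moon.remote_id()   # what MOON asks SUN to be
    idi = moon.local_id()    # what MOON's own certificate says it is
    line = responder_cfg_line(SUN_IP, MOON_IP, idr, idi)
    return mismatches(sun, parse_peer_cfg_line(line))


if __name__ == "__main__":
    # As posted: rightid commented out on MOON, so IDr is the FQDN from 'right'.
    for p in diagnose(moon_conn(None), sun_conn()):
        print("broken:", p)
    # As advised: rightid on MOON set to the DN in SUN's certificate.
    print("fixed:", diagnose(moon_conn(f'"{SUN_DN}"'), sun_conn()) or "match")
```

With rightid unset, diagnose() reports one mismatch: MOON asks for IDr "sun.example.org" while SUN's local id (taken from its certificate subject) is the full DN, which is the same shape as the [SUN HOSTNAME] versus DN pair in SUN's log. Setting rightid on MOON to the DN makes the two sides agree, and the function returns an empty list.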