This is our configuration - SEG <IPSEC TUNNEL> ENodeB
The eNodeB is the initiator. The eNodeB must know in advance the attributes that it will receive in the certificate of the SEG in the name of the SEG. I have been able to get the authentication working only by specifying rightid="O=*, CN=*" (attributes in the certificate of the SEG) on the eNodeB.

If we set the rightid as "C=*, O=*, OU=*, CN=*":

  initiating IKE_SA 30[3] to 172.21.11.181
  generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
  sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
  received packet: from 172.21.11.181[500] to 172.21.11.21[500]
  parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
  received cert request for "O=Alcatel, CN=CMS"
  sending cert request for "O=Alcatel, CN=CMS"
  authentication of 'O=Alcatel, CN=123456.CMS1' (myself) with RSA signature successful
  sending end entity cert "O=Alcatel, CN=123456.CMS1"
  sending issuer cert "O=Alcatel, CN=CMS1"
  establishing CHILD_SA 30
  generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
  sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
  received packet: from 172.21.11.181[500] to 172.21.11.21[500]
  parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]
  received end entity cert "O=Alcatel, [email protected]"
  using certificate "O=Alcatel, [email protected]"
  using trusted ca certificate "O=Alcatel, CN=CMS"
  checking certificate status of "O=Alcatel, [email protected]"
  certificate status is not available
  reached self-signed root ca with a path length of 0
  authentication of 'O=Alcatel, [email protected]' with RSA signature successful
  constraint check failed: identity 'C=*, O=*, OU=*, CN=*' required
  selected peer config '30' inacceptable
  no alternative config found

Without specifying the rightid, I get an authentication failure:

  initiating IKE_SA 30[8] to 172.21.11.181
  generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
  sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
  received packet: from 172.21.11.181[500] to 172.21.11.21[500]
  parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
  received cert request for "O=Alcatel, CN=CMS"
  sending cert request for "O=Alcatel, CN=CMS"
  authentication of 'O=Alcatel, CN=123456.CMS1' (myself) with RSA signature successful
  sending end entity cert "O=Alcatel, CN=123456.CMS1"
  sending issuer cert "O=Alcatel, CN=CMS1"
  establishing CHILD_SA 30
  generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
  sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
  received packet: from 172.21.11.181[500] to 172.21.11.21[500]
  parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
  received AUTHENTICATION_FAILED notify error

I would like to understand the purpose of leftid and rightid. Why do we need to specify them?

Regards,
Lakshmi
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
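The constraint check in the first log above is an identity match: leftid is the identity the eNodeB asserts in IDi and must be backed by its own certificate, rightid is the identity the eNodeB requires the SEG to prove with the IDr and certificate it sends back. The following is an added example, not strongSwan's code and not part of the original post: it reimplements the RDN-by-RDN wildcard comparison that charon applies when a rightid such as "O=*, CN=*" is matched against the subject DN of the peer certificate, and shows why a template with more attributes than the certificate carries ("C=*, O=*, OU=*, CN=*") can never match a two-RDN subject. The DNs are constructed from those visible in the log; the SEG's second RDN is redacted in the post, so CN=seg1 is a placeholder. The fallback to the peer address when rightid is unset is the ipsec.conf default assumed here; an address-type identity never matches a DN-type one.

```python
"""Identity matching as strongSwan applies it to leftid/rightid (example reimplementation)."""
from __future__ import annotations

import ipaddress


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split "O=Alcatel, CN=CMS" into [("O", "Alcatel"), ("CN", "CMS")].

    Only the plain comma-separated form written in ipsec.conf is handled;
    escaped commas inside values are out of scope for this example.
    """
    rdns: list[tuple[str, str]] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def identity_type(identity: str) -> str:
    """Classify an identity string: an IP literal is an address ID,
    anything containing '=' is a DN, the rest is treated as an FQDN."""
    try:
        ipaddress.ip_address(identity)
        return "ADDR"
    except ValueError:
        pass
    return "DN" if "=" in identity else "FQDN"


def dn_matches(required: str, subject: str) -> bool:
    """RDN-by-RDN wildcard comparison, modelled on strongSwan's DN matching.

    * RDNs are compared pairwise, in order;
    * the attribute type must be identical at every position;
    * a value of "*" matches any value, any other value must be equal;
    * both DNs must have the same number of RDNs, so a template that lists
      an attribute the certificate lacks (C= or OU= here) never matches.
    """
    req, sub = parse_dn(required), parse_dn(subject)
    if len(req) != len(sub):
        return False
    for (req_attr, req_val), (sub_attr, sub_val) in zip(req, sub):
        if req_attr != sub_attr:
            return False
        if req_val != "*" and req_val != sub_val:
            return False
    return True


def check_constraint(rightid: str | None, peer_subject: str, peer_addr: str) -> str:
    """Return a charon-style verdict for the identity the peer presented.

    With rightid unset the configured identity falls back to the peer
    address (assumed ipsec.conf default), which is an address-type ID and
    therefore cannot match a DN-type peer identity.
    """
    required = rightid if rightid is not None else peer_addr
    if identity_type(required) != identity_type(peer_subject):
        return f"constraint check failed: identity '{required}' required (ID type mismatch)"
    if identity_type(required) == "DN":
        ok = dn_matches(required, peer_subject)
    else:
        ok = required == peer_subject
    if not ok:
        return f"constraint check failed: identity '{required}' required"
    return f"identity '{required}' matched '{peer_subject}'"


# Constructed sample data based on the DNs visible in the post; the SEG's
# second RDN is redacted there, so CN=seg1 is a placeholder value.
ENODEB_SUBJECT = "O=Alcatel, CN=123456.CMS1"
SEG_SUBJECT = "O=Alcatel, CN=seg1"
SEG_ADDR = "172.21.11.181"


if __name__ == "__main__":
    for rightid in ("O=*, CN=*", "C=*, O=*, OU=*, CN=*", "O=Alcatel, CN=*", None):
        print(f"rightid={rightid!r}: {check_constraint(rightid, SEG_SUBJECT, SEG_ADDR)}")
```

Run it as-is to see the three outcomes side by side; the practical takeaway is that the wildcard DN must mirror the exact attribute sequence of the peer certificate's subject, so "O=*, CN=*" is the loosest template that can match a subject of the form "O=..., CN=...", and the strongest one is to pin the non-wildcard values you actually expect (for example "O=Alcatel, CN=*").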
