I have attached gdb to the charon process and set a breakpoint at the function
load_cfg_candidates() to debug this issue. However, when I execute
"ipsec up net-net" on SUN, the breakpoint I set on MOON is never hit.
Apparently, when I ran nm on libcharon.so, I do not see the symbol
load_cfg_candidates(). Does anybody know what is happening here?

Regards,
Nagaraj

[root@moon ~]# ldd /usr/local/libexec/ipsec/charon
        linux-gate.so.1 =>  (0x00110000)
        libstrongswan.so.0 => /usr/local/lib/ipsec/libstrongswan.so.0 (0x00111000)
        libhydra.so.0 => /usr/local/lib/ipsec/libhydra.so.0 (0x00141000)
        libcharon.so.0 => /usr/local/lib/ipsec/libcharon.so.0 (0x00146000)
        libm.so.6 => /lib/libm.so.6 (0x005a8000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x005da000)
        libdl.so.2 => /lib/libdl.so.2 (0x005d3000)
        libc.so.6 => /lib/libc.so.6 (0x0044d000)
        librt.so.1 => /lib/librt.so.1 (0x006d5000)
        /lib/ld-linux.so.2 (0x0042e000)
[root@moon ~]#

[root@moon etc]# ps aux | grep charon
root     29547  0.0  0.1 168148  1872 ?        Ssl  19:14   0:00 /usr/local/libexec/ipsec/charon --use-syslog
root     29566  0.0  0.0   4044   680 pts/2    S+   19:14   0:00 grep charon
[root@moon etc]# gdb attach 29547
GNU gdb Red Hat Linux (6.6-35.fc8rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
attach: No such file or directory.
Attaching to process 29547
Reading symbols from /usr/local/libexec/ipsec/charon...done.
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /usr/local/lib/ipsec/libstrongswan.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libstrongswan.so.0
Reading symbols from /usr/local/lib/ipsec/libhydra.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libhydra.so.0
Reading symbols from /usr/local/lib/ipsec/libcharon.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libcharon.so.0
Reading symbols from /lib/libm.so.6...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/92/8ab51a53627c59877a85dd9afecc1619ca866c.debug
done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libpthread.so.0...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/6c/1cdbb38ae2a292613c8c31195417ee80ea7e1e.debug
done.
[Thread debugging using libthread_db enabled]
[New Thread -1208505760 (LWP 29547)]
[New Thread -1365857392 (LWP 29563)]
[New Thread -1355367536 (LWP 29562)]
[New Thread -1344877680 (LWP 29561)]
[New Thread -1334387824 (LWP 29560)]
[New Thread -1323897968 (LWP 29559)]
[New Thread -1313408112 (LWP 29558)]
[New Thread -1302918256 (LWP 29557)]
[New Thread -1292428400 (LWP 29556)]
[New Thread -1281938544 (LWP 29555)]
[New Thread -1271448688 (LWP 29554)]
[New Thread -1260958832 (LWP 29553)]
[New Thread -1250468976 (LWP 29552)]
[New Thread -1239979120 (LWP 29551)]
[New Thread -1229489264 (LWP 29550)]
[New Thread -1218999408 (LWP 29549)]
[New Thread -1208509552 (LWP 29548)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/db/a292aff9720bfc3f25c53fa8e469168460a894.debug
done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/ba/4ea1118691c826426e9410cafb798f25cefad5.debug
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/librt.so.1...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/e3/3448de964a5ca97b70edbdcea227c6ea5d3657.debug
done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/ld-linux.so.2...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/ac/2eeb206486bb7315d6ac4cd64de0cb50838ff6.debug
done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-aes.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-aes.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-des.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-des.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-md5.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-md5.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-pem.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-pem.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-pkcs1.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-pkcs1.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-gmp.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-gmp.so
Reading symbols from /usr/lib/sse2/libgmp.so.3...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/37/55d27c6449d134914657849fa2365db4001a93.debug
done.
Loaded symbols for /usr/lib/sse2/libgmp.so.3
Reading symbols from
/usr/local/lib/ipsec/plugins/libstrongswan-random.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-random.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-x509.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-x509.so
Reading symbols from
/usr/local/lib/ipsec/plugins/libstrongswan-revocation.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-revocation.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-hmac.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-hmac.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-xcbc.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-xcbc.so
Reading symbols from
/usr/local/lib/ipsec/plugins/libstrongswan-stroke.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-stroke.so
Reading symbols from
/usr/local/lib/ipsec/plugins/libstrongswan-kernel-netlink.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
Reading symbols from
/usr/local/lib/ipsec/plugins/libstrongswan-socket-default.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-socket-default.so
Reading symbols from
/usr/local/lib/ipsec/plugins/libstrongswan-updown.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-updown.so
0x00110402 in __kernel_vsyscall ()
(gdb) b load_cfg_candidates
Function "load_cfg_candidates" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y

Breakpoint 1 (load_cfg_candidates) pending.
(gdb) c
Continuing.

On Thu, May 24, 2012 at 7:23 PM, nagaraj <[email protected]> wrote:
> IKE_AUTH fails when I try to bring up net-net connection. I have
> attached config files, certs for MOON and SUN below. I see that error
> message is coming from the function load_cfg_candidates in
> src/libcharon/sa/tasks/ike_auth.c. I have used the setup and configs
> indicated at the following link
> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/. Please
> let me know why it is throwing the error message "no matching peer
> config found". Any help is appreciated.
>
> Thanks,
> Nagaraj
>
> config files on MOON:
> ipsec.conf
> =========
> config setup
>        crlcheckinterval=180
>        strictcrlpolicy=no
>        plutostart=no
>
> conn %default
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=1
>        keyexchange=ikev2
>        mobike=no
>
> conn net-net
>        left=192.167.21.1
>        leftcert=moonCert.pem
>        leftid=@localhost
>        leftsubnet=192.167.2.0/24
>        leftfirewall=no
>        right=192.167.21.2
>        rightid=@localhost
>        rightsubnet=192.167.1.0/24
>        auto=add
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> : RSA moonKey.pem "testing"
>
> # /etc/strongswan.conf - strongSwan configuration file
>
> charon {
>  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
>  multiple_authentication = no
> }
>
> [root@moon certs]# openssl x509 -in moonCert.pem -noout -text
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 44 (0x2c)
>        Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate
> Master/[email protected]
>        Validity
>            Not Before: May 24 23:37:15 2012 GMT
>            Not After : May 24 23:37:15 2014 GMT
>        Subject: C=SG, ST=CA, O=DemoCA,
> CN=localhost/[email protected]
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (1024 bit)
>                Modulus (1024 bit):
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                E0:C3:F6:51:C6:B2:81:B2:55:51:11:E3:24:77:CD:6D:CC:C0:DE:D3
>            X509v3 Authority Key Identifier:
>
> keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>
>    Signature Algorithm: sha1WithRSAEncryption
> [root@moon certs]#
>
> config files on SUN:
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>        crlcheckinterval=180
>        strictcrlpolicy=no
>        plutostart=no
>
> conn %default
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=1
>        keyexchange=ikev2
>        mobike=no
>
> conn net-net
>        left=192.167.21.2
>        leftcert=sunCert.pem
>        leftid=@localhost
>        leftsubnet=192.167.1.0/24
>        leftfirewall=no
>        right=192.167.21.1
>        rightid=@localhost
>        rightsubnet=192.167.2.0/24
>        auto=add
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> : RSA sunKey.pem "testing"
>
> # /etc/strongswan.conf - strongSwan configuration file
>
> charon {
>  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
>  multiple_authentication = no
> }
>
> root@sun:/etc/ipsec.d/certs# openssl x509 -in sunCert.pem -noout -text
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 44 (0x2c)
>        Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate
> Master/[email protected]
>        Validity
>            Not Before: May 25 00:16:10 2012 GMT
>            Not After : May 25 00:16:10 2014 GMT
>        Subject: C=SG, ST=CA, O=DemoCA,
> CN=localhost/[email protected]
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (1024 bit)
>                Modulus (1024 bit):
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Subject Alternative Name:
>                DNS:sun.a10networks.com
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                A4:86:07:B5:12:84:5C:AC:2E:86:DE:63:E1:27:BE:A4:8B:4D:6C:3B
>            X509v3 Authority Key Identifier:
>
> keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>
>    Signature Algorithm: sha1WithRSAEncryption
> root@sun:/etc/ipsec.d/certs#
>
> CA Certificate
> ===========
> root@sun:/etc/ipsec.d/cacerts# openssl x509 -in strongswanCert.pem -noout -text
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number:
>            ad:86:88:ea:13:7f:c2:85
>        Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate
> Master/[email protected]
>        Validity
>            Not Before: May 24 23:17:55 2012 GMT
>            Not After : May 23 23:17:55 2016 GMT
>        Subject: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate
> Master/[email protected]
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (2048 bit)
>                Modulus (2048 bit):
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Subject Key Identifier:
>                A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>            X509v3 Authority Key Identifier:
>
> keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>                DirName:/C=SG/ST=CA/O=DemoCA/CN=DemoCA Certificate
> Master/[email protected]
>                serial:AD:86:88:EA:13:7F:C2:85
>
>            X509v3 Basic Constraints:
>                CA:TRUE
>    Signature Algorithm: sha1WithRSAEncryption
> root@sun:/etc/ipsec.d/cacerts#
> HostA------------MOON==============SUN---------------HostB
>
> HostA:
>   ipaddress: 192.167.2.2/24
>
> MOON:
>   ipaddress
>      eth0: 192.167.2.180/24
>      eth1: 192.167.21.1/24
> SUN:
>   ipaddress
>      eth1: 192.167.21.2/24
>      eth0: 192.167.1.180/24
>
> HostB:
>   ipaddress 192.167.1.69/24
>
> [root@moon etc]# ipsec up net-net
> initiating IKE_SA net-net[1] to 192.167.21.2
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.167.21.1[500] to 192.167.21.2[500]
> received packet: from 192.167.21.2[500] to 192.167.21.1[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA
> Certificate Master, [email protected]"
> sending cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate
> Master, [email protected]"
> authentication of 'C=SG, ST=CA, O=DemoCA, CN=localhost,
> [email protected]' (myself) with RSA signature successful
> sending end entity cert "C=SG, ST=CA, O=DemoCA, CN=localhost,
> [email protected]"
> establishing CHILD_SA net-net
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
> AUTH SA TSi TSr N(EAP_ONLY) ]
> sending packet: from 192.167.21.1[500] to 192.167.21.2[500]
> received packet: from 192.167.21.2[500] to 192.167.21.1[500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> [root@moon etc]#
>
> root@sun:tail -f /var/log/daemon.log
> May 25 00:54:19 gateway2 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.6.3)
> May 25 00:54:19 gateway2 charon: 00[LIB] plugin 'curl' failed to load:
> /usr/local/lib/ipsec/plugins/libstrongswan-curl.so: cannot open shared
> object file: No such file or directory
> May 25 00:54:19 gateway2 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> May 25 00:54:19 gateway2 charon: 00[CFG]   loaded ca certificate
> "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master,
> [email protected]" from
> '/etc/ipsec.d/cacerts/strongswanCert.pem'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> May 25 00:54:19 gateway2 charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/sunKey.pem'
> May 25 00:54:19 gateway2 charon: 00[KNL] listening on interfaces:
> May 25 00:54:19 gateway2 charon: 00[KNL]   eth1
> May 25 00:54:19 gateway2 charon: 00[KNL]     192.167.21.2
> May 25 00:54:19 gateway2 charon: 00[KNL]     fe80::222:3fff:fef2:2e3
> May 25 00:54:19 gateway2 charon: 00[KNL]   eth0
> May 25 00:54:19 gateway2 charon: 00[KNL]     192.167.1.180
> May 25 00:54:19 gateway2 charon: 00[KNL]     fe80::212:3fff:fea5:fd63
> May 25 00:54:19 gateway2 charon: 00[DMN] loaded plugins: aes des sha1
> sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke
> kernel-netlink socket-default updown
> May 25 00:54:19 gateway2 charon: 00[JOB] spawning 16 worker threads
> May 25 00:54:19 gateway2 charon: 08[CFG] received stroke: add
> connection 'net-net'
> May 25 00:54:19 gateway2 charon: 08[CFG]   loaded certificate "C=SG,
> ST=CA, O=DemoCA, CN=localhost, [email protected]" from
> 'sunCert.pem'
> May 25 00:54:19 gateway2 charon: 08[CFG]   id 'localhost' not
> confirmed by certificate, defaulting to 'C=SG, ST=CA, O=DemoCA,
> CN=localhost, [email protected]'
> May 25 00:54:19 gateway2 charon: 08[CFG] added configuration 'net-net'
> May 25 00:54:41 gateway2 charon: 09[NET] received packet: from
> 192.167.21.1[500] to 192.167.21.2[500]
> May 25 00:54:41 gateway2 charon: 09[ENC] parsed IKE_SA_INIT request 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May 25 00:54:41 gateway2 charon: 09[IKE] 192.167.21.1 is initiating an IKE_SA
> May 25 00:54:41 gateway2 charon: 09[IKE] sending cert request for
> "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master,
> [email protected]"
> May 25 00:54:41 gateway2 charon: 09[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> May 25 00:54:41 gateway2 charon: 09[NET] sending packet: from
> 192.167.21.2[500] to 192.167.21.1[500]
> May 25 00:54:41 gateway2 charon: 10[NET] received packet: from
> 192.167.21.1[500] to 192.167.21.2[500]
> May 25 00:54:41 gateway2 charon: 10[ENC] parsed IKE_AUTH request 1 [
> IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> May 25 00:54:41 gateway2 charon: 10[IKE] received cert request for
> "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master,
> [email protected]"
> May 25 00:54:41 gateway2 charon: 10[IKE] received end entity cert
> "C=SG, ST=CA, O=DemoCA, CN=localhost, [email protected]"
> May 25 00:54:41 gateway2 charon: 10[CFG] looking for peer configs
> matching 192.167.21.2[localhost]...192.167.21.1[C=SG, ST=CA, O=DemoCA,
> CN=localhost, [email protected]]
> May 25 00:54:41 gateway2 charon: 10[CFG] no matching peer config found
> May 25 00:54:41 gateway2 charon: 10[ENC] generating IKE_AUTH response
> 1 [ N(AUTH_FAILED) ]
> May 25 00:54:41 gateway2 charon: 10[NET] sending packet: from
> 192.167.21.2[500] to 192.167.21.1[500]
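
One way to triage the SUN log quoted above, as an added example (not part of the original post and not strongSwan code): it pairs each "no matching peer config found" line with the lookup logged just before it on the same thread and lists which of left, leftid, right and rightid in ipsec.conf differ from the values charon reports. It assumes the lookup compares exactly those four values and that the "not confirmed by certificate, defaulting to" line replaces the connection's local ID; the inputs are constructed from the quoted excerpts, with a placeholder for the redacted e-mail RDN.

```python
import re

# Constructed inputs modelled on the SUN excerpts quoted above: wrapped syslog
# lines are rejoined and the redacted e-mail RDN is a placeholder.
DN = "C=SG, ST=CA, O=DemoCA, CN=localhost, E=placeholder@example.invalid"
SAMPLE_CONF = """\
conn %default
       keyexchange=ikev2
conn net-net
       left=192.167.21.2
       leftid=@localhost
       right=192.167.21.1
       rightid=@localhost
       auto=add
"""
SAMPLE_LOG = f"""\
May 25 00:54:19 gateway2 charon: 08[CFG] received stroke: add connection 'net-net'
May 25 00:54:19 gateway2 charon: 08[CFG]   id 'localhost' not confirmed by certificate, defaulting to '{DN}'
May 25 00:54:19 gateway2 charon: 08[CFG] added configuration 'net-net'
May 25 00:54:41 gateway2 charon: 10[CFG] looking for peer configs matching 192.167.21.2[localhost]...192.167.21.1[{DN}]
May 25 00:54:41 gateway2 charon: 10[CFG] no matching peer config found
"""

CFG_LINE = re.compile(r"charon: (\d+)\[CFG\]\s+(.*)$")
ADD_CONN = re.compile(r"received stroke: add connection '(.+)'")
FALLBACK = re.compile(r"id '(.+?)' not confirmed by certificate, defaulting to '(.+)'")
LOOKUP = re.compile(r"looking for peer configs matching "
                    r"([^\[\s]+)\[(.*?)\]\.\.\.([^\[\s]+)\[(.*)\]")


def parse_conns(conf):
    """Return {conn name: {key: value}} from ipsec.conf text (conn sections only)."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line: section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().lstrip("@")   # '@' marks an FQDN ID
    return conns


def diagnose(conf, log):
    """Pair each failed lookup with the per-connection fields that disagree."""
    conns = parse_conns(conf)
    adding, pending, findings = {}, {}, []
    for line in log.splitlines():
        m = CFG_LINE.search(line)
        if not m:
            continue
        thread, msg = m.groups()
        if (a := ADD_CONN.search(msg)):
            adding[thread] = a.group(1)           # conn this thread is loading
        elif (f := FALLBACK.search(msg)) and adding.get(thread) in conns:
            conns[adding[thread]]["leftid"] = f.group(2)   # assumed effective local ID
        elif (q := LOOKUP.search(msg)):
            pending[thread] = dict(zip(("left", "leftid", "right", "rightid"), q.groups()))
        elif msg.startswith("no matching peer config found") and thread in pending:
            seen = pending.pop(thread)
            for name, conn in conns.items():
                if name == "%default":
                    continue
                # (field, configured value, value seen in the lookup); %any is a wildcard
                diffs = [(k, conn.get(k, "%any"), v) for k, v in seen.items()
                         if conn.get(k, "%any") not in ("%any", v)]
                findings.append({"conn": name, "mismatches": diffs})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```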
