I have installed strongSwan 4.5.2 on Mandriva Linux 2011 and we connect to a Juniper VPN server. When my /etc/ipsec.secrets contains

    RSA <USERACCOUNT>Key.pem "<password>"

everything is OK and the VPN connection is established, but when I change it to

    RSA <USERACCOUNT>Key.pem %prompt

in /etc/ipsec.secrets and start IPsec with the ipsec start command, the connection is not established and my log file is as below:
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] listening on interfaces:
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] eth0
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] 192.168.1.183
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] fe80::221:70ff:fea7:55ea
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loaded ca certificate "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5" from '/etc/ipsec.d/cacerts/VeriRootCA.pem'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loaded ca certificate "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3" from '/etc/ipsec.d/cacerts/VeriIssueCA.pem'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[DMN] loaded plugins: ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[JOB] spawning 16 worker threads
Nov 6 17:32:32 wthr-lm9-p0106 charon: 03[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] received stroke: add connection 'thrghazas'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] left nor right host is our side, assuming left=local
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] loaded certificate "DC=com, DC=XXX, DC=CORP, OU=MandrivaUser, OU=YYYY, CN=thrghazas" from 'thrghazasCert.pem'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] added configuration 'thrghazas'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[CFG] received stroke: initiate 'thrghazas'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[IKE] initiating IKE_SA thrghazas[1] to A.B.C.D
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[NET] sending packet: from 192.168.1.183[500] to A.B.C.D[500]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[NET] received packet: from A.B.C.D[500] to 192.168.1.183[500]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) ]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] local host is behind NAT, sending keep alives
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] remote host is behind NAT
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] received 2 cert requests for an unknown ca
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3"
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] no private key found for 'DC=com, DC=XXX, DC=CORP, OU=MandrivaUser, OU=Iran, CN=thrghazas'

After that I ran ipsec secrets and got the following prompt:

wthr-lm9-p0106 charon: 05[CFG] rereading secrets
wthr-lm9-p0106 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
wthr-lm9-p0106 charon: 05[CFG] loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'

and the following lines were added to the log file:

Nov 6 17:32:37 wthr-lm9-p0106 charon: 11[CFG] rereading secrets
Nov 6 17:32:37 wthr-lm9-p0106 charon: 11[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 6 17:32:52 wthr-lm9-p0106 charon: 11[CFG] loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'

and nothing else in the log file (no error, but no VPN connection). At that time, the log on the Juniper VPN server is as below:

Info NWC23465 2012-11-06 13:39:42 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: Session ended for user with IP 10.84.255.160
Info ERR24670 2012-11-06 13:39:42 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: ACL count = 0.
Info NWC23508 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - Key Exchange number 1 occured for user with NCIP 10.84.255.160
Info NWC30477 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: User with IP 10.84.255.160 connected with ESP transport mode.
Info NWC23464 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: Session started for user with IP 10.84.255.160, hostname
Info ERR24670 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: ACL count = 25.
Info AUT24326 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[] - Primary authentication successful for thrghazas/XXX-CERT-SN from 188.245.200.84
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
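The charon log above shows the order of events that matters with %prompt: the connection is initiated at daemon start, before any passphrase could be entered, so it fails with "no private key found"; ipsec secrets then loads the key but nothing re-initiates the connection. The script below is an added example, not from the poster or from the strongSwan project; it assumes the strongSwan 4.x ipsec wrapper (ipsec secrets, ipsec up) and the connection name thrghazas from the post, and the helper names key_loaded_before_initiate and prompt_then_up are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes strongSwan 4.x's
# "ipsec" wrapper and a connection named thrghazas, as in the post.
# With "RSA thrghazasKey.pem %prompt" the key is not available when the
# daemon starts (nobody can type the passphrase yet), so a connection
# initiated at startup runs with no private key. "ipsec secrets" loads
# the key afterwards but does not retry the initiation, so the
# connection has to be brought up again explicitly.

CONN="${CONN:-thrghazas}"

# Inspect a charon log: return 0 if the private key was loaded before
# the first IKE_SA initiation, 1 if the initiation happened without a
# key (the failure mode in the post), 2 if neither event is present.
key_loaded_before_initiate() {
    chlog="$1"
    init=$(grep -n "initiating IKE_SA" "$chlog" | head -n1 | cut -d: -f1)
    key=$(grep -n "loaded RSA private key" "$chlog" | head -n1 | cut -d: -f1)
    [ -z "$init" ] && [ -z "$key" ] && return 2
    [ -z "$key" ] && return 1
    [ -z "$init" ] && return 0
    [ "$key" -lt "$init" ]
}

# Interactive recovery: load the secrets (this is where %prompt asks for
# the passphrase), then initiate the connection now that the key exists.
prompt_then_up() {
    ipsec secrets && ipsec up "$CONN"
}

# Only run the interactive part where the strongSwan wrapper is installed.
if command -v ipsec >/dev/null 2>&1; then
    prompt_then_up
fi
```

Run key_loaded_before_initiate against /var/log/messages (or wherever charon logs) to confirm which case you are in before retrying.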
