strongSwan 4.4.06 on SLES 11 SP2. This used to work. I am working on adding 
users with iOS to strongSwan, but I have commented that out of ipsec.conf and 
ipsec.secrets to verify that it is not the problem. A user on Windows 7 with a 
client cert connects and receives:
Error 13801: IKE Authentication Credentials are unacceptable

All other VPN connections work (like the conn teknerds which is strongSwan to 
sonicwall).

Error in the charon.log:
13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
13[CFG] looking for peer configs matching 
192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]
13[CFG] selected peer config 'rclientscerts'
13[CFG]   using certificate "O=Chris VPN service, CN=Client2"
13[CFG]   using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens Land 
Corp, OU=ELC, CN=Jarrod, E=email@address"
13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"
13[CFG] certificate status is not available
13[CFG]   reached self-signed root ca with a path length of 0
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature 
successful
13[IKE] peer supports MOBIKE
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Here is ipsec.conf:
# Global daemon settings.
config setup
        # plutodebug=all
        # With strictcrlpolicy=no a peer certificate is still accepted when no
        # revocation status can be obtained; this matches the log above, where
        # "certificate status is not available" is followed by a successful
        # RSA signature authentication. A revoked client certificate would
        # presumably not be rejected in that situation - confirm this is intended.
          crlcheckinterval=600
          strictcrlpolicy=no
        # cachecrls=yes
          nat_traversal=yes
        # charonstart=no
        # The IKEv1 daemon (pluto) is not started. NOTE(review): in the 4.x series
        # a keyexchange=ikev1 conn (such as the commented-out iOS one) is handled
        # by pluto - verify before re-enabling it.
          plutostart=no
        #charondebug="cfg 3,lib=3"

# Add connections here.

# Defaults inherited by every conn below unless the conn sets its own value.
conn %default
        ikelifetime=28800s
        keylife=20m
        rekeymargin=3m
        # One negotiation attempt only; a failed attempt is not retried.
        keyingtries=1
        keyexchange=ikev2
        # rclientseap and rclientscerts override this with mobike=yes.
        mobike=no

# Roadwarrior conn using EAP-MSCHAPv2 for the client and a certificate for the
# gateway. auto=ignore below means this conn is currently not loaded.
conn rclientseap
        rekey=no
        left=%any
        leftauth=pubkey
        # The gateway needs the private key matching this certificate in
        # ipsec.secrets; the secrets file shown on this page lists only elcKey.pem.
        leftcert=server_cert.crt
        # The next line was masked by the list archive's e-mail obfuscation; the
        # original setting is not recoverable from this page (presumably a
        # leftid= value - confirm against the real file).
        [email protected]
        # 0.0.0.0/0 offers the whole address space to the client (full tunnel).
        leftsubnet=0.0.0.0/0
        right=%any
        # Virtual IP pool handed out to clients.
        rightsourceip=192.168.2.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        mobike=yes
        auto=ignore

# Roadwarrior conn for clients authenticating with a certificate. This is the
# conn the failing exchange selects ("selected peer config 'rclientscerts'").
conn rclientscerts
        rekey=no
        left=%any
        leftauth=pubkey
        # The gateway authenticates itself with the private key belonging to this
        # certificate. The log above ends with "no private key found for
        # 'O=Chris VPN service, CN=70.63.136.95'" followed by AUTH_FAILED, and the
        # secrets file shown below lists only elcKey.pem - presumably the key for
        # elcCert.pem, not for server_cert.crt. Verify that the matching key is
        # installed and has an entry in ipsec.secrets.
        leftcert=server_cert.crt
        # The next line was masked by the list archive's e-mail obfuscation; the
        # original setting is not recoverable from this page (presumably a
        # leftid= value - confirm against the real file).
        [email protected]
        # 0.0.0.0/0 offers the whole address space to the client (full tunnel).
        leftsubnet=0.0.0.0/0
        # NOTE(review): no rightid or rightca restriction is visible here, so
        # presumably any client certificate that chains to a CA trusted by this
        # gateway can use this conn - confirm that is intended.
        right=%any
        # Virtual IP pool handed out to clients.
        rightsourceip=192.168.2.0/24
        #rightauth=eap-mschapv2
        #rightsendcert=never
        #eap_identity=%any
        mobike=yes
        auto=add




# Site-to-site conn to the SonicWall peer; reported as working.
conn teknerds
        left=%defaultroute
        # Uses a different certificate from the roadwarrior conns. The only key
        # listed in the secrets file on this page is elcKey.pem, presumably the
        # key for this certificate.
        leftcert=elcCert.pem
        leftsubnet=192.168.1.0/24
        #leftid="C=XX, O=X, CN=Edens Land Corp VPN"
        #leftfirewall=yes
        right=sonicwall.public.ip
        rightsubnet=192.168.123.0/24
        # The peer is pinned to a specific certificate and identity.
        rightcert=teknerdsCert.pem
        rightid="C=XX, O=X, CN=Tek-Nerds VPN"
        auto=add


#conn iOS
#       keyexchange=ikev1
#       authby=xauthrsasig
#       xauth=server
#       left=%defaultroute
#       leftsubnet=192.168.1.0/24
#       leftcert=elcCert.pem
#       right=%any
#       rightsourceip=192.168.3.0/24
#       #rightcert=
#       pfs=no
#       auto=add

Here is ipsec.secrets:
# The only private key listed. NOTE(review): there is no entry for the key of
# server_cert.crt, which the rclientseap and rclientscerts conns use as
# leftcert; that would be consistent with "no private key found" in charon.log.
# No passphrase follows the file name, so the key file is presumably stored
# unencrypted - keep it readable by root only.
: RSA elcKey.pem

Any help with this is greatly appreciated
