Here is the complete (with lines commented out) ipsec.secrets file: 

# ipsec.secrets 
# 
# This file holds the RSA private keys or the PSK preshared secrets for 
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page. 
# 
: RSA elcKey.pem 
#: RSA akimmo-key.pem 
#: RSA server_priv.pem 
#kimmo : EAP "test" 
#: RSA elcKey.pem ----->commented out to see if this was the issue 
#username : XAUTH "" --->commented out to see if this was the issue 

----- Original Message -----

From: "Chris Arnold" <[email protected]> 
To: [email protected] 
Sent: Monday, December 31, 2012 4:42:00 PM 
Subject: Re: [strongSwan] Auth Failed 

>Chris, 

>Assuming elcKey.pem is the private key associated with the certificate 
>elcCert.pem (used for conn teknerds), shouldn't there be another private key 
>associated with server_cert.crt used in conn rclientscerts? Just wondering 
>since you are using separate (left) certificates for the connections... 

Nothing has been changed in the ipsec.secrets file except that the iOS secret was 
commented out. This worked for months without any issues. Kimmo, a user here on the 
list, configured it and tested it and it was working. The last thing that was done 
was the SLES strongSwan update from 4.3 to 4.4. The other conn, teknerds, works 
fine. 
  
>The ipsec.secrets should be more like 
>  : RSA elcKey.pem 
>  : RSA server_Key.pem <"my-passphrase"> 
> 
>Where the passphrase is needed only if the private key is password protected. 

On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold < [email protected] > 
wrote: 

<blockquote>
strongSwan 4.4.06 on SLES 11 SP2. This used to work; I am working on adding 
users with iOS to strongSwan but have commented that out of ipsec.conf and 
ipsec.secrets to verify this is not the problem. A user with Windows 7 with a client 
cert connects and receives: 
Error 13801: IKE Authentication Credentials are unacceptable 

All other VPN connections work (like the conn teknerds which is strongSwan to 
sonicwall). 

Error in the charon.log: 
13[IKE] received end entity cert "O=Chris VPN service, CN=Client2" 
13[CFG] looking for peer configs matching 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2] 
13[CFG] selected peer config 'rclientscerts' 
13[CFG]   using certificate "O=Chris VPN service, CN=Client2" 
13[CFG]   using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=Jarrod, E=email@address" 
13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2" 
13[CFG] certificate status is not available 
13[CFG]   reached self-signed root ca with a path length of 0 
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful 
13[IKE] peer supports MOBIKE 
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95' 
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 

Here is ipsec.conf: 
config setup 
        # plutodebug=all 
          crlcheckinterval=600 
          strictcrlpolicy=no 
        # cachecrls=yes 
          nat_traversal=yes 
        # charonstart=no 
          plutostart=no 
        #charondebug="cfg 3,lib=3" 

# Add connections here. 

conn %default 
        ikelifetime=28800s 
        keylife=20m 
        rekeymargin=3m 
        keyingtries=1 
        keyexchange=ikev2 
        mobike=no 

conn rclientseap 
        rekey=no 
        left=%any 
        leftauth=pubkey 
        leftcert=server_cert.crt 
        [email protected] 
        leftsubnet= 0.0.0.0/0 
        right=%any 
        rightsourceip= 192.168.2.0/24 
        rightauth=eap-mschapv2 
        rightsendcert=never 
        eap_identity=%any 
        mobike=yes 
        auto=ignore 

conn rclientscerts 
        rekey=no 
        left=%any 
        leftauth=pubkey 
        leftcert=server_cert.crt 
        [email protected] 
        leftsubnet= 0.0.0.0/0 
        right=%any 
        rightsourceip= 192.168.2.0/24 
        #rightauth=eap-mschapv2 
        #rightsendcert=never 
        #eap_identity=%any 
        mobike=yes 
        auto=add 

conn teknerds 
        left=%defaultroute 
        leftcert=elcCert.pem 
        leftsubnet= 192.168.1.0/24 
        #leftid="C=XX, O=X, CN=Edens Land Corp VPN" 
        #leftfirewall=yes 
        right=sonicwall.public.ip 
        rightsubnet= 192.168.123.0/24 
        rightcert=teknerdsCert.pem 
        rightid="C=XX, O=X, CN=Tek-Nerds VPN" 
        auto=add 


#conn iOS 
#       keyexchange=ikev1 
#       authby=xauthrsasig 
#       xauth=server 
#       left=%defaultroute 
#       leftsubnet= 192.168.1.0/24 
#       leftcert=elcCert.pem 
#       right=%any 
#       rightsourceip= 192.168.3.0/24 
#       #rightcert= 
#       pfs=no 
#       auto=add 

Here is ipsec.secrets: 
: RSA elcKey.pem 

Any help with this is greatly appreciated. 

_______________________________________________ 
Users mailing list 
[email protected] 
https://lists.strongswan.org/mailman/listinfo/users 
</blockquote>



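Added example for readers of this thread (it is not strongSwan code and was not posted by anyone in the thread): a small triage script for the kind of charon.log excerpt quoted above. The point it encodes is the one the log already makes but Windows hides behind error 13801: the client's chain validated and its RSA signature verified ("authentication ... successful"), and the responder only failed afterwards because it had no private key for its own identity "CN=70.63.136.95", i.e. the key belonging to server_cert.crt is not listed in ipsec.secrets. The script groups lines by charon worker-thread number and, for each thread that answered with N(AUTH_FAILED), reports whether the cause was on the peer side or on the local side. The "successful" and "no private key found" message formats are the ones visible in the excerpt; the "failed" variant of the authentication line is assumed to mirror the "successful" one, and the sample input is constructed (thread 13 follows the excerpt, thread 07 is invented to show the other outcome).

```python
"""Triage N(AUTH_FAILED) events in a strongSwan charon log.

Added example for this mailing-list thread, not strongSwan code. Lines are
grouped by charon worker-thread number; for each thread that generated an
IKE_AUTH response carrying N(AUTH_FAILED) the script decides whether the
peer failed to authenticate or whether the responder lacked the private key
for its own identity (the situation discussed in the thread).
"""
import re

# Message formats as they appear in the thread's charon.log excerpt. The
# "failed" alternative in PEER_AUTH_RE is an assumption that mirrors the
# "successful" form seen in the excerpt.
THREAD_RE = re.compile(r"(\d+)\[[A-Z]+\]\s+(.*)")
CONFIG_RE = re.compile(r"selected peer config '([^']+)'")
PEER_AUTH_RE = re.compile(
    r"authentication of '([^']+)' with \S+ signature (successful|failed)")
NO_KEY_RE = re.compile(r"no private key found for '([^']+)'")
AUTH_FAILED_RE = re.compile(r"N\(AUTH_FAILED\)")

# Constructed sample input. Thread 13 is modelled on the excerpt posted in the
# thread; thread 07 is invented to exercise the peer-side failure path.
SAMPLE_LOG = """\
13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
13[CFG] selected peer config 'rclientscerts'
13[CFG]   using certificate "O=Chris VPN service, CN=Client2"
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful
13[IKE] peer supports MOBIKE
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
07[IKE] received end entity cert "O=Chris VPN service, CN=Client9"
07[CFG] selected peer config 'rclientscerts'
07[IKE] authentication of 'O=Chris VPN service, CN=Client9' with RSA signature failed
07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""


def _new_state():
    return {"config": None, "peer": None, "peer_auth": None,
            "missing_key_id": None, "auth_failed": False}


def triage(log_text):
    """Return {thread_id: state} for every thread that emitted N(AUTH_FAILED).

    state["verdict"] is one of:
      LOCAL_KEY_MISSING - peer authenticated; responder has no private key for
                          its own identity (look at ipsec.secrets)
      PEER_AUTH_FAILED  - the peer's signature did not verify
      UNDETERMINED      - AUTH_FAILED seen, neither cause was logged
    """
    threads = {}
    for line in log_text.splitlines():
        m = THREAD_RE.search(line)  # search, not match: real logs carry a timestamp prefix
        if not m:
            continue
        tid, msg = m.groups()
        st = threads.setdefault(tid, _new_state())
        m = CONFIG_RE.search(msg)
        if m:
            st["config"] = m.group(1)
        m = PEER_AUTH_RE.search(msg)
        if m:
            st["peer"], st["peer_auth"] = m.group(1), m.group(2)
        m = NO_KEY_RE.search(msg)
        if m:
            st["missing_key_id"] = m.group(1)
        if AUTH_FAILED_RE.search(msg):
            st["auth_failed"] = True

    result = {}
    for tid, st in threads.items():
        if not st["auth_failed"]:
            continue
        if st["missing_key_id"] is not None:
            st["verdict"] = "LOCAL_KEY_MISSING"
        elif st["peer_auth"] == "failed":
            st["verdict"] = "PEER_AUTH_FAILED"
        else:
            st["verdict"] = "UNDETERMINED"
        result[tid] = st
    return result


def report(log_text):
    """One human-readable line per failed IKE_AUTH exchange."""
    lines = []
    for tid, st in triage(log_text).items():
        if st["verdict"] == "LOCAL_KEY_MISSING":
            lines.append(
                f"thread {tid} conn {st['config']}: peer {st['peer']!r} authenticated, "
                f"but no private key is loaded for local id {st['missing_key_id']!r}; "
                f"check the ': RSA <keyfile>' entries in ipsec.secrets")
        else:
            lines.append(
                f"thread {tid} conn {st['config']}: {st['verdict']} for peer {st['peer']!r}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Once ipsec.secrets lists a key for each leftcert, the pairing can be confirmed without another round trip from the client: `openssl x509 -noout -modulus -in server_cert.crt` and `openssl rsa -noout -modulus -in <keyfile>` must print the same modulus, and `ipsec rereadsecrets` makes charon load the new entry without a restart.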