Hi Justin,

for another problem, I have already set subjectAltName of the server cert to the external IP. Do I have to put this somewhere in my client config? It's not StrongSwan on the client side, so there is no ipsec.conf. What should I look for in my client software? You probably don't know the ShrewSoft client, but perhaps you can push me in the right direction.

Second question: What value should I put into my client software as leftid/rightid? Please bear in mind that I'm a total newbie with IPsec =/

Lars

On Wed, 13 Mar 2013 16:36:33 +0100, Justin Grover <[email protected]> wrote:

> Lars,
>
> When I got this error previously, it was because I didn't have a matching
> leftid / rightid in my ipsec.conf files. This should be the subject or
> altsubjectname from your cert.
>
> I'm not seeing the leftid or rightid in your configs. If you add them, that
> might fix it.
>
> Justin
> On Mar 13, 2013 10:26 AM, "Larsen" <[email protected]> wrote:
>
>> Hi,
>>
>> I am still trying to establish a VPN connection between my Windows XP box
>> using the ShrewSoft client and our IPFire server running Strongswan 5.0.2,
>> but now I get the error "no peer config found" in the server log:
>>
>>
>> charon: 16[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (365 bytes)
>> charon: 16[IKE] ignoring certificate request without data
>> charon: 16[IKE] sending cert request for "C=DE, ST=city, L=city, O=mycompany, OU=IPFire, CN=mycompanyCA, [email protected]"
>> charon: 16[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (549 bytes)
>> charon: 12[NET] sending packet: from #external IP#[500] to 192.168.120.24[500]
>> charon: 16[MGR] checkin IKE_SA (unnamed)[5]
>> charon: 16[MGR] check-in of IKE_SA successful.
>> charon: 06[NET] received packet: from 192.168.120.24[500] to #external IP#[500]
>> charon: 06[NET] waiting for data on sockets
>> charon: 08[MGR] checkout IKE_SA by message
>> charon: 08[MGR] IKE_SA (unnamed)[5] successfully checked out
>> charon: 08[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (1292 bytes)
>> charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"
>> charon: 08[CFG] looking for RSA signature peer configs matching #external IP#...192.168.120.24
>> charon: 08[IKE] no peer config found
>> charon: 08[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (92 bytes)
>> charon: 08[MGR] checkin and destroy IKE_SA (unnamed)[5]
>> charon: 08[MGR] check-in and destroy of IKE_SA successful
>>
>>
>> I already did a search, but couldn't find the right answers to my problem.
>> As far as I understand this error, it seems to me that the certificate is
>> missing on the server, but I have created it there via IPFire. That client
>> cert was then imported into the local computer store according to
>> http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs .
>>
>> I get the same error message trying this with TheGreenBow client or an
>> iPhone. My computer is on the same subnet it shall connect to via VPN, but
>> I guess that shouldn't be a problem for now. Also, the iPhone is not using
>> the LAN, but still has the same problem.
>>
>>
>> # cat /etc/ipsec.conf
>> version 2
>>
>> config setup
>>     charondebug="dmn 2, mgr 2, ike 1, chd 2, job 2, cfg 1, knl 2, net 2, asn 1, enc 0, lib 1, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2"
>>
>> conn %default
>>     keyingtries=%forever
>>
>> include /etc/ipsec.user.conf
>>
>> conn JonDoe
>>     left=#external IP#
>>     leftsubnet=192.168.120.0/24
>>     leftfirewall=yes
>>     lefthostaccess=yes
>>     right=%any
>>     rightsubnet=vhost:%no,%priv
>>     leftcert=/var/ipfire/certs/hostcert.pem
>>     rightcert=/var/ipfire/certs/JonDoecert.pem
>>     ike=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp8192,aes256-sha-modp6144,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp8192,aes192-sha-modp6144,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp8192,aes128-sha-modp6144,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha-modp8192,3des-sha-modp6144,3des-sha-modp4096,3des-sha-modp3072,3des-sha-modp2048,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
>>     esp=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp8192,aes256-sha1-modp6144,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp8192,aes192-sha1-modp6144,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp8192,aes128-sha1-modp6144,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha1-modp8192,3des-sha1-modp6144,3des-sha1-modp4096,3des-sha1-modp3072,3des-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
>>     keyexchange=ikev1
>>     ikelifetime=1h
>>     keylife=8h
>>     compress=yes
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=clear
>>     authby=rsasig
>>     leftrsasigkey=%cert
>>     rightrsasigkey=%cert
>>     auto=add
>>     rightsourceip=
>>
>>
>> # ll /var/ipfire/certs/hostcert.pem
>> -rw-r--r-- 1 nobody nobody 1639 2013-02-25 16:19 /var/ipfire/certs/hostcert.pem
>>
>> ~# ll /var/ipfire/certs/JonDoecert.pem
>> -rw-r--r-- 1 nobody nobody 1533 2013-02-25 16:20 /var/ipfire/certs/JonDoecert.pem
>>
>>
>> What is the cause of this error message?
>>
>>
>> Lars
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
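
An added example, not part of the thread and not strongSwan code: a small Python check that applies the advice in Justin's reply to an ipsec.conf, flagging conn sections whose leftid/rightid are missing or differ from the server certificate's identities and from the client DN seen in the charon log. The sample config, the conn name JonDoeWithIds and the address 203.0.113.10 are constructed, and strongSwan's own ID defaults and matching rules are not modelled.

```python
import re
# Constructed sample input modelled on the thread; 203.0.113.10 stands in for "#external IP#".
SAMPLE_CONF = """\
conn JonDoe
    left=203.0.113.10
    right=%any

conn JonDoeWithIds
    left=203.0.113.10
    leftid=203.0.113.10
    rightid="C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"
"""
SAMPLE_LOG = 'charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"\n'

def parse_conns(text):
    """Return {conn name: {key: value}} for each 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def norm_id(value):
    """Normalise an ID: DNs compare per attribute, ignoring spacing and attribute-name case."""
    parts = [p.strip() for p in value.split(",")]
    if all("=" in p for p in parts):  # simplification: no commas inside DN values
        return tuple((k.strip().upper(), v.strip()) for k, v in (p.split("=", 1) for p in parts))
    return value.strip().lower()

def audit(conf, log, server_ids):
    """server_ids: subject / subjectAltName values of the server cert, supplied by the caller."""
    m = re.search(r'received end entity cert "([^"]+)"', log)
    expected = {"leftid": server_ids, "rightid": [m.group(1)] if m else []}
    findings = {}
    for name, opts in parse_conns(conf).items():
        findings[name] = issues = []
        for key, wanted in expected.items():
            if key not in opts:
                issues.append(f"{key} not set")
            elif norm_id(opts[key]) not in [norm_id(w) for w in wanted]:
                issues.append(f"{key} does not match a certificate identity")
    return findings
```

`audit(SAMPLE_CONF, SAMPLE_LOG, ["203.0.113.10"])` returns a dict of findings per conn: the `JonDoe` section is reported with both IDs unset, and `JonDoeWithIds` comes back with an empty list.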
