Hi All,

Let me make my question simpler.

Actually, in my testing I was trying to have more than 1 remote access VPN (road warrior VPN) at the server, using different PSK secrets. Since with road warriors the server cannot know its peer identities, is it logical to have the local identity as the selector for the PSK in the ipsec.secrets file? Or should only the remote identity be the selector in the ipsec.secrets file for PSK mode? If that's the case, then this becomes a limitation with PSKs: more than 1 road warrior configuration is not allowed, because with road warriors we cannot know our peer identities. Can someone confirm.

Thanks
Sumit

From: [email protected] [mailto:[email protected]] On Behalf Of ext Kaur, Sumit (NSN - IN/Bangalore)
Sent: Wednesday, January 28, 2015 6:37 PM
To: [email protected]
Subject: [strongSwan] Peer identities w.r.t. PSK based authentication and Certificates based authentication

Hi all,

I have configured IKEv2 in strongSwan version 4.3.6 as below.

ipsec.conf on Host1
ipsec.secrets on Host1
ipsec.conf on Host2
ipsec.secrets on Host2

The certificates are IP address based. Host1 is made to act as responder alone. IPsec connections are always initiated from Host2. With the above configuration, both connections r1~v1 and r2~v2 get established (initiated from Host2).

Logs at Host1 (Responder):

10[IKE] (vr2)14.0.0.2 is initiating an IKE_SA
10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
09[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
09[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, [email protected]"
09[CFG] looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]
09[CFG] selected peer config 'r1~v1'
09[CFG] using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, [email protected]"
09[CFG] using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
09[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, [email protected]"
09[CFG] certificate status is not available
09[CFG] reached self-signed root ca with a path length of 0
09[IKE] authentication of '(vr*)14.0.0.2' with RSA signature successful
09[IKE] authentication of '(vr*)30.0.0.1' (myself) with RSA signature successful
10[IKE] 13.0.0.2 is initiating an IKE_SA
10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
12[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
12[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, [email protected]"
12[CFG] looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]
12[CFG] selected peer config 'r2~v2'
12[CFG] using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, [email protected]"
12[CFG] using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
12[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, [email protected]"
12[CFG] certificate status is not available
12[CFG] reached self-signed root ca with a path length of 0
12[IKE] authentication of '(vr*)13.0.0.2' with RSA signature successful
12[IKE] authentication of '(vr*)20.0.0.1' (myself) with RSA signature successful

But the same configuration with secrets does not go through fine.

Host1 ipsec.conf, ipsec.secrets
Host2 ipsec.conf, ipsec.secrets

When r1~v1 and r2~v2 are initiated from Host2, Host1 fails the authentication with the below error:

09[IKE] (vr2)14.0.0.2 is initiating an IKE_SA
09[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
08[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
08[CFG] looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]
08[CFG] selected peer config 'r1~v1'
08[IKE] no shared key found for '(vr*)%any' - '(vr*)14.0.0.2'
11[IKE] 13.0.0.2 is initiating an IKE_SA
11[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
10[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, [email protected]"
10[CFG] looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]
10[CFG] selected peer config 'r2~v2'
10[IKE] no shared key found for '(vr*)%any' - '(vr*)13.0.0.2'

As far as my understanding goes, the %any identity is looked for in the ipsec.secrets file of Host1, which is not available, and hence the error. But then for certificates too, %any is not mentioned in the ipsec.secrets file, so how does the authentication go through fine for both connections with the respective private keys at Host1? Can someone explain this.

Thanks
Sumit
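An added example of the ipsec.secrets selector layout the question is about; this is not Sumit's actual file (the thread does not reproduce it), the identities are taken from the logs above, the secrets are placeholders, and the matching rule described in the comments is assumed from strongSwan's documented ipsec.secrets behaviour rather than taken from the thread:

```conf
# Added example: ipsec.secrets on Host1 (the responder). Not the poster's file.
#
# Assumed matching rule (strongSwan's documented ipsec.secrets semantics):
# every PSK line is matched against BOTH identities of the IKE_SA being
# authenticated, the local one and the remote one; the best-matching line
# wins; a line with no selectors, or with %any as a selector, matches any
# identity on that side.
#
# The failing lookups in the log are for the pair  '%any' - '14.0.0.2'  and
# '%any' - '13.0.0.2': the remote side is the peer identity from IDi, the
# local side is %any. A line that names only a concrete local identity
# (30.0.0.1 or 20.0.0.1) therefore cannot match such a lookup, because %any
# on the lookup side does not match a concrete selector. A leading %any
# selector (or no local selector at all) does.

# One secret per road warrior, selected by the remote identity:
%any 14.0.0.2 : PSK "PLACEHOLDER-secret-for-peer-14.0.0.2"
%any 13.0.0.2 : PSK "PLACEHOLDER-secret-for-peer-13.0.0.2"

# What selecting by the local identity alone would look like. Two road
# warriors arriving at the same gateway identity both resolve to the same
# line, so they necessarily share one PSK; anyone holding a shared PSK can
# impersonate the gateway to every other holder, which is the risk to weigh
# before choosing this layout.
# 30.0.0.1 : PSK "PLACEHOLDER-one-secret-for-all-peers-of-30.0.0.1"
```

With certificates the private key is chosen by the certificate that the selected connection presents, not by a selector match in ipsec.secrets, which is why that path does not depend on the local identity being known at lookup time.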
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
