I am attempting to set up a RHEL 7 based strongSwan server, with Macintosh-based clients, using IPsec (the built-in OS X Cisco client), and I am unable to get this to behave so far.
It appears to be an issue with the certs? I have regenerated them on both sides several times and that does not seem to be resolving my issue here. Any insights into what I am missing in my setup? My hope is that this is just some simple newbie mistake I am making.

My ipsec.conf file:

    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        leftauth=psk
        rightauth=psk
        rightauth2=xauth
        leftid=10.0.11.200
        rightid=10.0.11.160

    conn rw-carol
        also=rw
        right=10.0.11.0/24
        auto=add

    conn rw-dave
        also=rw
        right=10.0.11.0/24
        auto=add

    conn rw
        left=10.0.11.200
        leftsubnet=10.11.0.0/16
        leftfirewall=yes

This is my ipsec.secrets file:

    : RSA RH7Standard.vpnHostPrivateKey.der
    : PSK "Password"
    judeo %any : EAP "Password"
    judeo %any : XAUTH "Password"
    judeo %any : PSK "Password"

This is the error I am seeing in the logs:

    Apr 18 09:45:41 RH7Standard charon: 10[IKE] 10.0.11.160 is initiating a Main Mode IKE_SA
    Apr 18 09:45:41 RH7Standard charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
    Apr 18 09:45:41 RH7Standard charon: 10[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (136 bytes)
    Apr 18 09:45:41 RH7Standard strongswan: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.0-327.4.5.el7.x86_64, x86_64)
    Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] openssl FIPS mode(2) - enabled
    Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] created TUN device: ipsec0
    Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open socket: Address family not supported by protocol
    Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open IPv6 socket, IPv6 disabled
    Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] received netlink error: Address family not supported by protocol (97)
    Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] unable to create IPv6 routing table rule
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.SelfSigned.CA.cert.strongswanCert.der'
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.Converted.SelfSigned.CA.cert.pem'
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
    Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/aacerts' failed: No such file or directory
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
    Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/ocspcerts' failed: No such file or directory
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
    Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/acerts' failed: No such file or directory
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
    Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/crls' failed: No such file or directory
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/RH7Standard.vpnHostPrivateKey.der'
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded IKE secret for %any
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded EAP secret for judeo %any
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded EAP secret for judeo %any
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded IKE secret for judeo %any
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded 0 RADIUS server configurations
    Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] MAP server certificate not defined
    Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] TNC recommendation policy is 'default'
    Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] loading IMVs from '/etc/tnc_config'
    Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
    Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] missing PDP server name, PDP disabled
    Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] loading IMCs from '/etc/tnc_config'
    Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
    Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
    Apr 18 09:45:41 RH7Standard strongswan: 00[JOB] spawning 16 worker threads
    Apr 18 09:45:41 RH7Standard strongswan: 11[CFG] received stroke: add connection 'rw-carol'
    Apr 18 09:45:41 RH7Standard strongswan: 11[CFG] added configuration 'rw-carol'
    Apr 18 09:45:41 RH7Standard strongswan: 13[CFG] received stroke: add connection 'rw-dave'
    Apr 18 09:45:41 RH7Standard strongswan: 13[CFG] added child to existing configuration 'rw-carol'
    Apr 18 09:45:41 RH7Standard strongswan: 10[NET] received packet: from 10.0.11.160[500] to 10.0.11.200[500] (668 bytes)
    Apr 18 09:45:41 RH7Standard strongswan: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received NAT-T (RFC 3947) vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received XAuth vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received Cisco Unity vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received FRAGMENTATION vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received DPD vendor ID
    Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] 10.0.11.160 is initiating a Main Mode IKE_SA
    Apr 18 09:45:41 RH7Standard strongswan: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
    Apr 18 09:45:41 RH7Standard charon: 11[NET] received packet: from 10.0.11.160[500] to 10.0.11.200[500] (292 bytes)
    Apr 18 09:45:41 RH7Standard charon: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Apr 18 09:45:41 RH7Standard charon: 11[IKE] faking NAT situation to enforce UDP encapsulation
    Apr 18 09:45:41 RH7Standard charon: 11[IKE] sending cert request for "C=US, O=BSI, CN=RH7Standard.blansys.com"
    Apr 18 09:45:41 RH7Standard charon: 11[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
    Apr 18 09:45:41 RH7Standard charon: 11[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (376 bytes)
    Apr 18 09:45:42 RH7Standard charon: 12[NET] received packet: from 10.0.11.160[4500] to 10.0.11.200[4500] (1500 bytes)
    Apr 18 09:45:42 RH7Standard charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
    Apr 18 09:45:42 RH7Standard charon: 12[IKE] ignoring certificate request without data
    Apr 18 09:45:42 RH7Standard charon: 12[IKE] received end entity cert "C=US, O=BSI, [email protected]"
    Apr 18 09:45:42 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, [email protected]]
    Apr 18 09:45:42 RH7Standard charon: 12[IKE] no peer config found
    Apr 18 09:45:42 RH7Standard charon: 12[ENC] generating INFORMATIONAL_V1 request 2365044413 [ HASH N(AUTH_FAILED) ]
    Apr 18 09:45:42 RH7Standard charon: 12[NET] sending packet: from 10.0.11.200[4500] to 10.0.11.160[4500] (92 bytes)

-- 
Jude Oliver
Support, Blanchard Systems
www.blanchardsystems.com
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
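The failing lookup in the log above ("looking for XAuthInitRSA peer configs matching ... no peer config found") can be cross-checked against ipsec.conf mechanically: the script below is an added example, not part of the original post or of strongSwan, that resolves %default and also= inheritance for each conn and reports every conn whose rightauth/rightauth2 cannot serve the authentication method the initiator proposed. The method-to-setting table is an assumption (XAuthInitRSA is taken from the log; XAuthInitPreShared is assumed from strongSwan's IKEv1 method names), and the config and log excerpts are constructed from the post.

```python
import re
# Constructed excerpt of the ipsec.conf from the post (connection sections only).
IPSEC_CONF = """\
conn %default
    rightauth=psk
    rightauth2=xauth
conn rw
    left=10.0.11.200
conn rw-carol
    also=rw
"""
# Two charon lines copied from the post's log (constructed excerpt).
LOG = """\
Apr 18 09:45:42 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, [email protected]]
Apr 18 09:45:42 RH7Standard charon: 12[IKE] no peer config found
"""
# charon's IKEv1 auth-method name -> (rightauth, rightauth2) the responder must offer (assumed table).
REQUIRED = {"XAuthInitRSA": ("pubkey", "xauth"), "XAuthInitPreShared": ("psk", "xauth")}

def parse_conns(text):
    """Return {conn: {key: value}} with %default and also= inheritance resolved."""
    raw, name = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            name = line.split()[1]
            raw[name] = {}
        elif name and "=" in line:
            raw[name].update([line.strip().split("=", 1)])
    def effective(n):
        own = dict(raw[n])
        cfg = dict(raw.get("%default", {}))          # lowest precedence
        if "also" in own:
            cfg.update(effective(own.pop("also")))   # inherited section next
        cfg.update(own)                              # the conn's own lines win
        return cfg
    return {n: effective(n) for n in raw if n != "%default"}

def proposed_method(log_text):
    """Auth method the initiator proposed, if charon logged a failed peer-config lookup."""
    m = re.search(r"looking for (\S+) peer configs matching", log_text)
    return m.group(1) if m and "no peer config found" in log_text else None

def find_auth_mismatch(conf_text, log_text):
    """[(conn, wanted, configured)] for conns that cannot serve the proposed method (checks right* only; IKEv1 needs leftauth to match too)."""
    want = REQUIRED.get(proposed_method(log_text))
    if want is None:                                 # no failed lookup, or unknown method
        return []
    have = {n: (c.get("rightauth"), c.get("rightauth2")) for n, c in parse_conns(conf_text).items()}
    return [(n, want, h) for n, h in have.items() if h != want]
```

Against the post's own config and log it reports both rw and rw-carol as offering psk/xauth where the client's XAuthInitRSA proposal needs pubkey/xauth.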
