Still no love here, no private key for my left server? Did I mess up my cert creation?
Apr 26 10:05:14 RH7Standard charon: 11[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 10:05:14 RH7Standard charon: 11[IKE] sending cert request for "C=US, O=BSI, CN=RH7Standard.blansys.com"
Apr 26 10:05:14 RH7Standard charon: 11[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 26 10:05:14 RH7Standard charon: 11[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (376 bytes)
Apr 26 10:05:14 RH7Standard strongswan: 10[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (136 bytes)
Apr 26 10:05:14 RH7Standard charon: 12[NET] received packet: from 10.0.11.160[4500] to 10.0.11.200[4500] (1500 bytes)
Apr 26 10:05:14 RH7Standard charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 26 10:05:14 RH7Standard charon: 12[IKE] ignoring certificate request without data
Apr 26 10:05:14 RH7Standard charon: 12[IKE] received end entity cert "C=US, O=BSI, [email protected]"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, [email protected]]
Apr 26 10:05:14 RH7Standard charon: 12[CFG] selected peer config "%Mac"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] using certificate "C=US, O=BSI, [email protected]"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] using trusted ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] checking certificate status of "C=US, O=BSI, [email protected]"
Apr 26 10:05:14 RH7Standard charon: 12[CFG] certificate status is not available
Apr 26 10:05:14 RH7Standard charon: 12[CFG] reached self-signed root ca with a path length of 0
Apr 26 10:05:14 RH7Standard charon: 12[IKE] authentication of 'C=US, O=BSI, [email protected]' with RSA successful
Apr 26 10:05:14 RH7Standard charon: 12[IKE] no RSA private key found for '10.0.11.200'
Apr 26 10:05:14 RH7Standard charon: 12[ENC] generating INFORMATIONAL_V1 request 860305567 [ HASH N(AUTH_FAILED) ]
Apr 26 10:05:14 RH7Standard charon: 12[NET] sending packet: from 10.0.11.200[4500] to 10.0.11.160[4500] (92 bytes)

Please verify I have not made any mistakes in my ipsec.conf file:

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn %Mac
    auto=add
    rightid="C=US, O=BSI, [email protected]"
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth

And my list of certs:

strongswan listcerts

List of X.509 End Entity Certificates:

  altNames:  [email protected], [email protected]
  subject:  "C=US, O=BSI, [email protected]"
  issuer:   "C=US, O=BSI, CN=RH7Standard.blansys.com"
  serial:    25:74:fe:8b:a9:5f:aa:02
  validity:  not before Apr 08 13:25:55 2016, ok
             not after  Apr 08 13:25:55 2018, ok
  pubkey:    RSA 2048 bits
  keyid:     a0:7a:df:22:55:da:02:f6:9d:3e:ac:ae:7d:e1:31:ee:ea:6e:1e:33
  subjkey:   72:88:65:dc:71:f5:20:5d:80:d4:1a:6b:a7:88:c3:f8:b4:1f:cb:6f
  authkey:   9a:f2:13:b8:bb:85:97:4a:fc:48:ad:a2:4a:80:82:5a:ee:75:49:39

________________________________________
Jude Oliver
Support
1100 Poydras St. Suite 1230
New Orleans, LA 70163
Main Office: 504-529-8869
[email protected]
www.blanchardsystems.com <http://www.blanchardsystems.com/>

On 4/26/16, 8:16 AM, "Tobias Brunner" <[email protected]> wrote:

>Hi Jude,
>
>> Apr 25 11:20:44 RH7Standard charon: 09[IKE] found 1 matching config, but
>> none allows XAuthInitRSA authentication using Main Mode
>
>Seems your left|rightauth settings are still wrong. As I wrote before
>you need
>
>  leftauth=pubkey
>  rightauth=pubkey
>  rightauth2=xauth
>
>> I have tried a few variations without success, like
>>  authby=xauthrsasig
>>  authby=xauthpsk
>
>authby has no effect if you configure left|rightauth.
>
>> I presume this is the configuration example I should be looking at to
>> get this to behave:
>>
>> https://www.strongswan.org/testing/testresults/ikev1/xauth-id-rsa-hybrid/
>
>No, as the name indicates and the description explains this uses XAuth
>in Hybrid Mode (where the client is only authenticated with XAuth not
>PSK or RSA). While the Apple clients support this mode it's not their
>default setting.
>
>Regards,
>Tobias
>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
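The following is an added example, not code from the thread or from the strongSwan project: a small Python checker that reads a conn section from an ipsec.conf text and applies the settings Tobias asks for (leftauth=pubkey, rightauth=pubkey, rightauth2=xauth, and authby being ignored once left|rightauth is set). The last check is this example's own interpretation of the "no RSA private key found for '10.0.11.200'" line in the log: with leftauth=pubkey and neither leftcert nor leftid set, the local identity falls back to the server's IP address. The config text is constructed from the one in the mail, with the redacted e-mail in rightid replaced by a placeholder.

```python
# Constructed input based on the ipsec.conf posted in the thread; the e-mail in
# rightid is a placeholder (it is redacted in the archive).
IPSEC_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn %Mac
    auto=add
    rightid="C=US, O=BSI, E=PLACEHOLDER"
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=xauth
"""

def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {conn_name: settings}, with conn %default merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header, e.g. "conn %Mac"
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:       # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    default = sections.pop("%default", {})
    return {name: {**default, **conn} for name, conn in sections.items()}

def lint_xauth_rsa(conn):
    """Apply the checks from the thread to one conn; returns a list of findings."""
    findings = []
    for key, want in (("leftauth", "pubkey"), ("rightauth", "pubkey"), ("rightauth2", "xauth")):
        if conn.get(key) != want:
            findings.append(f"{key} should be {want} (got {conn.get(key)!r})")
    if "authby" in conn and ("leftauth" in conn or "rightauth" in conn):
        findings.append("authby has no effect once left|rightauth is configured")
    # Interpretation added by this example (not stated in the thread): without leftcert
    # or leftid the local identity defaults to the IP, as in "no RSA private key found".
    if conn.get("leftauth") == "pubkey" and not (conn.keys() & {"leftcert", "leftid"}):
        findings.append("leftauth=pubkey but no leftcert/leftid: local ID defaults to the IP")
    return findings

if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(IPSEC_CONF).items():
        print(name, lint_xauth_rsa(conn) or ["ok"])
```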
