Dear all, I am getting the error message mentioned above when trying to connect to a client's site. Of course, I have tried to research if there already has been a similar problem, and have found exactly one appropriate thread:
https://lists.strongswan.org/pipermail/users/2018-March/012351.html

Unfortunately, my situation is different; in my case, something else seems to cause the problem. Having said this:

- It happened after the upgrade from Debian jessie (Debian 8) to Debian stretch (Debian 9), i.e. after the upgrade from StrongSwan 5.2.1 to StrongSwan 5.5.1.
- I have definitely copied the whole configuration (including certificates and so on) from the old system to the new one (AFTER having installed the new StrongSwan version in the new system). I have double checked multiple times (applying different methods) that nothing is missing.
- With the old system, I definitely could connect to the client's site without any problem with exactly that configuration.

If it matters, the VPN gateway at the client's side is a Lancom router (I don't know the exact type, but it is a newer one, and I am absolutely sure that they didn't make any changes to it while I was upgrading my system, and to stress it again, the old system / StrongSwan version could connect to that device without problems).

This is my /etc/ipsec.conf (sensitive data has been changed, and lines which are commented out have been left out):

config setup

conn %default
        mobike=no

conn myclient
        ikelifetime=10800s
        keylife=3600s
        rekeymargin=9m
        keyingtries=1
        type=tunnel
        keyexchange=ikev2
        mobike=no
        ike=aes256-sha512-modp4096!
        esp=aes256-sha512-modp4096!
        left=xxxxxxxxxxxxxxxx.hopto.org
        leftauth=rsa-4096-sha512
        leftid="/CN=xxxxxxxxxxxxxxxx.hopto.org"
        leftsubnet=192.168.20.0/24
        leftfirewall=no
        leftcert=mycompany-client.crt
        right=yyyyyyyyyyyyyyyy.zapto.org
        rightauth=rsa-4096-sha512
        rightid="/CN=yyyyyyyyyyyyyyyy.zapto.org"
        rightsubnet=192.168.0.0/24
        auto=add

This is the error message (sensitive data changed in the same way as with ipsec.conf):

root@charon:/etc# /etc/init.d/ipsec restart
[ ok ] Restarting ipsec (via systemctl): ipsec.service.
root@charon:/etc# ipsec up myclient
initiating IKE_SA myclient[3] to 79.192.42.125
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (714 bytes)
received packet: from 79.192.42.125[500] to 87.185.83.87[500] (713 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received 1 cert requests for an unknown ca
sending cert request for "CN=ca.clientsite.local"
authentication of 'CN=xxxxxxxxxxxxxxxx.hopto.org' (myself) with RSA signature successful
sending end entity cert "CN=xxxxxxxxxxxxxxxx.hopto.org"
establishing CHILD_SA myclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (2048 bytes)
received packet: from 79.192.42.125[500] to 87.185.83.87[500] (1984 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH TSi TSr N(INIT_CONTACT) SA ]
received end entity cert "CN=yyyyyyyyyyyyyyyy.zapto.org"
using certificate "CN=yyyyyyyyyyyyyyyy.zapto.org"
using trusted ca certificate "CN=ca.clientsite.local"
checking certificate status of "CN=yyyyyyyyyyyyyyyy.zapto.org"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'CN=yyyyyyyyyyyyyyyy.zapto.org' with RSA signature successful
IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
selected peer config 'myclient' inacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 87.185.83.87[500] to 79.192.42.125[500] (96 bytes)
establishing connection 'myclient' failed
root@charon:/etc#

Does anybody have an idea?

Thank you very much in advance,

Binarus
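The following is an added example, not part of the post above and not strongSwan project code. It correlates the two facts the post already shows: the `rightauth=rsa-4096-sha512` constraint in the conn block (which, in strongSwan's auth-constraint syntax, requires the peer to authenticate with an RSA key of at least 4096 bits using a SHA-512 signature scheme) and the charon line "IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable" (the peer signed with PKCS#1 v1.5 over SHA-1). The script parses both, reports which constraint component the rejected scheme violates, and deliberately does not judge the key size, because the quoted log does not print the peer's key length. The log and config excerpts are constructed from the post; the regular expression for charon scheme names (`RSA_EMSA_PKCS1_SHA1`, `RSA_EMSA_PKCS1_SHA2_256`, `ECDSA_WITH_SHA256_DER`, and similar) is an assumption about naming and covers only those patterns.

```python
import re

# Constructed excerpt of the `ipsec up myclient` output quoted in the post.
CHARON_LOG = """\
authentication of 'CN=yyyyyyyyyyyyyyyy.zapto.org' with RSA signature successful
IKE signature scheme RSA_EMSA_PKCS1_SHA1 not acceptable
selected peer config 'myclient' inacceptable: constraint checking failed
no alternative config found
"""

# Constructed excerpt of the conn block from the post's ipsec.conf.
IPSEC_CONF = """\
conn myclient
        keyexchange=ikev2
        leftauth=rsa-4096-sha512
        rightauth=rsa-4096-sha512
"""

KNOWN_HASHES = {"sha1", "sha256", "sha384", "sha512"}


def parse_auth_constraint(value):
    """Split an ipsec.conf auth constraint such as 'rsa-4096-sha512' into key
    type, minimum key size in bits (None if absent) and required signature
    hash (None if absent). A missing rightauth defaults to 'pubkey'."""
    parts = (value or "pubkey").lower().split("-")
    result = {"key_type": parts[0], "min_bits": None, "hash": None}
    for part in parts[1:]:
        if part.isdigit():
            result["min_bits"] = int(part)
        elif part in KNOWN_HASHES:
            result["hash"] = part
        else:
            raise ValueError("unrecognised constraint component: %r" % part)
    return result


def parse_signature_scheme(name):
    """Map a charon signature scheme name to key type, padding and hash.
    Assumed naming pattern: <KEY>_<PADDING>_SHA<n> or _SHA2_<n>, optional _DER."""
    m = re.fullmatch(r"(RSA|ECDSA)_(.+?)_SHA(?:2_)?(\d+)(?:_DER)?", name)
    if not m:
        raise ValueError("unrecognised signature scheme: %r" % name)
    return {"key_type": m.group(1).lower(), "padding": m.group(2),
            "hash": "sha" + m.group(3)}


def find_rejected_scheme(log):
    """Return the scheme name charon rejected, or None if no such line exists."""
    for line in log.splitlines():
        m = re.search(r"IKE signature scheme (\S+) not acceptable", line)
        if m:
            return m.group(1)
    return None


def find_conn_setting(conf, conn, key):
    """Return key's value inside the named conn section of an ipsec.conf text."""
    in_conn = False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            in_conn = stripped.split(None, 1)[1] == conn
        elif in_conn and "=" in stripped:
            k, v = stripped.split("=", 1)
            if k.strip() == key:
                return v.strip()
    return None


def diagnose(log, conf, conn="myclient"):
    """Correlate the rejected signature scheme with the conn's rightauth
    constraint. Key size is not compared: the log does not report it."""
    scheme_name = find_rejected_scheme(log)
    if scheme_name is None:
        return {"rejected": None, "required": None, "mismatches": []}
    scheme = parse_signature_scheme(scheme_name)
    constraint = parse_auth_constraint(find_conn_setting(conf, conn, "rightauth"))
    mismatches = []
    if constraint["key_type"] not in ("pubkey", scheme["key_type"]):
        mismatches.append("key_type")
    if constraint["hash"] and constraint["hash"] != scheme["hash"]:
        mismatches.append("hash")
    return {"rejected": scheme, "required": constraint, "mismatches": mismatches}


if __name__ == "__main__":
    report = diagnose(CHARON_LOG, IPSEC_CONF)
    print("peer signed with:", report["rejected"])
    print("rightauth requires:", report["required"])
    print("violated components:", report["mismatches"])
```

Run against the post's own excerpts, the script reports that the only component the rejected scheme visibly violates is the hash (SHA-1 offered, SHA-512 required); whether the peer's key also falls short of 4096 bits cannot be read from this log.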