Hi guys, I've had this working; the config which is now failing I can easily blame on the strongswan update my distro sent down.
I've had my certs OK, but now (I admit I've not used this tunnel in a long time) this connection fails, and it seems due to some cert issues. But am I right to blame some change in my strongswan package? What can be the problem? Here is some log:

..
13[MGR] checkin of IKE_SA successful
13[MGR] checkout IKEv2 SA by message with SPIs 82396af750960ac0_i 17f4b42410718369_r
13[MGR] IKE_SA (unnamed)[1] successfully checked out
13[NET] received packet: from 172.24.46.236[4500] to 172.24.154.202[4500] (708 bytes)
13[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
13[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1872 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
13[IKE] received cert request for "C=shire, O=xx. CN=priv.xx.xx.priv.xx.xx.x"
13[IKE] received end entity cert "C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x"
13[CFG] looking for peer configs matching 172.24.154.202[%any]...172.24.46.236[C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x]
13[CFG] candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
13[CFG] candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
13[CFG] selected peer config 'IPSec-IKEv2'
13[CFG] using certificate "C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x"
13[CFG] certificate "C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x" key: 2048 bit RSA
13[CFG] using trusted ca certificate "C=shire, O=xx. CN=priv.xx.xx.priv.xx.xx.x"
13[CFG] checking certificate status of "C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x"
13[CFG] ocsp check skipped, no ocsp found
13[CFG] certificate status is not available
13[CFG] certificate "C=shire, O=xx. CN=priv.xx.xx.priv.xx.xx.x" key: 4096 bit RSA
13[CFG] reached self-signed root ca with a path length of 0
13[IKE] authentication of 'C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x' with RSA_EMSA_PKCS1_SHA2_256 successful
13[IKE] processing INTERNAL_IP4_ADDRESS attribute
13[IKE] processing INTERNAL_IP4_DNS attribute
13[IKE] peer supports MOBIKE
13[IKE] got additional MOBIKE peer address: 10.0.16.8
13[IKE] got additional MOBIKE peer address: 10.5.10.49
13[CFG] no IDr configured, fall back on IP address
13[IKE] no priv key found for '172.24.154.202'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13[NET] sending packet: from 172.24.154.202[4500] to 172.24.46.236[4500] (80 bytes)
13[MGR] checkin and destroy IKE_SA IPSec-IKEv2[1]
13[IKE] IKE_SA IPSec-IKEv2[1] state change: CONNECTING => DESTROYING
13[MGR] checkin and destroy of IKE_SA successful

many thanks, L.
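The log above shows the peer's certificate chain verifying and the peer authenticating successfully, and the failure only appearing afterwards on the responder's own side: no IDr was sent, the responder fell back to its IP address as its identity, and it found no private key bound to that identity, so it answered with AUTH_FAILED. The following script is an added triage helper, not code from the original post or from the strongSwan project: it parses charon log lines of the `NN[GROUP] message` form, pulls out the events that matter for an IKE_AUTH failure, and separates "peer certificate problem" from "local identity/key problem". The message patterns are the ones visible in the log above; the sample input is those lines, and the hint about `leftid`/`leftcert` and the secrets file in the verdict is an assumption about where such a mismatch is normally configured, not a diagnosis the post itself confirms.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: charon log lines copied from the post above, one per line.
SAMPLE_LOG = """\
13[IKE] received end entity cert "C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x"
13[CFG] selected peer config 'IPSec-IKEv2'
13[CFG] using trusted ca certificate "C=shire, O=xx. CN=priv.xx.xx.priv.xx.xx.x"
13[CFG] ocsp check skipped, no ocsp found
13[CFG] certificate status is not available
13[CFG] reached self-signed root ca with a path length of 0
13[IKE] authentication of 'C=shire, O=xx. CN=suc...@priv.xx.xx.priv.xx.xx.x' with RSA_EMSA_PKCS1_SHA2_256 successful
13[CFG] no IDr configured, fall back on IP address
13[IKE] no priv key found for '172.24.154.202'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# charon prefixes every line with a thread number and a subsystem tag, e.g. "13[CFG] ...".
LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$")

# Message patterns taken from the log in the post (the "no priv key" spelling as posted;
# newer builds spell it "no private key", so both are accepted).
PEER_CERT_RE = re.compile(r'received end entity cert "(?P<dn>[^"]+)"')
AUTH_OK_RE = re.compile(r"authentication of '(?P<id>[^']+)' with \S+ successful")
NO_KEY_RE = re.compile(r"no priv(?:ate)? key found for '(?P<id>[^']+)'")
AUTH_FAILED_RE = re.compile(r"generating IKE_AUTH response \d+ \[.*N\(AUTH_FAILED\).*\]")
IDR_FALLBACK = "no IDr configured, fall back on IP address"
STATUS_UNKNOWN = "certificate status is not available"


@dataclass
class AuthTriage:
    peer_id: Optional[str] = None          # subject DN of the cert the peer presented
    peer_authenticated: bool = False       # peer's AUTH payload verified against that cert
    revocation_unknown: bool = False       # no OCSP/CRL answer; strongSwan continued anyway
    local_id_fallback: bool = False        # responder used its IP as IDr
    missing_key_id: Optional[str] = None   # identity for which no private key was found
    auth_failed: bool = False              # responder sent N(AUTH_FAILED)

    def verdict(self) -> str:
        if not self.auth_failed:
            return "no IKE_AUTH failure detected"
        if self.missing_key_id is not None:
            where = "after falling back to its IP address as IDr" if self.local_id_fallback else "for its configured IDr"
            peer = "peer authenticated OK; " if self.peer_authenticated else ""
            # Assumption: in strongSwan this mismatch is fixed on the responder by binding the
            # local identity to the certificate (leftid/leftcert) and loading its key in the secrets file.
            return (f"{peer}local-side failure: no private key bound to identity "
                    f"'{self.missing_key_id}' {where}; check leftid/leftcert and the secrets file, "
                    "not the peer certificate")
        if not self.peer_authenticated:
            return f"peer-side failure: certificate/AUTH of '{self.peer_id}' did not verify"
        return "IKE_AUTH failed for a reason this helper does not classify"


def parse_charon_log(text: str) -> List[Tuple[str, str]]:
    """Return (group, message) pairs for every line that looks like a charon log line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("group"), m.group("msg")))
    return events


def diagnose(events: List[Tuple[str, str]]) -> AuthTriage:
    """Walk the events in order and record the facts needed to classify an IKE_AUTH failure."""
    t = AuthTriage()
    for group, msg in events:
        if m := PEER_CERT_RE.search(msg):
            t.peer_id = m.group("dn")
        elif AUTH_OK_RE.search(msg):
            t.peer_authenticated = True
        elif STATUS_UNKNOWN in msg:
            t.revocation_unknown = True
        elif IDR_FALLBACK in msg:
            t.local_id_fallback = True
        elif m := NO_KEY_RE.search(msg):
            t.missing_key_id = m.group("id")
        elif AUTH_FAILED_RE.search(msg):
            t.auth_failed = True
    return t


if __name__ == "__main__":
    triage = diagnose(parse_charon_log(SAMPLE_LOG))
    print(triage)
    print(triage.verdict())
```

Run it against a saved `journalctl -u strongswan` or `ipsec.log` extract instead of `SAMPLE_LOG` to get the same classification on a live failure; the "certificate status is not available" flag is reported separately because it is a revocation-checking gap worth knowing about, but it is not what caused this particular AUTH_FAILED.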