<div>Hi Andreas,</div>
<div> </div>
<div>This problem was solved by the solution provided in <a href="http://www.mail-archive.com/users@lists.strongswan.org/msg02152.html" target="_blank"><font color="#0000cc">http://www.mail-archive.com/users@lists.strongswan.org/msg02152.html</font></a>. I now have a new problem for which I cannot find a solution. It would be great if you could help me understand the problem, and hopefully provide a solution too.</div>
<div> </div>
<div>I generated the private key and certificate for my machines (the initiator and the receiver) by executing the following command on each of them:</div>
<div> </div>
<div><font color="#000099">openssl req -x509 -days 1460 -newkey rsa:2048 \<br>> -keyout strongswanKey.pem -out strongswanCert.pem</font></div>
<div> </div>
<div>I then placed the file strongswanKey.pem in the path /etc/ipsec.d/private/, and the file strongswanCert.pem in the path /etc/ipsec.d/certs. So now, the line " : RSA strongswanKey.pem "xxxx" " is added to the file ipsec.secrets, and the line "leftcert=strongswanCert.pem" is added to the file ipsec.conf. </div>
<div> </div>
<div>After starting strongswan, the following was seen in the log file:</div>
<div> </div>
<div>Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswanKey.pem'<br>
<strong><font color="#000099">Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed<br></font></strong>Mar 17 18:35:32 cip-Latitude-D520 charon: 00[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve<br>
</div>
<div> </div>
<div>Later on in the logs, I see that CHILD_SA was established, but IKE authentication failed. I am not sure if this is connected to the above problem. Please find a part of the logfile here:</div>
<div> </div>
<div><strong><font color="#000099">Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA sample-with-ca-cert<br></font></strong>Mar 17 18:35:44 cip-Latitude-D520 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
Mar 17 18:35:44 cip-Latitude-D520 charon: 12[NET] sending packet: from 10.58.114.215[4500] to 10.58.112.139[4500]<br>Mar 17 18:35:44 cip-Latitude-D520 charon: 13[NET] received packet: from 10.58.112.139[4500] to 10.58.114.215[4500]<br>
Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br><strong><font color="#000099">Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received AUTHENTICATION_FAILED notify error<br>
</font></strong></div>
<div> </div>
<div>Could you please help me sort this out?</div>
<div> </div>
<div>Thanks in advance,</div>
<div> </div>
<div>Meera </div>
<div><br><br> </div>
<div class="gmail_quote">On Wed, Mar 9, 2011 at 11:26 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">The log entry:
<div class="im"><br><br>: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br></div>
<div class="im">: 06[NET] sending packet: from 10.58.114.215[500] to 10.58.112.139[500]<br></div>
<div class="im">: 14[IKE] retransmit 1 of request with message ID 0<br><br></div>just means that your peer either does not receive the IKE_SA_INIT<br>request or that the IKE_SA_INIT reply gets lost on the way back.<br>You should check the log on the peer side.<br>
<br>Regards<br><br>Andreas
<div class="im"><br><br>On 03/09/2011 08:08 AM, Meera Sudhakar wrote:<br></div>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im">Hi,<br>I am new to strongswan, and would really appreciate some help in setting<br>up the SAs. For some reason, packets being sent are not being received<br>by the other machine. After retries, it says "peer not responding, try<br>
again". Please find below an excerpt of my log file:<br>Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] received stroke: add<br>connection 'sample-with-ca-cert'<br>Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] loaded certificate<br>
"C=CH, O=Linux strongSwan, OU=Sales, CN=<a href="mailto:alice@strongswan.org" target="_blank">alice@strongswan.org</a><br></div>" from 'myCert.pem'
<div class="im"><br>Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] id '10.58.114.215'<br>not confirmed by certificate, defaulting to 'C=CH, O=Linux strongSwan,<br></div>OU=Sales, CN=<a href="mailto:alice@strongswan.org" target="_blank">alice@strongswan.org</a>'
<div>
<div></div>
<div class="h5"><br>Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] added configuration<br>'sample-with-ca-cert'<br>Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] received stroke:<br>initiate 'sample-with-ca-cert'<br>
Mar 9 13:25:59 cip-Latitude-D520 charon: 06[IKE] initiating IKE_SA<br>sample-with-ca-cert[1] to 10.58.112.139<br>Mar 9 13:25:59 cip-Latitude-D520 charon: 06[ENC] generating IKE_SA_INIT<br>request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
Mar 9 13:25:59 cip-Latitude-D520 charon: 06[NET] sending packet: from<br>10.58.114.215[500] to 10.58.112.139[500]<br>Mar 9 13:26:03 cip-Latitude-D520 charon: 14[IKE] retransmit 1 of<br>request with message ID 0<br>Mar 9 13:26:03 cip-Latitude-D520 charon: 14[NET] sending packet: from<br>
10.58.114.215[500] to 10.58.112.139[500]<br>Mar 9 13:26:04 cip-Latitude-D520 charon: 10[CFG] received stroke: add<br>connection 'sample-with-ca-cert'<br>Also, please find below my ipsec.conf file:<br> ipsec.conf - strongSwan IPsec configuration file<br>
# basic configuration<br>config setup<br> charondebug=all<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=yes<br> # cachecrls=yes - only for ikev1<br> # nat_traversal=yes<br>
charonstart=yes<br> # plutostart=yes - only for ikev1<br># Add connections here.<br># Sample VPN connections<br>#conn sample-self-signed<br># left=10.58.112.170<br></div></div># leftsubnet=10.1.0.0/16
<div class="im"><br># leftcert=selfCert.der<br># leftsendcert=never<br># right=10.58.112.235<br></div># rightsubnet=10.2.0.0/16
<div class="im"><br># rightcert=peerCert.der<br># auto=start<br>conn sample-with-ca-cert<br> left=10.58.114.215<br></div> leftsubnet=10.58.114.0/24
<div class="im"><br> leftcert=myCert.pem<br> right=10.58.112.139<br></div> rightsubnet=10.58.112.0/24
<div class="im"><br> rightid="C=CH, O=Linux strongSwan CN=peer name"<br> keyexchange=ikev2<br> auto=start<br>include /var/lib/strongswan/ipsec.conf.inc<br>Can someone help me out?<br>Thanks,<br>Mira<br>
<br></div></blockquote>======================================================================<br><font color="#888888">Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></font></blockquote></div><br>
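<div>The charon lines quoted in this thread can be triaged mechanically. The script below is an added example written for this page; it is not strongSwan code and not from either correspondent. It parses syslog lines of the shape shown above, flags the entries that matter when an IKEv2 connection fails (the AUTH_FAILED notify, the "not confirmed by certificate" identity fallback, the failed include expansion, retransmits), and lints a leftid/rightid distinguished-name string for a missing separator, which is what the rightid in the quoted ipsec.conf ("C=CH, O=Linux strongSwan CN=peer name", no comma before CN=) triggers. The regular expressions, finding names and hint texts are this example's own assumptions; the sample log lines are copied from the two messages above.</div>

```python
import re
from typing import Dict, List, Optional

# Shape of a charon syslog line as quoted in this thread, e.g.
#   Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received AUTHENTICATION_FAILED notify error
# Groups: timestamp, host, worker thread number, log group (CFG/IKE/ENC/NET/...), message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)

# Messages worth surfacing when an IKEv2 negotiation fails. The hint texts are
# this example's own wording, not strongSwan documentation.
FINDINGS = [
    (re.compile(r"received AUTHENTICATION_FAILED notify error"), "auth_failed",
     "peer rejected our IKE_AUTH; the reason is only visible in the peer's log"),
    (re.compile(r"parsed IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]"), "auth_failed",
     "peer answered IKE_AUTH with AUTH_FAILED; check the peer's log"),
    (re.compile(r"id '(?P<id>[^']+)' not confirmed by certificate"), "id_mismatch",
     "configured identity is not in the certificate; charon falls back to the subject DN"),
    (re.compile(r"expanding file expression '(?P<path>[^']+)' failed"), "include_failed",
     "an included file could not be expanded; check that the path exists"),
    (re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)"), "retransmit",
     "no reply from peer; check reachability and the peer-side log"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one charon syslog line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return the findings (kind, log group, thread, hint, captured values) for a log excerpt."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, kind, hint in FINDINGS:
            m = pattern.search(rec["msg"])
            if m:
                findings.append({"kind": kind, "group": rec["group"],
                                 "thread": rec["thread"], "hint": hint, **m.groupdict()})
                break  # one finding per line
    return findings


RDN_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def lint_dn(dn: str) -> List[str]:
    """Check a leftid/rightid distinguished-name string for malformed RDNs.

    charon matches the peer certificate's subject against rightid, so a DN string
    with a missing comma never matches; the checks here are this example's heuristics.
    """
    problems = []
    for rdn in dn.split(","):
        m = RDN_RE.match(rdn)
        if not m:
            problems.append(f"RDN {rdn.strip()!r} is not of the form TYPE=value")
            continue
        attr_type, value = m.groups()
        if not value:
            problems.append(f"{attr_type} has an empty value")
        # 'O=Linux strongSwan CN=peer name' means a comma is missing before CN=
        if re.search(r"\s[A-Za-z]+=", value):
            problems.append(
                f"{attr_type}={value!r} contains another TYPE=, probably a missing comma")
    return problems


# Lines copied from the two messages in this thread (one host, two dates).
SAMPLE_LOG = [
    "Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswanKey.pem'",
    "Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed",
    "Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA sample-with-ca-cert",
    "Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
    "Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received AUTHENTICATION_FAILED notify error",
    "Mar 9 13:25:59 cip-Latitude-D520 charon: 06[CFG] id '10.58.114.215' not confirmed by certificate, defaulting to 'C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org'",
    "Mar 9 13:26:03 cip-Latitude-D520 charon: 14[IKE] retransmit 1 of request with message ID 0",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['group']}] {finding['kind']}: {finding['hint']}")
    for problem in lint_dn("C=CH, O=Linux strongSwan CN=peer name"):
        print("rightid:", problem)
```

<div>Run it against a longer excerpt by reading the charon lines from syslog into a list in place of SAMPLE_LOG. The point of the "auth_failed" hint is the same one Andreas makes above for the retransmits: an initiator that only sees N(AUTH_FAILED) learns nothing about why, so the responder's log is where the actual reason (certificate, identity or secret mismatch) appears.</div>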