<html><body>
<p><font size="2" face="sans-serif">Hello,</font><br>
<br>
<font size="2" face="sans-serif">I'm trying to set up IPSec with strongswan 4.5.1 between a Blade Server and a KVM on my laptop, both with RHEL6. I'm running into a problem where I see "no matching peer config found" in the charon.log. I've seen the previous posts on this error, but I don't see what I'm doing wrong. (I should point out that I'm both a Linux and IPSec newbie.)</font><br>
<br>
<font size="2" face="sans-serif">I'd like to set it up with IKEv2 and RSA authentication. I have Node A and Node B. Node A will be the gateway. Node A's certificate has a DN of "CN=Node A, ST=Minnesota, C=US" and an altSubjectName of "Node A", while Node B has a DN of "CN=Node B, ST=Minnesota, C=US" with an altSubjectName of "Node B".</font><br>
<br>
<font size="2" face="sans-serif">ipsec.conf for Node A</font><br>
<font size="2" face="sans-serif">------------------------------------------------------------------------------------------</font><br>
<font size="2" face="sans-serif"># /etc/ipsec.conf - strongSwan IPsec configuration file</font><br>
<br>
<font size="2" face="sans-serif">config setup</font><br>
<font size="2" face="sans-serif"> strictcrlpolicy=no</font><br>
<font size="2" face="sans-serif"> plutostart=no</font><br>
<font size="2" face="sans-serif"> charonstart=yes</font><br>
<font size="2" face="sans-serif"> charondebug="lib 3,cfg 3, net 3, ike 3, enc 3, chd 3, mgr 3, dmn 3"</font><br>
<font size="2" face="sans-serif"> </font><br>
<font size="2" face="sans-serif">conn %default</font><br>
<font size="2" face="sans-serif"> ikelifetime=60m</font><br>
<font size="2" face="sans-serif"> keylife=20m</font><br>
<font size="2" face="sans-serif"> rekeymargin=3m</font><br>
<font size="2" face="sans-serif"> keyingtries=1</font><br>
<font size="2" face="sans-serif"> leftauth=pubkey</font><br>
<br>
<font size="2" face="sans-serif">conn gateway</font><br>
<font size="2" face="sans-serif"> right=%any</font><br>
<font size="2" face="sans-serif"> rightid="Node B"   # Also tried %any</font><br>
<font size="2" face="sans-serif"> auto=add</font><br>
<font size="2" face="sans-serif"> left=9.5.46.51</font><br>
<font size="2" face="sans-serif"> leftfirewall=no</font><br>
<font size="2" face="sans-serif"> leftcert=nodeACert.pem</font><br>
<font size="2" face="sans-serif"> keyexchange=ikev2</font><br>
<br>
<br>
<font size="2" face="sans-serif">ipsec.conf for Node B</font><br>
<font size="2" face="sans-serif">---------------------------------------------------</font><br>
<font size="2" face="sans-serif"># ipsec.conf - strongSwan IPsec configuration file</font><br>
<br>
<font size="2" face="sans-serif"># basic configuration</font><br>
<br>
<font size="2" face="sans-serif">config setup</font><br>
<font size="2" face="sans-serif"> strictcrlpolicy=no</font><br>
<font size="2" face="sans-serif"> charonstart=yes</font><br>
<font size="2" face="sans-serif"> plutostart=no</font><br>
<font size="2" face="sans-serif"> charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3"</font><br>
<br>
<br>
<font size="2" face="sans-serif"># Add connections here.</font><br>
<br>
<font size="2" face="sans-serif">conn %default</font><br>
<font size="2" face="sans-serif"> ikelifetime=60m</font><br>
<font size="2" face="sans-serif"> keylife=20m</font><br>
<font size="2" face="sans-serif"> rekeymargin=3m</font><br>
<font size="2" face="sans-serif"> keyingtries=1</font><br>
<br>
<font size="2" face="sans-serif">conn home</font><br>
<font size="2" face="sans-serif"> right=9.5.46.51</font><br>
<font size="2" face="sans-serif"> rightid="CN=Node B, ST=Minnesota, C=US"</font><br>
<font size="2" face="sans-serif"> keyexchange=ikev2</font><br>
<font size="2" face="sans-serif"> left=%defaultroute</font><br>
<font size="2" face="sans-serif"> leftid="Node B"</font><br>
<font size="2" face="sans-serif"> leftcert=nodeBCert.pem</font><br>
<font size="2" face="sans-serif"> leftfirewall=yes</font><br>
<font size="2" face="sans-serif"> auto=start</font><br>
<br>
<br>
<font size="2" face="sans-serif">When I run ipsec statusall on the Node B, I get this:</font><br>
<font size="2" face="sans-serif">-------------------------------------------</font><br>
<font size="2" face="sans-serif">Status of IKEv2 charon daemon (strongSwan 4.5.1):</font><br>
<font size="2" face="sans-serif"> uptime: 49 minutes, since Apr 02 23:00:10 2011</font><br>
<font size="2" face="sans-serif"> malloc: sbrk 262144, mmap 0, used 111488, free 150656</font><br>
<font size="2" face="sans-serif"> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1</font><br>
<font size="2" face="sans-serif"> loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown </font><br>
<font size="2" face="sans-serif">Listening IP addresses:</font><br>
<font size="2" face="sans-serif"> 192.168.122.203</font><br>
<font size="2" face="sans-serif">Connections:</font><br>
<font size="2" face="sans-serif"> home: 192.168.122.203...9.5.46.51</font><br>
<font size="2" face="sans-serif"> home: local: [Node B] uses public key authentication</font><br>
<font size="2" face="sans-serif"> home: cert: "CN=Node B, ST=Minnesota, C=US"</font><br>
<font size="2" face="sans-serif"> home: remote: [CN=Node B, ST=Minnesota, C=US] uses any authentication</font><br>
<font size="2" face="sans-serif"> home: child: dynamic === dynamic </font><br>
<font size="2" face="sans-serif">Security Associations:</font><br>
<font size="2" face="sans-serif"> none</font><br>
<br>
<font size="2" face="sans-serif">And when I run ipsec up home I get this:</font><br>
<font size="2" face="sans-serif">------------------------------------------------------------------</font><br>
<font size="2" face="sans-serif">initiating IKE_SA home[3] to 9.5.46.51</font><br>
<font size="2" face="sans-serif">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</font><br>
<font size="2" face="sans-serif">sending packet: from 192.168.122.203[500] to 9.5.46.51[500]</font><br>
<font size="2" face="sans-serif">received packet: from 9.5.46.51[500] to 192.168.122.203[500]</font><br>
<font size="2" face="sans-serif">parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</font><br>
<font size="2" face="sans-serif">local host is behind NAT, sending keep alives</font><br>
<font size="2" face="sans-serif">received cert request for "CN=TKH CA, ST=Minnesota, C=US"</font><br>
<font size="2" face="sans-serif">sending cert request for "CN=TKH CA, ST=Minnesota, C=US"</font><br>
<font size="2" face="sans-serif">authentication of 'Node B' (myself) with RSA signature successful</font><br>
<font size="2" face="sans-serif">sending end entity cert "CN=Node B, ST=Minnesota, C=US"</font><br>
<font size="2" face="sans-serif">establishing CHILD_SA home</font><br>
<font size="2" face="sans-serif">generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</font><br>
<font size="2" face="sans-serif">sending packet: from 192.168.122.203[4500] to 9.5.46.51[4500]</font><br>
<font size="2" face="sans-serif">received packet: from 9.5.46.51[4500] to 192.168.122.203[4500]</font><br>
<font size="2" face="sans-serif">parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]</font><br>
<font size="2" face="sans-serif">received AUTHENTICATION_FAILED notify error</font><br>
<br>
<br>
<br>
<font size="2" face="sans-serif">On Node A, ipsec statusall shows:</font><br>
<font size="2" face="sans-serif">---------------------------------------------</font><br>
<font size="2" face="sans-serif">Status of IKEv2 charon daemon (strongSwan 4.5.1):</font><br>
<font size="2" face="sans-serif"> uptime: 49 minutes, since Apr 02 19:06:04 2011</font><br>
<font size="2" face="sans-serif"> malloc: sbrk 135168, mmap 0, used 103680, free 31488</font><br>
<font size="2" face="sans-serif"> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0</font><br>
<font size="2" face="sans-serif"> loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown </font><br>
<font size="2" face="sans-serif">Listening IP addresses:</font><br>
<font size="2" face="sans-serif"> 192.168.122.1</font><br>
<font size="2" face="sans-serif"> 9.5.46.51</font><br>
<font size="2" face="sans-serif"> 9.5.48.51</font><br>
<font size="2" face="sans-serif">Connections:</font><br>
<font size="2" face="sans-serif"> gateway: 9.5.46.51...%any</font><br>
<font size="2" face="sans-serif"> gateway: local: [CN=Node A, ST=Minnesota, C=US] uses public key authentication</font><br>
<font size="2" face="sans-serif"> gateway: cert: "CN=Node A, ST=Minnesota, C=US"</font><br>
<font size="2" face="sans-serif"> gateway: remote: [Node B] uses any authentication</font><br>
<font size="2" face="sans-serif"> gateway: child: dynamic === dynamic </font><br>
<font size="2" face="sans-serif">Security Associations:</font><br>
<font size="2" face="sans-serif"> none</font><br>
<br>
<br>
<font size="2" face="sans-serif">The charon.log snippet shows:</font><br>
<font size="2" face="sans-serif">--------------------------------------------------</font><br>
<font size="2" face="sans-serif">Apr 2 19:06:13 10[IKE] received end entity cert "CN=Node B, ST=Minnesota, C=US"</font><br>
<font size="2" face="sans-serif">Apr 2 19:06:13 10[CFG] looking for peer configs matching 9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]</font><br>
<font size="2" face="sans-serif">Apr 2 19:06:13 10[CFG] no matching peer config found</font><br>
<font size="2" face="sans-serif">Apr 2 19:06:13 10[IKE] peer supports MOBIKE</font><br>
<font size="2" face="sans-serif">Apr 2 19:06:13 10[ENC] added payload of type NOTIFY to message</font><br>
<font size="2" face="sans-serif">Apr 2 19:06:13 10[ENC] added payload of type NOTIFY to message</font><br>
<font size="2" face="sans-serif">Apr 2 19:06:13 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</font><br>
<br>
<br>
<br>
<font size="2" face="sans-serif">What did I do wrong? Thanks.</font><br>
<br>
<font size="2" face="sans-serif"><br>
Terry Hennessy<br>
<br>
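<p><font size="2" face="sans-serif">The lookup that the charon.log line above reports ("looking for peer configs matching 9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]") is what decides whether a responder answers with AUTH_FAILED. The following is an added example, not part of the original post and not strongSwan's own code: a simplified Python model of how an IKEv2 responder picks a peer config by matching the local address, the IDr the initiator asked for, the remote address and the initiator's IDi against left/leftid/right/rightid. The conn name, addresses and identities come from the posted Node A config, the statusall output and the log; the leftid value is the certificate DN that statusall shows charon using because the posted ipsec.conf sets none. The IDr used in corrected_lookup is an assumption about what Node B would send if its rightid named Node A's identity, and the DN comparison is a string simplification of strongSwan's RDN-by-RDN matching.</font></p>

```python
"""Simplified model of IKEv2 responder peer-config selection (added example).

Mirrors the shape of the charon.log line
    looking for peer configs matching <me>[<my_id>]...<other>[<other_id>]
where <my_id> is the IDr the initiator asked for and <other_id> is its IDi.
"""

ANY = "%any"


def norm_id(identity: str) -> str:
    """Normalise an identity for comparison.

    Whitespace around commas is collapsed and case is ignored, so
    'CN=Node A,ST=Minnesota,C=US' equals 'cn=node a, st=minnesota, c=us'.
    strongSwan compares DNs RDN by RDN; this string form is a simplification.
    """
    return ", ".join(p.strip() for p in identity.split(",")).lower()


def id_matches(configured: str, received: str) -> bool:
    """A configured identity matches if it is %any or equal after normalising."""
    return configured == ANY or norm_id(configured) == norm_id(received)


def addr_matches(configured: str, received: str) -> bool:
    """%any and %defaultroute accept any address; otherwise the address must be exact."""
    return configured in (ANY, "%defaultroute") or configured == received


# Node A's peer config as charon sees it. The posted ipsec.conf sets no leftid,
# so it defaults to the subject DN of leftcert, exactly as 'ipsec statusall' on
# Node A reports: "local: [CN=Node A, ST=Minnesota, C=US]".
NODE_A_CONFIGS = [
    {
        "name": "gateway",
        "left": "9.5.46.51",
        "leftid": "CN=Node A, ST=Minnesota, C=US",
        "right": ANY,
        "rightid": "Node B",
    },
]


def find_peer_config(configs, me, my_id, other, other_id):
    """Return the name of the first config whose addresses and IDs all match, else None."""
    for cfg in configs:
        if (addr_matches(cfg["left"], me)
                and id_matches(cfg["leftid"], my_id)
                and addr_matches(cfg["right"], other)
                and id_matches(cfg["rightid"], other_id)):
            return cfg["name"]
    return None


def explain(configs, me, my_id, other, other_id):
    """Return one human-readable line per failed check, for each config."""
    reasons = []
    for cfg in configs:
        checks = [
            ("left", addr_matches(cfg["left"], me), f"local address {me}"),
            ("leftid", id_matches(cfg["leftid"], my_id), f"requested local ID [{my_id}]"),
            ("right", addr_matches(cfg["right"], other), f"remote address {other}"),
            ("rightid", id_matches(cfg["rightid"], other_id), f"remote ID [{other_id}]"),
        ]
        for key, ok, what in checks:
            if not ok:
                reasons.append(f"{cfg['name']}: {key}={cfg[key]!r} does not match {what}")
    return reasons


# Values exactly as the posted charon.log line reports them.
LOGGED_ME, LOGGED_OTHER = "9.5.46.51", "9.10.109.23"
LOGGED_IDR = "CN=Node B, ST=Minnesota, C=US"   # IDr: Node B's rightid, i.e. its own DN
LOGGED_IDI = "Node B"                           # IDi: Node B's leftid


def posted_lookup():
    """The lookup charon performed for the posted configs: no config matches."""
    return find_peer_config(NODE_A_CONFIGS, LOGGED_ME, LOGGED_IDR, LOGGED_OTHER, LOGGED_IDI)


def corrected_lookup():
    """Same lookup with a constructed IDr naming Node A's identity (assumption)."""
    return find_peer_config(NODE_A_CONFIGS, LOGGED_ME,
                            "CN=Node A, ST=Minnesota, C=US", LOGGED_OTHER, LOGGED_IDI)


if __name__ == "__main__":
    print("posted lookup ->", posted_lookup())
    for line in explain(NODE_A_CONFIGS, LOGGED_ME, LOGGED_IDR, LOGGED_OTHER, LOGGED_IDI):
        print("  ", line)
    print("IDr = Node A's DN ->", corrected_lookup())
```

<p><font size="2" face="sans-serif">Running the script prints None for the posted lookup together with a single failed check, the leftid one: Node A's only config carries its own DN as local identity, while the IDr it received is Node B's DN, so charon has nothing to answer with except AUTH_FAILED. With an IDr equal to Node A's identity the same config is selected. When reading a "no matching peer config found" line, compare each of the four bracketed values in the "looking for peer configs matching" line against left/leftid/right/rightid of the conns that statusall lists, in that order.</font></p>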
</font></body></html>