<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>This is our configuration –<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>SEG <IPSEC TUNNEL> ENodeB<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The eNodeB is the initiator.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>The eNodeB must know in advance the attributes that it will receive in the certificate of the SEG in the name of the SEG.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I have been able to get the authentication working only by specifying rightid="O=*, CN=*" (attributes in the certificate of the SEG) on the eNodeB<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>If we set the rightid as "C=*, O=*, OU=*, CN=*"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>initiating IKE_SA 30[3] to 172.21.11.181<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending packet: from 172.21.11.21[500] to 172.21.11.181[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received packet: from 172.21.11.181[500] to 172.21.11.21[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received cert request for "O=Alcatel, CN=CMS"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending cert request for "O=Alcatel, CN=CMS"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>authentication of 'O=Alcatel, CN=123456.CMS1' (myself) with RSA signature successful<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending end entity cert "O=Alcatel, CN=123456.CMS1"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending issuer cert "O=Alcatel, CN=CMS1"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>establishing CHILD_SA 30<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending packet: from 172.21.11.21[500] to 172.21.11.181[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received packet: from 172.21.11.181[500] to 172.21.11.21[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received end entity cert "O=Alcatel, <a href="mailto:CN=654321@alcatel-lucent.com">CN=654321@alcatel-lucent.com</a>"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> using certificate "O=Alcatel, <a href="mailto:CN=654321@alcatel-lucent.com">CN=654321@alcatel-lucent.com</a>"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> using trusted ca certificate "O=Alcatel, CN=CMS"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>checking certificate status of "O=Alcatel, <a href="mailto:CN=654321@alcatel-lucent.com">CN=654321@alcatel-lucent.com</a>"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certificate status is not available<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> reached self-signed root ca with a path length of 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>authentication of 'O=Alcatel, <a href="mailto:CN=654321@alcatel-lucent.com">CN=654321@alcatel-lucent.com</a>' with RSA signature successful<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>constraint check failed: identity 'C=*, O=*, OU=*, CN=*' required <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>selected peer config '30' inacceptable<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>no alternative config found<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Without specifying the righid, I get authentication failure<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>initiating IKE_SA 30[8] to 172.21.11.181<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending packet: from 172.21.11.21[500] to 172.21.11.181[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received packet: from 172.21.11.181[500] to 172.21.11.21[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received cert request for "O=Alcatel, CN=CMS"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending cert request for "O=Alcatel, CN=CMS"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>authentication of 'O=Alcatel, CN=123456.CMS1' (myself) with RSA signature successful<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending end entity cert "O=Alcatel, CN=123456.CMS1"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending issuer cert "O=Alcatel, CN=CMS1"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>establishing CHILD_SA 30<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>sending packet: from 172.21.11.21[500] to 172.21.11.181[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received packet: from 172.21.11.181[500] to 172.21.11.21[500]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>received AUTHENTICATION_FAILED notify error</span><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>I would like to understand the purpose of leftid and rightid. Why do we need to specify them?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Lakshmi<o:p></o:p></span></p></div></body></html>