Hi everybody, Hi Andreas.<div><br></div><div>In my last e-mail, my problem was a certificate generated with OpenSSL 1.0 and strongSwan 4.5.3.</div><div>I've downloaded the 4.6.2 version and did the installation. </div>
<div><br></div><div>Now I have another error (I think the certificates are OK now); I don't know if the error is in the configuration files (probably). </div><div><br></div><div><br></div><div>Here is my scenario:</div><div>
<br></div><div><div><font face="'courier new', monospace"><b>opensuse-vm</b>:~ # ipsec up net-net</font></div><div><font face="'courier new', monospace">initiating IKE_SA net-net[1] to 192.168.10.198</font></div>
<div><font face="'courier new', monospace">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</font></div><div><font face="'courier new', monospace">sending packet: from 192.168.10.197[500] to 192.168.10.198[500]</font></div>
<div><font face="'courier new', monospace">received packet: from 192.168.10.198[500] to 192.168.10.197[500]</font></div><div><font face="'courier new', monospace">parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</font></div>
<div><font face="'courier new', monospace">authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA signature successful</font></div><div><font face="'courier new', monospace">establishing CHILD_SA net-net</font></div>
<div><font face="'courier new', monospace">generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]</font></div><div><font face="'courier new', monospace">sending packet: from 192.168.10.197[500] to 192.168.10.198[500]</font></div>
<div><font face="'courier new', monospace">received packet: from 192.168.10.198[500] to 192.168.10.197[500]</font></div><div><font face="'courier new', monospace">parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]</font></div>
<div><font face="'courier new', monospace">received <span style="background-color:rgb(255,255,0)">AUTHENTICATION_FAILED notify error</span></font></div><div><font face="'courier new', monospace"><span style="background-color:rgb(255,255,0)"><br>
</span></font></div><div><font face="'courier new', monospace"><b>opensuse-vm</b>:~ # cat /etc/ipsec.conf</font></div><div><font face="'courier new', monospace"># ipsec.conf - strongSwan IPsec configuration file</font></div>
<div><span style="font-family:'courier new',monospace"># basic configuration</span></div><div><span style="font-family:'courier new',monospace">config setup</span></div><div><font face="'courier new', monospace"> # plutodebug=all</font></div>
<div><font face="'courier new', monospace"> crlcheckinterval=600</font></div><div><font face="'courier new', monospace"> strictcrlpolicy=yes</font></div><div><font face="'courier new', monospace"> # cachecrls=yes</font></div>
<div><font face="'courier new', monospace"> # nat_traversal=yes</font></div><div><font face="'courier new', monospace"> # charonstart=no</font></div><div><font face="'courier new', monospace"> plutostart=no</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">conn %default</font></div><div><font face="'courier new', monospace"> ikelifetime=60m</font></div>
<div><font face="'courier new', monospace"> keylife=20m</font></div><div><font face="'courier new', monospace"> rekeymargin=3m</font></div><div><font face="'courier new', monospace"> keyingtries=1</font></div>
<div><font face="'courier new', monospace"> keyexchange=ikev2</font></div><div><font face="'courier new', monospace"> mobike=no</font></div><div><font face="'courier new', monospace"><br>
</font></div><div><font face="'courier new', monospace">conn net-net</font></div><div><font face="'courier new', monospace"> left=192.168.10.197</font></div><div><font face="'courier new', monospace"> leftsubnet=<a href="http://192.168.9.0/24">192.168.9.0/24</a></font></div>
<div><font face="'courier new', monospace"> leftcert=197cert.pem</font></div><div><font face="'courier new', monospace"> leftid="C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197"</font></div>
<div><font face="'courier new', monospace"> leftfirewall=yes</font></div><div><font face="'courier new', monospace"> right=192.168.10.198</font></div><div><font face="'courier new', monospace"> rightsubnet=<a href="http://192.168.8.0/24">192.168.8.0/24</a></font></div>
<div><font face="'courier new', monospace"> rightid=@opensuse2-vm</font></div><div><font face="'courier new', monospace"> auto=add</font></div><div><font face="'courier new', monospace"><b>opensuse-vm</b>:~ # cat /etc/ipsec.secrets</font></div>
<div><font face="'courier new', monospace">#</font></div><div><font face="'courier new', monospace"># ipsec.secrets</font></div><div><font face="'courier new', monospace">#</font></div><div><font face="'courier new', monospace"># This file holds the RSA private keys or the PSK preshared secrets for</font></div>
<div><font face="'courier new', monospace"># the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.</font></div><div><font face="'courier new', monospace">#</font></div><div><font face="'courier new', monospace">: RSA 197key.pem "197chave"</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"><b>opensuse-vm</b>:~ # cat /etc/strongswan.conf</font></div><div><font face="'courier new', monospace"># strongswan.conf - strongSwan configuration file</font></div>
<div><span style="font-family:'courier new',monospace">charon {</span></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"> # number of worker threads in charon</font></div>
<div><font face="'courier new', monospace"> threads = 16</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"> # send strongswan vendor ID?</font></div>
<div><font face="'courier new', monospace"> # send_vendor_id = yes</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"> plugins {</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"> sql {</font></div><div><font face="'courier new', monospace"> # loglevel to log into sql database</font></div>
<div><font face="'courier new', monospace"> loglevel = -1</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"> # URI to the database</font></div>
<div><font face="'courier new', monospace"> # database = sqlite:///path/to/file.db</font></div><div><font face="'courier new', monospace"> # database = mysql://user:password@localhost/database</font></div>
<div><font face="'courier new', monospace"> }</font></div><div><font face="'courier new', monospace"> }</font></div><div><font face="'courier new', monospace"><br></font></div>
<div><font face="'courier new', monospace"> # ...</font></div><div><font face="'courier new', monospace">}</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">pluto {</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">}</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">libstrongswan {</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"> # set to no, the DH exponent size is optimized</font></div><div><font face="'courier new', monospace"> # dh_exponent_ansi_x9_42 = no</font></div>
<div><font face="'courier new', monospace">}</font></div><div><font face="'courier new', monospace"><b>opensuse-vm</b>:~ # tail -f /var/log/messages -n 35</font></div><div><font face="'courier new', monospace">Mar 7 09:50:10 opensuse-vm charon: 00[DMN] signal of type SIGINT received. Shutting down</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm ipsec_starter[5725]: Starting strongSwan 4.6.2 IPsec [starter]...</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2)</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[KNL] listening on interfaces:</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[KNL] eth0</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[KNL] 192.168.10.197</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[KNL] eth3</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[KNL] 192.168.9.1</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/197key.pem'</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 00[JOB] spawning 16 worker threads</font></div><div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 04[CFG] received stroke: add connection 'net-net'</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 04[CFG] loaded certificate "C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197" from '197cert.pem'</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:18 opensuse-vm charon: 04[CFG] added configuration 'net-net'</font></div><div><font face="'courier new', monospace">Mar 7 09:50:22 opensuse-vm charon: 13[CFG] received stroke: initiate 'net-net'</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1] to 192.168.10.198</font></div><div><font face="'courier new', monospace">Mar 7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1] to 192.168.10.198</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:22 opensuse-vm charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</font></div><div><font face="'courier new', monospace">Mar 7 09:50:22 opensuse-vm charon: 15[NET] sending packet: from 192.168.10.197[500] to 192.168.10.198[500]</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 16[NET] received packet: from 192.168.10.198[500] to 192.168.10.197[500]</font></div><div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 16[IKE] authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA signature successful</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net</font></div><div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]</font></div><div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 16[NET] sending packet: from 192.168.10.197[500] to 192.168.10.198[500]</font></div>
<div><font face="'courier new', monospace">Mar 7 09:50:23 opensuse-vm charon: 03[NET] received packet: from 192.168.10.198[500] to 192.168.10.197[500]</font></div><div><font face="'courier new', monospace" style="background-color:rgb(255,255,0)">Mar 7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]</font></div>
<div><font face="'courier new', monospace" style="background-color:rgb(255,255,0)">Mar 7 09:50:23 opensuse-vm charon: 03[IKE] received AUTHENTICATION_FAILED notify error</font></div></div><div><br></div><div><br>
</div><div><br></div><div><div>-- <br><font face="'courier new', monospace"><b>Jefferson Leandro</b></font><div><font face="'courier new', monospace"><b>Curitiba - BR</b></font><br><div><div><div><br></div>
</div></div></div><br>
</div></div>
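<div>Added example (Python, not from the original post or the strongSwan project): it parses the charon syslog lines quoted above, groups the [ENC] payload dumps by exchange and message id, and flags the IKE_AUTH response that consists only of N(AUTH_FAILED). That notify is sent by the responder after it rejects the initiator's AUTH payload or identity, so the initiator's own log (as in this post) can only show that the rejection happened; the responder's charon log holds the reason. The sample log is constructed from the lines in the post.</div>

```python
import re
from collections import OrderedDict

# Constructed sample input: the charon lines quoted in the post above, trimmed to one IKE_SA.
SAMPLE_LOG = """\
Mar 7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1] to 192.168.10.198
Mar 7 09:50:22 opensuse-vm charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 7 09:50:23 opensuse-vm charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 7 09:50:23 opensuse-vm charon: 16[IKE] authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA signature successful
Mar 7 09:50:23 opensuse-vm charon: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 7 09:50:23 opensuse-vm charon: 03[IKE] received AUTHENTICATION_FAILED notify error
"""

# syslog prefix followed by "NN[GROUP] message", as charon writes it through syslog
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ charon: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
# the [ENC] payload dumps: "generating IKE_AUTH request 1 [ IDi ... ]" / "parsed IKE_AUTH response 1 [ ... ]"
EXCH_RE = re.compile(r"^(generating|parsed) (?P<exch>\w+) (?P<kind>request|response) (?P<mid>\d+) \[ (?P<payloads>.*) \]$")

def parse_charon_log(text):
    """Group [ENC] payload dumps by (exchange, message id); collect 'received ... notify error' lines."""
    exchanges, notifies = OrderedDict(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (ipsec_starter, other daemons, ...)
        msg = m.group("msg")
        e = EXCH_RE.match(msg)
        if e:
            key = (e.group("exch"), int(e.group("mid")))
            exchanges.setdefault(key, {"request": [], "response": []})
            exchanges[key][e.group("kind")] = e.group("payloads").split()
        elif msg.startswith("received ") and msg.endswith(" notify error"):
            notifies.append(msg[len("received "):-len(" notify error")])
    return exchanges, notifies

def diagnose(text):
    """Return (exchange_key, verdict). An IKE_AUTH response carrying only N(AUTH_FAILED) means the
    responder rejected this side's AUTH payload or identity; the reason is only in the responder's log."""
    exchanges, notifies = parse_charon_log(text)
    for key, ex in exchanges.items():
        if ex["response"] == ["N(AUTH_FAILED)"]:
            if "AUTH" in ex["request"]:
                return key, "responder rejected our AUTH/identity: check the responder's charon log"
            return key, "AUTH_FAILED received in an exchange where we sent no AUTH payload"
    if notifies:
        return None, "notify error(s): " + ", ".join(notifies)
    return None, "no authentication failure seen"
```

Run it against a full /var/log/messages capture of both peers to see on which side the rejection is logged with a reason.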