<div><font face="'courier new', monospace">Andreas, Greetings!</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">Yes, the log from the remote host has a message "no trusted RSA public key found"</font></div>
<div><font face="'courier new', monospace">but how can I load the CA cert?</font></div><div><font face="'courier new', monospace">I copied the certificate generated at the remote host to the local directory /etc/ipsec.d/cacerts, but what do I have to put in ipsec.conf?</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">On the machine opensuse-vm I referenced the certificate for the remote host, but it doesn't work.</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"><div>ipsec.conf section:</div><div>ca opensuse2-vm</div><div> cacert=198cert.pem</div><div> auto=add</div>
<div><br></div><div><div>list of files:</div><div>opensuse-vm:/etc/ipsec.d # ls -R</div></div><div><br></div><div>./aacerts:</div><div><div><br></div><div>./acerts:</div><div><br></div><div>./cacerts:</div><div>198cert.pem</div>
<div><br></div><div>./certs:</div><div>197cert.pem 198cert.pem</div><div><br></div><div>./crls:</div><div><br></div><div>./ocspcerts:</div><div><br></div><div>./private:</div><div>197key.pem 198key.pem</div><div><br></div>
<div>./reqs:</div><div>197req.pem 198req.pem</div></div></font></div><div><br></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">Sorry, it's maybe basic configuration ...</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">Thank you.</font></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><br>
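Added example (editor's, not from the thread or the strongSwan project): a small POSIX shell script that builds a throwaway CA plus a peer certificate with openssl, lays them out like /etc/ipsec.d, and checks whether the peer certificate chains to a trust anchor in cacerts/, the condition behind the "no trusted RSA public key found" message. The CA name, subjects and file names are constructed for the demo.

```shell
# Added example, not from the thread: build a throwaway CA and a peer cert,
# lay them out like /etc/ipsec.d, and check whether the peer cert chains to a
# trust anchor in cacerts/ (the condition behind "no trusted RSA public key").
# All names and paths below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/cacerts" "$WORK/certs" "$WORK/private"

# 1. A self-signed CA: the trust anchor that belongs in cacerts/.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/C=BR/O=OC/CN=Demo CA" \
  -keyout "$WORK/private/cakey.pem" -out "$WORK/cacerts/cacert.pem" >/dev/null 2>&1

# 2. A peer certificate issued by that CA, standing in for 198cert.pem.
openssl req -new -newkey rsa:2048 -nodes -subj "/C=BR/O=OC/CN=opensuse2-vm" \
  -keyout "$WORK/private/198key.pem" -out "$WORK/198req.pem" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/198req.pem" -CA "$WORK/cacerts/cacert.pem" \
  -CAkey "$WORK/private/cakey.pem" -CAcreateserial \
  -out "$WORK/certs/198cert.pem" >/dev/null 2>&1

# is_ca_cert FILE: succeeds only if FILE carries basicConstraints CA:TRUE,
# i.e. it is a CA certificate rather than an end-entity (host) certificate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# chains_to_anchor CACERTS_DIR PEER_CERT: succeeds if PEER_CERT verifies
# against some certificate in CACERTS_DIR, the way charon needs a CA in
# /etc/ipsec.d/cacerts to vouch for the peer's RSA key.
chains_to_anchor() {
  for ca in "$1"/*.pem; do
    openssl verify -CAfile "$ca" "$2" >/dev/null 2>&1 && return 0
  done
  return 1
}

# report CACERTS_DIR PEER_CERT: one-line verdict for a given layout.
report() {
  if chains_to_anchor "$1" "$2"; then
    echo "ok: $(basename "$2") chains to a trust anchor in $1"
  else
    echo "FAIL: nothing in $1 is a CA that issued $(basename "$2")"
  fi
}

report "$WORK/cacerts" "$WORK/certs/198cert.pem"   # CA cert in cacerts/: ok
report "$WORK/certs"   "$WORK/certs/198cert.pem"   # only the peer's own cert: FAIL
```

The second report reproduces the layout where a host certificate is copied into cacerts/ instead of the certificate of the CA that issued it: nothing there is a self-signed trust anchor, so verification fails.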
<div class="gmail_quote">On 7 March 2012 at 13:10, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<div class="im"><br>
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
received AUTHENTICATION_FAILED notify error<br>
<br>
</div>means that the authentication error occurred on the remote end.<br>
Do you have the log from the other endpoint? I see that you don't<br>
load any CA certificate on your end. If this is also the case<br>
on the remote end then it is clear that the authentication must<br>
fail since no trust anchor is present.<br>
<br>
Regards<br>
<br>
Andreas<br>
<div class="im"><br>
On 07.03.2012 14:14, Leandro . wrote:<br>
> Hi everybody, Hi Andreas.<br>
><br>
> In my last e-mail, my problem was a certificate generated with OpenSSL<br>
> 1.0 and strongSwan 4.5.3.<br>
> I've downloaded the 4.6.2 version and did the installation.<br>
><br>
> Now I have another error (I think the certificates are OK now); I don't<br>
> know if the error is in the configuration files (probably).<br>
><br>
><br>
> Here is my scenario:<br>
><br>
</div>> *opensuse-vm*:~ # ipsec up net-net<br>
<div class="im">> initiating IKE_SA net-net[1] to 192.168.10.198<br>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> sending packet: from 192.168.10.197[500] to 192.168.10.198[500]<br>
> received packet: from 192.168.10.198[500] to 192.168.10.197[500]<br>
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)<br>
> N(MULT_AUTH) ]<br>
> authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm,<br>
> E=197' (myself) with RSA signature successful<br>
> establishing CHILD_SA net-net<br>
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr<br>
> N(MULT_AUTH) N(EAP_ONLY) ]<br>
> sending packet: from 192.168.10.197[500] to 192.168.10.198[500]<br>
> received packet: from 192.168.10.198[500] to 192.168.10.197[500]<br>
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
> received AUTHENTICATION_FAILED notify error<br>
><br>
</div>> *opensuse-vm*:~ # cat /etc/ipsec.conf<br>
<div class="im">> # ipsec.conf - strongSwan IPsec configuration file<br>
> # basic configuration<br>
> config setup<br>
> # plutodebug=all<br>
> crlcheckinterval=600<br>
> strictcrlpolicy=yes<br>
> # cachecrls=yes<br>
> # nat_traversal=yes<br>
> # charonstart=no<br>
> plutostart=no<br>
><br>
> conn %default<br>
> ikelifetime=60m<br>
> keylife=20m<br>
> rekeymargin=3m<br>
> keyingtries=1<br>
> keyexchange=ikev2<br>
> mobike=no<br>
><br>
> conn net-net<br>
> left=192.168.10.197<br>
</div>> leftsubnet=192.168.9.0/24<br>
<div class="im">> leftcert=197cert.pem<br>
> leftid="C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197"<br>
> leftfirewall=yes<br>
> right=192.168.10.198<br>
</div>> rightsubnet=192.168.8.0/24<br>
> rightid=@opensuse2-vm<br>
> auto=add<br>
> *opensuse-vm*:~ # cat /etc/ipsec.secrets<br>
<div class="im">> #<br>
> # ipsec.secrets<br>
> #<br>
> # This file holds the RSA private keys or the PSK preshared secrets for<br>
> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.<br>
> #<br>
> : RSA 197key.pem "197chave"<br>
><br>
</div>> *opensuse-vm*:~ # cat /etc/strongswan.conf<br>
<div class="im">> # strongswan.conf - strongSwan configuration file<br>
> charon {<br>
><br>
> # number of worker threads in charon<br>
> threads = 16<br>
><br>
> # send strongswan vendor ID?<br>
> # send_vendor_id = yes<br>
><br>
> plugins {<br>
><br>
> sql {<br>
> # loglevel to log into sql database<br>
> loglevel = -1<br>
><br>
> # URI to the database<br>
> # database = sqlite:///path/to/file.db<br>
> # database =<br>
> mysql://user:password@localhost/database<br>
> }<br>
> }<br>
><br>
> # ...<br>
> }<br>
><br>
> pluto {<br>
><br>
> }<br>
><br>
> libstrongswan {<br>
><br>
> # set to no, the DH exponent size is optimized<br>
> # dh_exponent_ansi_x9_42 = no<br>
> }<br>
</div>> *opensuse-vm*:~ # tail -f /var/log/messages -n 35<br>
<div><div class="h5">> Mar 7 09:50:10 opensuse-vm charon: 00[DMN] signal of type SIGINT<br>
> received. Shutting down<br>
> Mar 7 09:50:18 opensuse-vm ipsec_starter[5725]: Starting strongSwan<br>
> 4.6.2 IPsec [starter]...<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[DMN] Starting IKEv2 charon daemon<br>
> (strongSwan 4.6.2)<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[KNL] listening on interfaces:<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[KNL] eth0<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[KNL] 192.168.10.197<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[KNL] eth3<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[KNL] 192.168.9.1<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading ca certificates from<br>
> '/etc/ipsec.d/cacerts'<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading aa certificates from<br>
> '/etc/ipsec.d/aacerts'<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading ocsp signer<br>
> certificates from '/etc/ipsec.d/ocspcerts'<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading attribute<br>
> certificates from '/etc/ipsec.d/acerts'<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading crls from<br>
> '/etc/ipsec.d/crls'<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading secrets from<br>
> '/etc/ipsec.secrets'<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loaded RSA private key<br>
> from '/etc/ipsec.d/private/197key.pem'<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[DMN] loaded plugins: aes des sha1<br>
> sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem<br>
> fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown<br>
> Mar 7 09:50:18 opensuse-vm charon: 00[JOB] spawning 16 worker threads<br>
> Mar 7 09:50:18 opensuse-vm charon: 04[CFG] received stroke: add<br>
> connection 'net-net'<br>
> Mar 7 09:50:18 opensuse-vm charon: 04[CFG] loaded certificate "C=BR,<br>
> ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197" from '197cert.pem'<br>
> Mar 7 09:50:18 opensuse-vm charon: 04[CFG] added configuration 'net-net'<br>
> Mar 7 09:50:22 opensuse-vm charon: 13[CFG] received stroke: initiate<br>
> 'net-net'<br>
> Mar 7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1]<br>
> to 192.168.10.198<br>
> Mar 7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1]<br>
> to 192.168.10.198<br>
> Mar 7 09:50:22 opensuse-vm charon: 15[ENC] generating IKE_SA_INIT<br>
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> Mar 7 09:50:22 opensuse-vm charon: 15[NET] sending packet: from<br>
> 192.168.10.197[500] to 192.168.10.198[500]<br>
> Mar 7 09:50:23 opensuse-vm charon: 16[NET] received packet: from<br>
> 192.168.10.198[500] to 192.168.10.197[500]<br>
> Mar 7 09:50:23 opensuse-vm charon: 16[ENC] parsed IKE_SA_INIT response<br>
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
> Mar 7 09:50:23 opensuse-vm charon: 16[IKE] authentication of 'C=BR,<br>
> ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA<br>
> signature successful<br>
> Mar 7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net<br>
> Mar 7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net<br>
> Mar 7 09:50:23 opensuse-vm charon: 16[ENC] generating IKE_AUTH request<br>
> 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
> Mar 7 09:50:23 opensuse-vm charon: 16[NET] sending packet: from<br>
> 192.168.10.197[500] to 192.168.10.198[500]<br>
> Mar 7 09:50:23 opensuse-vm charon: 03[NET] received packet: from<br>
> 192.168.10.198[500] to 192.168.10.197[500]<br>
> Mar 7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [<br>
> N(AUTH_FAILED) ]<br>
> Mar 7 09:50:23 opensuse-vm charon: 03[IKE] received<br>
> AUTHENTICATION_FAILED notify error<br>
><br>
> --<br>
</div></div>> *Jefferson Leandro*<br>
> *Curitiba - BR*<br>
<br>
======================================================================<br>
<span class="HOEnZb"><font color="#888888">Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><font face="'courier new', monospace"><b>Jefferson Leandro</b></font><div><font face="'courier new', monospace"><b>Curitiba - BR</b></font><br>
<div><div><div><br></div></div></div></div><br>