Hi Andreas,<br><br>Thanks for the response, and this works.<br><br>Also, how can we assign the identity info from the cert files to leftid/rightid instead of defining them explicitly?<br><br>Example: I am looking for something like leftid=%fromcert<br>
<br>leftid=%fromcert and leftid=%leftcert --> I tried both of these options on the responder side instead of leftid=<a href="http://cla.atca.nsn.com/" target="_blank">cla.atca.nsn.com</a>, but it doesn't work.<br><br>
Could you please comment on what the wildcard entries should be on both sides to achieve this assignment using certs?<br><br>Thanks,<br>Reshma<br><br><br><br><div class="gmail_quote">On Mon, Apr 2, 2012 at 12:30 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Reshma,<br>
<br>
if you want to use FQDNs as IDs then you must set rightid and<br>
leftid accordingly:<br>
<br>
On the initiator <a href="http://10.0.0.2" target="_blank">10.0.0.2</a>:<br>
<br>
  left=10.0.0.2<br>
  leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"<br>
  leftid=<a href="http://ib.atca.nsn.com" target="_blank">ib.atca.nsn.com</a><br>
  right=10.0.0.1<br>
  rightid=<a href="http://cla.atca.nsn.com" target="_blank">cla.atca.nsn.com</a><br>
<br>
On the responder <a href="http://10.0.0.1" target="_blank">10.0.0.1</a>:<br>
<br>
  left=10.0.0.1<br>
  leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"<br>
  leftid=<a href="http://cla.atca.nsn.com" target="_blank">cla.atca.nsn.com</a><br>
  right=%any<br>
<br>
Regards<br>
<br>
Andreas<div class="im"><br>
<br>
On 04/02/2012 08:07 AM, Reshma Begam wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">
Hi,<br>
<br>
I am trying to establish ikev2 connection between peers<br>
10.0.0.2(initiator)<===========>10.0.0.1(responder).<br>
<br>
Generated and distributed (FQDN as identity) based certificates on both<br>
sides. Identity comes as subjectAltName in the certificates.<br>
<br>
I made rightid as %any on responder side to handle any identity of<br>
initiator.<br>
<br>
Then I tried a ping from the initiator, and on the responder side I get the error below.<br>
<br>
Could you please let me know  what should be the leftid/rightid and<br>
left/right values on both ends for a successful connection.<br>
<br>
<br></div>
Error Logs on responder:<br>
=====================<div class="im"><br>
Apr  1 16:00:00.384479 info CLA-0 charon: 03[IKE] received end entity<br>
cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,<br></div>
CN=ATCA_ib, E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<div class="im">
<br>
Apr  1 16:00:00.384892 info CLA-0 charon: 03[CFG] looking for peer<br>
configs matching 10.0.0.1[10.0.0.1]...10.0.0.2[C=de, ST=Bayern,<br>
L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_ib,<br></div>
E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>]<div class="im"><br>
Apr  1 16:00:00.385188 info CLA-0 charon: 03[CFG] no matching peer<br>
config found<br>
<br>
<br>
Following are the certificates and ipsec.conf file on<br>
10.0.0.2(Initiator):<br></div>
=======================================================<div class="im"><br>
# cat /etc/ipsec.conf<br>
# ipsec.conf<br>
# FlexiPlatform: IPsec configuration file<br>
<br>
config setup<br>
     charonstart=yes<br>
     plutostart=no<br>
     charondebug="knl 0,enc 0,net 0"<br>
conn %default<br>
     auto=route<br>
     keyexchange=ikev2<br>
ca r1~v1<br>
     cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"<br>
conn r1~v1<br>
     rekeymargin=200<br>
     rekeyfuzz=100%<br>
     left=10.0.0.2<br>
     right=10.0.0.1<br></div>
     leftsubnet=10.0.0.0/24<br>
     rightsubnet=10.0.0.0/24<div class="im"><br>
     leftprotoport=1<br>
     rightprotoport=1<br>
     authby=rsasig<br>
     leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"<br>
     leftid=10.0.0.2<br>
     rightid=10.0.0.1<br>
     ike=3des-md5-modp1536!<br>
     esp=3des-md5<br>
     type=tunnel<br>
     ikelifetime=3000s<br>
     keylife=2000s<br>
     mobike=no<br>
     auto=route<br>
     encapdscp=yes<br>
Certificates:<br></div>
# /usr/local/6bin/ipsec stroke listall<div class="im"><br>
<br>
List of X.509 End Entity Certificates:<br>
<br></div>
   altNames: <a href="http://ib.atca.nsn.com" target="_blank">ib.atca.nsn.com</a><div class="im"><br>
   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,<br>
OU=RTP, CN=ATCA_ib, E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<br></div>
<div class="im">
   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,<br></div>
CN=<a href="http://www.nokiasiemensnetworks.com" target="_blank">www.nokiasiemensnetworks.com</a>,<br>
E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<div class="im"><br>
   serial:    03<br>
   validity:  not before Mar 31 09:14:01 2012, ok<br>
              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)<br>
   pubkey:    RSA 1024 bits, has private key<br>
   keyid:     64:a5:3b:a4:42:18:b6:16:e9:47:84:7e:72:e2:0d:ff:52:0b:81:e5<br>
   subjkey:   6f:50:38:73:27:e7:36:93:d8:62:d5:d0:e0:83:df:f8:aa:f1:b9:ed<br>
<br>
List of X.509 CA Certificates:<br>
<br>
   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,<br>
OU=RTP, CN=<a href="http://www.nokiasiemensnetworks.com" target="_blank">www.nokiasiemensnetworks.com</a>,<br></div>
E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<div class="im"><br>
   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,<br></div>
CN=<a href="http://www.nokiasiemensnetworks.com" target="_blank">www.nokiasiemensnetworks.com</a>,<br>
E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<div class="im"><br>
   serial:    00:a9:d9:3d:5e:b8:7b:a3:4d<br>
   validity:  not before Mar 31 09:14:01 2012, ok<br>
              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)<br>
   pubkey:    RSA 1024 bits<br>
   keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5<br>
   subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f<br>
   authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f<br>
<br></div>
Following are the certificates & ipsec.conf files on 10.0.0.1(Initiator):<br>
====================================================<div class="im"><br>
# cat /etc/ipsec.conf<br>
# ipsec.conf<br>
# FlexiPlatform: IPsec configuration file<br>
<br>
config setup<br>
     charonstart=yes<br>
     plutostart=no<br>
     charondebug="knl 0,enc 0,net 0"<br>
conn %default<br>
     auto=route<br>
     keyexchange=ikev2<br>
ca r1~v1<br>
     cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"<br>
conn r1~v1<br>
     rekeymargin=200<br>
     rekeyfuzz=100%<br>
     left=10.0.0.1<br>
     right=10.0.0.2<br></div>
     leftsubnet=10.0.0.0/24<br>
     rightsubnet=10.0.0.0/24<div class="im"><br>
     leftprotoport=1<br>
     rightprotoport=1<br>
     authby=rsasig<br>
     leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"<br>
     leftid=10.0.0.1<br>
     rightid=%any<br>
     ike=3des-md5-modp1536!<br>
     esp=3des-md5<br>
     type=tunnel<br>
     ikelifetime=3000s<br>
     keylife=2000s<br>
     mobike=no<br>
     auto=route<br>
     encapdscp=yes<br>
<br></div>
Certificates:<br>
# /usr/local/6bin/ipsec stroke listall<div class="im"><br>
List of X.509 End Entity Certificates:<br>
<br></div>
   altNames: <a href="http://cla.atca.nsn.com" target="_blank">cla.atca.nsn.com</a><div class="im"><br>
   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,<br>
OU=RTP, CN=ATCA_cla, E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<br></div>
<div class="im">
   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,<br></div>
CN=<a href="http://www.nokiasiemensnetworks.com" target="_blank">www.nokiasiemensnetworks.com</a>,<br>
E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<div class="im"><br>
   serial:    03<br>
   validity:  not before Mar 31 09:14:01 2012, ok<br>
              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)<br>
   pubkey:    RSA 1024 bits, has private key<br>
   keyid:     82:8e:cf:f7:a0:81:9e:00:77:0b:d7:ee:6f:f7:43:8a:d2:73:e4:af<br>
   subjkey:   5f:ed:01:a0:a6:18:fd:12:dd:18:e1:fe:d4:76:a2:ea:4c:8f:e2:74<br>
<br>
List of X.509 CA Certificates:<br>
<br>
   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,<br>
OU=RTP, CN=<a href="http://www.nokiasiemensnetworks.com" target="_blank">www.nokiasiemensnetworks.com</a>,<br></div>
E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<div class="im"><br>
   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,<br></div>
CN=<a href="http://www.nokiasiemensnetworks.com" target="_blank">www.nokiasiemensnetworks.com</a>,<br>
E=<a href="mailto:gianluigi.ongaro@nsn.com" target="_blank">gianluigi.ongaro@nsn.com</a>"<div class="im"><br>
   serial:    00:a9:d9:3d:5e:b8:7b:a3:4d<br>
   validity:  not before Mar 31 09:14:01 2012, ok<br>
              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)<br>
   pubkey:    RSA 1024 bits<br>
   keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5<br>
   subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f<br>
   authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f<br>
<br>
<br>
--<br>
Regards,<br>
Reshma<br>
</div></blockquote>
<br>
======================================================================<span class="HOEnZb"><font color="#888888"><br>
Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution!                <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==========================================================[ITA-HSR]==<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div> </div>
<div>Regards,</div>
<div>Reshma</div><br>
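The "no matching peer config found" exchange in the quoted thread comes down to whether the configured leftid/rightid are confirmed by the certificates. The Python script below is an added example written for this page; it is not strongSwan code and was not posted by anyone in the thread. It parses a conn block, an abbreviated "ipsec stroke listall" listing and the responder's "[CFG] looking for peer configs matching ..." log line (all constructed here from the text quoted above), works out which local identity charon would actually use, and reports which half of the peer-config match fails. The fallback to the certificate's subject DN when leftid is not contained in the certificate is taken from what the quoted log shows (the initiator appears as 10.0.0.2[C=de, ...] although leftid=10.0.0.2 was configured) and is assumed here to be charon's general rule.

```python
"""Added example for this page (not strongSwan code): check whether the ipsec.conf
leftid/rightid are confirmed by the certificate and explain the responder's
'no matching peer config found' log line. Inputs are constructed from the thread."""
import re

# Constructed from the responder's 'ipsec stroke listall' output quoted above (abbreviated).
RESPONDER_CERT_LISTING = """\
List of X.509 End Entity Certificates:

   altNames: cla.atca.nsn.com
   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_cla, E=gianluigi.ongaro@nsn.com"
"""

# The responder's conn block as posted, reduced to the identity-related options.
RESPONDER_CONN = """\
conn r1~v1
     left=10.0.0.1
     right=10.0.0.2
     authby=rsasig
     leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
     leftid=10.0.0.1
     rightid=%any
"""

# The responder log line quoted in the thread; charon prints me[IDr]...other[IDi].
RESPONDER_LOG = (
    "Apr  1 16:00:00.384892 info CLA-0 charon: 03[CFG] looking for peer configs matching "
    "10.0.0.1[10.0.0.1]...10.0.0.2[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, "
    "OU=RTP, CN=ATCA_ib, E=gianluigi.ongaro@nsn.com]"
)


def parse_conn(text):
    """Return the key=value options of one ipsec.conf conn block (quotes stripped)."""
    opts = {}
    for line in text.splitlines()[1:]:            # skip the 'conn <name>' header
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_cert_listing(text):
    """Parse 'ipsec stroke listall' output into {altNames, subject, issuer} records."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(altNames|subject|issuer):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key in cur:                            # repeated field: next certificate starts
            certs.append(cur)
            cur = {}
        cur[key] = [v.strip() for v in value.split(",")] if key == "altNames" else value
    if cur:
        certs.append(cur)
    return certs


def cert_identities(cert):
    """Identities the certificate confirms: its subjectAltNames plus the full subject DN."""
    return set(cert.get("altNames", [])) | {cert["subject"]}


def effective_local_id(configured_id, cert):
    """Identity charon actually uses. Assumed rule, consistent with the quoted log (the
    initiator appeared as 10.0.0.2[C=de, ...] despite leftid=10.0.0.2): a configured
    leftid is used only if the certificate confirms it, otherwise the subject DN is."""
    if configured_id in cert_identities(cert):
        return configured_id, True
    return cert["subject"], False


def parse_peer_match_log(line):
    """Split '... matching me[IDr]...other[IDi]' into its four parts (None if absent)."""
    m = re.search(r"looking for peer configs matching ([^\s\[]+)\[(.*?)\]\.\.\.([^\s\[]+)\[(.*)\]", line)
    return None if not m else dict(zip(("me", "idr", "other", "idi"), m.groups()))


def diagnose(conn_text, cert_listing, log_line):
    """Which half of the responder's match fails: IDi must be accepted by rightid (%any
    accepts any identity) and the requested IDr must equal the effective leftid."""
    conn = parse_conn(conn_text)
    cert = parse_cert_listing(cert_listing)[0]    # the one end-entity cert in the listing
    ids = parse_peer_match_log(log_line)
    local_id, confirmed = effective_local_id(conn["leftid"], cert)
    remote_ok = conn["rightid"] in ("%any", ids["idi"])
    local_ok = ids["idr"] == local_id
    return {
        "configured_leftid": conn["leftid"],
        "leftid_confirmed_by_cert": confirmed,
        "effective_leftid": local_id,
        "requested_idr": ids["idr"],
        "remote_id_matches": remote_ok,
        "local_id_matches": local_ok,
        "peer_config_matches": remote_ok and local_ok,
    }


if __name__ == "__main__":
    # As posted: leftid=10.0.0.1 is not in the cert, so charon uses the DN and IDr=10.0.0.1 fails.
    for key, value in diagnose(RESPONDER_CONN, RESPONDER_CERT_LISTING, RESPONDER_LOG).items():
        print(f"{key}: {value}")
    # With the FQDN identities from Andreas' reply on both sides, IDr equals the confirmed leftid.
    fixed_conn = RESPONDER_CONN.replace("leftid=10.0.0.1", "leftid=cla.atca.nsn.com")
    fixed_log = RESPONDER_LOG.replace("10.0.0.1[10.0.0.1]", "10.0.0.1[cla.atca.nsn.com]")
    print("after fix:", diagnose(fixed_conn, RESPONDER_CERT_LISTING, fixed_log)["peer_config_matches"])
```

Running it against the posted configuration reports remote_id_matches True (rightid=%any accepts the DN the initiator sent) but local_id_matches False, because the responder's own identity became its subject DN while the initiator asked for 10.0.0.1. Re-running with leftid=cla.atca.nsn.com and a matching IDr, as in Andreas' reply, makes both halves match.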