Hi,

I have tried to form a site-to-site tunnel using RSA authentication with DN identification, but I am getting the error messages below. Please help me to solve this problem.

rom 'LeftGty-sha1-2048_fqdn.crt'
Oct 1 14:34:53 localhost charon: 11[CFG] added configuration 'site-site'
Oct 1 14:42:24 localhost charon: 12[NET] received packet: from 35.0.0.1[500] to 35.0.0.2[500]
Oct 1 14:42:24 localhost charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 1 14:42:24 localhost charon: 12[IKE] 35.0.0.1 is initiating an IKE_SA
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA, E=CA@ca.com"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=IN, ST=TN, L=CH, O=CAS, E=saravanan@strongswan.org"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=CH, ST=CH, L=CH, O=strongswan, OU=strongswan, CN=strongswan, E=ca@strongswan.org"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=in, ST=ar, L=ar, O=ar, OU=ar, CN=ar, E=ca@strongswan.org"
Oct 1 14:42:24 localhost charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 1 14:42:24 localhost charon: 12[NET] sending packet: from 35.0.0.2[500] to 35.0.0.1[500]
Oct 1 14:42:26 localhost charon: 13[NET] received packet: from 35.0.0.1[500] to 35.0.0.2[500]
Oct 1 14:42:26 localhost charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr ]
Oct 1 14:42:26 localhost charon: 13[IKE] received cert request for "C=CH, ST=CH, L=CH, O=strongswan, OU=strongswan, CN=strongswan, E=ca@strongswan.org"
Oct 1 14:42:26 localhost charon: 13[IKE] received end entity cert "C=CH, O=strongswan, OU=strongswan, CN=iss"
Oct 1 14:42:26 localhost charon: 13[CFG] looking for peer configs matching 35.0.0.2[%any]...35.0.0.1[]
Oct 1 14:42:26 localhost charon: 13[CFG] no matching peer config found
Oct 1 14:42:26 localhost charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 1 14:42:26 localhost charon: 13[NET] sending packet: from 35.0.0.2[500] to 35.0.0.1[500]

Please correct me if my configuration is not proper.

Configuration
_____________
ipsec.conf
___________
ca vpnca
 cacert=ikeca-sha1-2048-fqdn.crt
 auto=add

config setup
 plutostart=yes
 plutodebug=all
 charonstart=yes
 charondebug=all
 nat_traversal=yes
 crlcheckinterval=10m
 strictcrlpolicy=no

conn %default
 ikelifetime=8h
 lifetime = 8h
 rekeyfuzz = 100%
 keyingtries=1

conn site-site
 keyexchange=ikev2
 left=35.0.0.2
 leftcert=LeftGty-sha1-2048_fqdn.crt
 ike=aes256-sha1-sha256-modp1536!
 esp=aes256-sha1-sha256!
 leftid="C=CH, O=strongswan, CN=strongswan1"
 rightsubnet=0.0.0.0/0
 leftfirewall=yes
 right=%any
 rightid="C=CH, O=strongswan, CN=iss"
 auto=add

ipsec.secrets
++++++++++
: RSA LeftGty-sha1-2048_fqdn.key
I could not suspect the certificates, because the same certificates are working fine for FQDN identification.
I just changed the identification from FQDN to DN, as I have configured the DN parameters properly while generating the certificates.

Regards,
Saravanan N
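A small troubleshooting aid, added here as an example and not part of the original message or of strongSwan's own code. It reads the `conn` stanza and the charon log lines quoted above (embedded as constructed input), extracts the configured `rightid`, the subject DN of the end-entity certificate the peer presented, and the identities charon printed in its "looking for peer configs matching" line, and then compares the DNs RDN by RDN. The comparison rule is an assumption: ordered, attribute-by-attribute equality with a bare `*` value acting as a wildcard, which is a simplification of how charon matches DN identities. The function names (`parse_dn`, `parse_conn`, `received_identities`, `diagnose`) are hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]

# Constructed sample input: the conn stanza quoted in the post above.
IPSEC_CONF = """\
conn %default
 ikelifetime=8h
 keyingtries=1

conn site-site
 keyexchange=ikev2
 left=35.0.0.2
 leftcert=LeftGty-sha1-2048_fqdn.crt
 leftid="C=CH, O=strongswan, CN=strongswan1"
 right=%any
 rightid="C=CH, O=strongswan, CN=iss"
 auto=add
"""

# Constructed sample input: the IKE_AUTH log lines quoted in the post above.
CHARON_LOG = """\
Oct 1 14:42:26 localhost charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr ]
Oct 1 14:42:26 localhost charon: 13[IKE] received end entity cert "C=CH, O=strongswan, OU=strongswan, CN=iss"
Oct 1 14:42:26 localhost charon: 13[CFG] looking for peer configs matching 35.0.0.2[%any]...35.0.0.1[]
Oct 1 14:42:26 localhost charon: 13[CFG] no matching peer config found
"""

CERT_RE = re.compile(r'received end entity cert "([^"]+)"')
LOOKUP_RE = re.compile(
    r"looking for peer configs matching ([^\s\[]+)\[([^\]]*)\]\.\.\.([^\s\[]+)\[([^\]]*)\]"
)


def parse_dn(dn: str) -> List[RDN]:
    """Split a comma-separated DN string into an ordered list of (attribute, value).

    Attribute types are upper-cased; values are kept verbatim, since a DN is an
    ordered sequence and 'CN=iss' and 'CN=ISS' are not the same identity."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def parse_conn(conf: str, name: str) -> Dict[str, str]:
    """Return the key=value settings of one 'conn <name>' section of ipsec.conf."""
    settings: Dict[str, str] = {}
    inside = False
    for line in conf.splitlines():
        stripped = line.strip()
        if re.match(r"^(conn|ca|config)\s", stripped):
            inside = stripped == f"conn {name}"   # a new section header ends the previous one
            continue
        if inside and "=" in stripped:
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def received_identities(log: str) -> Dict[str, Optional[str]]:
    """Pull the presented certificate subject and the looked-up IDs out of charon's log."""
    found: Dict[str, Optional[str]] = {"cert_subject": None, "my_id": None, "peer_id": None}
    for line in log.splitlines():
        m = CERT_RE.search(line)
        if m:
            found["cert_subject"] = m.group(1)
        m = LOOKUP_RE.search(line)
        if m:
            found["my_id"], found["peer_id"] = m.group(2), m.group(4)
    return found


def dn_matches(configured: List[RDN], presented: List[RDN]) -> bool:
    """Assumed rule: same number of RDNs, same attributes in the same order,
    values equal unless the configured value is the wildcard '*'."""
    if len(configured) != len(presented):
        return False
    return all(ca == pa and (cv == "*" or cv == pv)
               for (ca, cv), (pa, pv) in zip(configured, presented))


def dn_differences(configured: List[RDN], presented: List[RDN]) -> Dict[str, List[RDN]]:
    """List the RDNs present on only one side, to show *why* a match failed."""
    return {
        "only_in_config": [r for r in configured if r not in set(presented)],
        "only_in_cert": [r for r in presented if r not in set(configured)],
    }


def diagnose(conf: str, log: str, conn_name: str) -> Dict[str, object]:
    """Compare the configured rightid with what the peer actually presented."""
    conn = parse_conn(conf, conn_name)
    ids = received_identities(log)
    rightid = parse_dn(conn["rightid"])
    subject = parse_dn(ids["cert_subject"]) if ids["cert_subject"] else []
    return {
        "peer_id_empty": ids["peer_id"] == "",          # charon printed 35.0.0.1[] above
        "rightid_matches_cert_subject": dn_matches(rightid, subject),
        "rdn_differences": dn_differences(rightid, subject),
    }


if __name__ == "__main__":
    for key, value in diagnose(IPSEC_CONF, CHARON_LOG, "site-site").items():
        print(f"{key}: {value}")
```

Run against the post's own data, the script reports that the peer identity charon tried to match was empty and that the configured `rightid` lacks the `OU=strongswan` RDN present in the certificate subject the peer sent. Whether either of those is the actual cause is for the list to decide; the point of the example is that both facts are visible in the log and the conn stanza before anyone touches the certificates.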