<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><P>Here is the complete (with lines commented out) ipsec.secrets file:</P>
<P># ipsec.secrets<BR>#<BR># This file holds the RSA private keys or the PSK preshared secrets for<BR># the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.<BR>#<BR>: RSA elcKey.pem<BR>#: RSA akimmo-key.pem<BR>#: RSA server_priv.pem<BR>#kimmo : EAP "test"<BR>#: RSA elcKey.pem ----->commented out to see if this was the issue<BR>#username : XAUTH "" --->commented out to see if this was the issue</P>
<DIV><BR></DIV>
<HR id=zwchr>
<DIV style="FONT-STYLE: normal; FONT-FAMILY: Helvetica,Arial,sans-serif; COLOR: #000; FONT-SIZE: 12pt; FONT-WEIGHT: normal; TEXT-DECORATION: none"><B>From: </B>"Chris Arnold" <carnold@electrichendrix.com><BR><B>To: </B>users@lists.strongswan.org<BR><B>Sent: </B>Monday, December 31, 2012 4:42:00 PM<BR><B>Subject: </B>Re: [strongSwan] Auth Failed<BR>
<DIV><BR></DIV>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; COLOR: #000000; FONT-SIZE: 12pt">
<DIV><SPAN style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px">>Chris,</SPAN></DIV>
<DIV style="FONT-STYLE: normal; FONT-FAMILY: Helvetica,Arial,sans-serif; COLOR: #000; FONT-SIZE: 12pt; FONT-WEIGHT: normal; TEXT-DECORATION: none">
<DIV dir=ltr>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px"><BR></DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px">>Assuming elcKey.pem is the private key associated with the certificate elcCert.pem (used for conn teknerds), shouldn't there be another private key associated with server_cert.crt used in conn rclientscerts? Just >wondering since you are using separate (left) certificates for the connections...</DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px"><BR>Nothing has been changed in the ipsec.secret file except ios secret commented out. This worked for months without any issues. Kimmo, a user here on the list, configured it and tested it and it was working. The last thing that was done was SLES strongSwan update from 4.3 to 4.4. The other conn, teknerds, works fine.</DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px"> </DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px">>The ipsec.secrets should be more like</DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px">> : RSA eleKey.pem</DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px">> : RSA server_Key.pem <"my-passphrase"></DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px">><BR></DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px">>Where the passphrase is needed only if the private key is password protected.</DIV>
<DIV style="FONT-FAMILY: arial,sans-serif; FONT-SIZE: 13px"><BR> </DIV>
<DIV class=gmail_extra>
<DIV><BR></DIV>
<DIV class=gmail_quote>
<BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote>
<DIV class=HOEnZb>
<DIV class=h5>
<DIV class=gmail_extra>
<DIV class=gmail_quote>On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold <SPAN dir=ltr><<A href="mailto:carnold@electrichendrix.com" target=_blank>carnold@electrichendrix.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote>strongSwan 4.4.06 on SLES 11 SP2. This use to work, i am working on adding users with ios to strongSwan but have commented that out of ipsec.conf and ipsec.secret to verify this is not the problem. User with Windows 7 with client cert connects and receives:<BR>Error 13801: IKE Authentication Credentials are unacceptable<BR>
<DIV><BR></DIV>All other VPN connections work (like the conn teknerds which is strongSwan to sonicwall).<BR>
<DIV><BR></DIV>Error in the charon.log:<BR>13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"<BR>13[CFG] looking for peer configs matching 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]<BR>13[CFG] selected peer config 'rclientscerts'<BR>13[CFG] using certificate "O=Chris VPN service, CN=Client2"<BR>13[CFG] using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=Jarrod, E=email@address"<BR>13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"<BR>13[CFG] certificate status is not available<BR>13[CFG] reached self-signed root ca with a path length of 0<BR>13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful<BR>13[IKE] peer supports MOBIKE<BR>13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'<BR>13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<BR>
<DIV><BR></DIV>Here is ipsec.conf:<BR>config setup<BR> # plutodebug=all<BR> crlcheckinterval=600<BR> strictcrlpolicy=no<BR> # cachecrls=yes<BR> nat_traversal=yes<BR> # charonstart=no<BR> plutostart=no<BR> #charondebug="cfg 3,lib=3"<BR>
<DIV><BR></DIV># Add connections here.<BR>
<DIV><BR></DIV>conn %default<BR> ikelifetime=28800s<BR> keylife=20m<BR> rekeymargin=3m<BR> keyingtries=1<BR> keyexchange=ikev2<BR> mobike=no<BR>
<DIV><BR></DIV>conn rclientseap<BR> rekey=no<BR> left=%any<BR> leftauth=pubkey<BR> leftcert=server_cert.crt<BR> leftid=@public.ip<BR> leftsubnet=<A href="http://0.0.0.0/0" target=_blank>0.0.0.0/0</A><BR> right=%any<BR> rightsourceip=<A href="http://192.168.2.0/24" target=_blank>192.168.2.0/24</A><BR> rightauth=eap-mschapv2<BR> rightsendcert=never<BR> eap_identity=%any<BR> mobike=yes<BR> auto=ignore<BR>
<DIV><BR></DIV>conn rclientscerts<BR> rekey=no<BR> left=%any<BR> leftauth=pubkey<BR> leftcert=server_cert.crt<BR> leftid=@public.ip<BR> leftsubnet=<A href="http://0.0.0.0/0" target=_blank>0.0.0.0/0</A><BR> right=%any<BR> rightsourceip=<A href="http://192.168.2.0/24" target=_blank>192.168.2.0/24</A><BR> #rightauth=eap-mschapv2<BR> #rightsendcert=never<BR> #eap_identity=%any<BR> mobike=yes<BR> auto=add<BR>
<DIV><BR></DIV><BR>
<DIV><BR></DIV><BR>conn teknerds<BR> left=%defaultroute<BR> leftcert=elcCert.pem<BR> leftsubnet=<A href="http://192.168.1.0/24" target=_blank>192.168.1.0/24</A><BR> #leftid="C=XX, O=X, CN=Edens Land Corp VPN"<BR> #leftfirewall=yes<BR> right=sonicwall.public.ip<BR> rightsubnet=<A href="http://192.168.123.0/24" target=_blank>192.168.123.0/24</A><BR> rightcert=teknerdsCert.pem<BR> rightid="C=XX, O=X, CN=Tek-Nerds VPN"<BR> auto=add<BR>
<DIV><BR></DIV><BR>#conn iOS<BR># keyexchange=ikev1<BR># authby=xauthrsasig<BR># xauth=server<BR># left=%defaultroute<BR># leftsubnet=<A href="http://192.168.1.0/24" target=_blank>192.168.1.0/24</A><BR># leftcert=elcCert.pem<BR># right=%any<BR># rightsourceip=<A href="http://192.168.3.0/24" target=_blank>192.168.3.0/24</A><BR># #rightcert=<BR># pfs=no<BR># auto=add<BR>
<DIV><BR></DIV>Here is ipsec.secret:<BR>: RSA elcKey.pem<BR>
<DIV><BR></DIV>Any help with this is greatly appreciated<BR>
<DIV><BR></DIV>_______________________________________________<BR>Users mailing list<BR><A href="mailto:Users@lists.strongswan.org" target=_blank>Users@lists.strongswan.org</A><BR><A href="https://lists.strongswan.org/mailman/listinfo/users" target=_blank>https://lists.strongswan.org/mailman/listinfo/users</A><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV><BR>_______________________________________________<BR>Users mailing list<BR>Users@lists.strongswan.org<BR>https://lists.strongswan.org/mailman/listinfo/users</DIV>
<DIV><BR></DIV></DIV><BR>_______________________________________________<BR>Users mailing list<BR>Users@lists.strongswan.org<BR>https://lists.strongswan.org/mailman/listinfo/users</DIV><BR></div></body></html>