<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Good afternoon, all!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I've been working on getting a Strongswan installation running on a VMware Workstation test platform. The server is Ubuntu Server 12.04 with Strongswan 4.5.2 from the Ubuntu repository.<o:p></o:p></p><p class=MsoNormal>I've been able to get a net-net test config to work, but have had trouble with a roadwarrior config. I think it's a problem with certificates because I get "Error 13801: IKE authentication credentials are unacceptable", so I know the client is reaching the server and trying to get in.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I followed the examples listed here, working on an X.509 machine certificate to start: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7 I used the multiple client configs and the instructions on importing certificates into Win7.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All certs were generated and signed on the strongswan server and are in the proper directories under /etc/ipsec.d. Content of ipsec.conf and greps from auth.log and syslog also.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I confess to being at a loss as to why I am still getting the Error 13801 after several hours troubleshooting.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks in advance!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Gregg<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># ipsec.conf - strongSwan1 IPsec configuration file<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># basic configuration<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>config setup<o:p></o:p></p><p class=MsoNormal> # plutodebug=all<o:p></o:p></p><p class=MsoNormal> # crlcheckinterval=180<o:p></o:p></p><p class=MsoNormal> # strictcrlpolicy=no<o:p></o:p></p><p class=MsoNormal> # cachecrls=yes<o:p></o:p></p><p class=MsoNormal> # nat_traversal=yes<o:p></o:p></p><p class=MsoNormal> charonstart=yes<o:p></o:p></p><p class=MsoNormal> plutostart=no<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># Add connections here.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>conn %default<o:p></o:p></p><p class=MsoNormal> ikelifetime=60m<o:p></o:p></p><p class=MsoNormal> keylife=20m<o:p></o:p></p><p class=MsoNormal> rekeymargin=3m<o:p></o:p></p><p class=MsoNormal> keyingtries=1<o:p></o:p></p><p class=MsoNormal> # authby=secret<o:p></o:p></p><p class=MsoNormal> keyexchange=ikev2<o:p></o:p></p><p class=MsoNormal> # mobike=no<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>conn net-net<o:p></o:p></p><p class=MsoNormal> left=192.168.91.163<o:p></o:p></p><p class=MsoNormal> leftsubnet=10.1.0.0/16<o:p></o:p></p><p class=MsoNormal> leftid=@strongswan1<o:p></o:p></p><p class=MsoNormal> leftfirewall=yes<o:p></o:p></p><p class=MsoNormal> right=192.168.91.160<o:p></o:p></p><p class=MsoNormal> rightsubnet=10.2.0.0/16<o:p></o:p></p><p class=MsoNormal> rightid=@strongswan2<o:p></o:p></p><p class=MsoNormal> auto=add<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>conn Win7<o:p></o:p></p><p class=MsoNormal> left=%defaultroute<o:p></o:p></p><p class=MsoNormal> # leftcert=cacert.pem<o:p></o:p></p><p class=MsoNormal> leftsubnet=10.1.0.0/16<o:p></o:p></p><p class=MsoNormal> leftid=strongswan1<o:p></o:p></p><p class=MsoNormal> right=%any<o:p></o:p></p><p class=MsoNormal> rightsourceip=192.168.93.0/24<o:p></o:p></p><p class=MsoNormal> # rightauth=eap-mschapv2<o:p></o:p></p><p class=MsoNormal> # rightsendcert=never<o:p></o:p></p><p class=MsoNormal> # eap_identity=%any<o:p></o:p></p><p class=MsoNormal> # rightcert=client1cert.pem<o:p></o:p></p><p class=MsoNormal> # keyexchange=ikev2<o:p></o:p></p><p class=MsoNormal> auto=add<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>include /var/lib/strongswan/ipsec.conf.inc<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>----------------------------------------<o:p></o:p></p><p class=MsoNormal>auth.log cuts<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jul 10 15:20:28 strongswan1 charon: 03[IKE] 192.168.91.166 is initiating an IKE_SA<o:p></o:p></p><p class=MsoNormal>Jul 10 15:21:51 strongswan1 ipsec_starter[1606]: charon stopped after 200 ms<o:p></o:p></p><p class=MsoNormal>Jul 10 15:21:54 strongswan1 ipsec_starter[1641]: charon (1667) started after 60 ms<o:p></o:p></p><p class=MsoNormal>Jul 10 15:23:02 strongswan1 ipsec_starter[1641]: charon stopped after 200 ms<o:p></o:p></p><p class=MsoNormal>Jul 10 15:23:25 strongswan1 ipsec_starter[931]: charon (939) started after 1120 ms<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 ipsec_starter[999]: charon (1003) started after 1060 ms<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>--------------------------------------------<o:p></o:p></p><p class=MsoNormal>syslog cuts<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jul 10 15:32:20 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[KNL] listening on interfaces:<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[KNL] eth0<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[KNL] 192.168.91.163<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c6b<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[KNL] eth1<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[KNL] 10.1.0.1<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c75<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com" from '/etc/ipsec.d/cacerts/cacert.pem'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/cakey.pem'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] sql plugin: database URI not set<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded 0 RADIUS server configurations<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] mediation client database URI not defined, skipped<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[CFG] HA config misses local/remote address<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock <o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 00[JOB] spawning 16 worker threads<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 05[CFG] received stroke: add connection 'net-net'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 05[CFG] added configuration 'net-net'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 10[CFG] received stroke: add connection 'Win7'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 10[CFG] added configuration 'Win7'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:19 strongswan1 charon: 10[CFG] adding virtual IP address pool 'Win7': 192.168.93.0/24<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 13[NET] received packet: from 192.168.91.166[500] to 192.168.91.163[500]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 13[IKE] sending cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 13[NET] sending packet: from 192.168.91.163[500] to 192.168.91.166[500]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[NET] received packet: from 192.168.91.166[4500] to 192.168.91.163[4500]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP4_SERVER<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP6_SERVER<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[IKE] received cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[IKE] received end entity cert "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[CFG] looking for peer configs matching 192.168.91.163[%any]...192.168.91.166[C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[CFG] selected peer config 'Win7'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[CFG] using certificate "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[CFG] using trusted ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[CFG] checking certificate status of "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[CFG] certificate status is not available<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[CFG] reached self-signed root ca with a path length of 0<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[IKE] authentication of 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com' with RSA signature successful<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[IKE] peer supports MOBIKE<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for 'strongswan1'<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<o:p></o:p></p><p class=MsoNormal>Jul 10 15:32:43 strongswan1 charon: 14[NET] sending packet: from 192.168.91.163[4500] to 192.168.91.166[4500]<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><table class=MsoTableGrid border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;border:none'><tr><td width=319 valign=top style='width:239.4pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='color:black'>Gregg Hughes</span></b><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>IT Administrator<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>www.iscinternational.com<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>414.721.0301 phone<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>262.313.3106 fax<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></td><td width=319 valign=top style='width:239.4pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><o:p> </o:p></p></td></tr></table><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>