<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">
<div>Hi Community,</div>
<div><br></div>
<div>I am wondering if this is the right place to ask basic questions regarding strongSwan and IPsec. I have posted some questions but got no reply at all, which is kind of disappointing.</div>
<div><br></div>
<div>I hope this time I get an answer, or at least someone can tell me where I should post my questions.</div>
<div><br></div>
<div>I am trying to create an IPsec tunnel using strongSwan 5.0.4 between two OpenWrt Linux-based machines running kernel 3.3.8 with a very basic scenario.</div>
<div><br></div>
<div>Any time I try to bring up a connection (&gt;&gt; ipsec up lmu55) I get the following error:</div>
<div><br></div>
<div><span style="font-style: italic;">no private key found for 'C=CA CN=lmu55'</span></div>
<div><span style="font-style: italic;">configuration uses unsupported authentication</span></div>
<div><span style="font-style: italic;">tried to check-in and delete nonexisting IKE_SA</span></div>
<div><span style="font-style: italic;">establishing connection 'conn' failed</span></div>
<div><br></div>
<div>I have two Linux boxes called lmu55 and lmu56.</div>
<div>I am creating the private keys and certificates like this:</div>
<div><br></div>
<pre style="word-wrap: break-word; white-space: pre-wrap;">ipsec pki --gen --outform pem &gt; caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CA, O=strongswan, CN=lmu55" --outform pem --ca &gt; caCert.pem</pre>
<div><br></div>
<div>for left gateway:</div>
<pre style="word-wrap: break-word; white-space: pre-wrap;">ipsec pki --gen --outform pem &gt; lmu55Key.pem
ipsec pki --pub --in lmu55Key.pem|ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, CN=lmu55" --outform pem &gt; lmu55Cert.pem</pre>
<div><br></div>
<div>for right gateway:</div>
<pre style="word-wrap: break-word; white-space: pre-wrap;">ipsec pki --gen --outform pem &gt; lmu56Key.pem
ipsec pki --pub --in lmu56Key.pem|ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, CN=lmu56" --outform pem &gt; lmu56Cert.pem</pre>
<div><br></div>
<div>left:</div>
<pre style="word-wrap: break-word; white-space: pre-wrap;">cp lmu55Key.pem lmu55:/etc/ipsec.d/private/
cp lmu55Cert.pem lmu55:/ipsec.d/certs/
cp caCert.pem lmu55:/ipsec.d/cacerts/</pre>
<div><br></div>
<div>right:</div>
<pre style="word-wrap: break-word; white-space: pre-wrap;">cp lmu55Key.pem lmu55:/etc/ipsec.d/private/
cp lmu55Cert.pem lmu55:/ipsec.d/certs/
cp caCert.pem lmu55:/ipsec.d/cacerts/</pre>
<div><br></div>
<div>Here is the ipsec.conf and ipsec.secret for lmu55:</div>
<div><br></div>
<pre style="word-wrap: break-word; white-space: pre-wrap;"># ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
#    strictcrlpolicy=no
#    uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
#   authby=xauthrsasig
#   mobike=no

# Add connections here.

# Sample VPN connections

conn lmu55
    left=192.168.1.55
    leftid="C=CA, CN=lmu55"
    leftcert=lmu55Cert.pem
    leftfirewall=yes
    right=192.168.1.56
    rightid="C=CA, CN=lmu56"

    auto=add</pre>
<div><br></div>
<div>and ipsec.secret</div>
<pre style="word-wrap: break-word; white-space: pre-wrap;"># generated by /etc/init.d/ipsec
: RSA lmu55Key.pem</pre>
<div><br></div>
<div>Here is the ipsec.conf and ipsec.secret for lmu56:</div>
<div><br></div>
<pre style="word-wrap: break-word; white-space: pre-wrap;"># ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    strictcrlpolicy=no
    uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    #authby=xauthprsasig
    #mobike=no

# Add connections here.

# Sample VPN connections

conn lmu56
    left=192.168.1.56
    leftid="C=CA, CN=lmu56"
    leftcert=lmu56Cert.der
    leftfirewall=yes
    right=192.168.1.55
    rightid="C=CA, CN=lmu55"
    auto=add</pre>
<div><br></div>
<div>and ipsec.secret</div>
<pre style="word-wrap: break-word; white-space: pre-wrap;"># generated by /etc/init.d/ipsec
: RSA lmu56Key.pem</pre>
<div><br></div>
<div>If I use authby=xauthprsasig then I can see the peers start negotiating, but it eventually fails with the same error. Here is the log data:</div>
<div><br></div>
<pre style="word-wrap: break-word;"><pre style="word-wrap: break-word;"><span style="white-space: pre-wrap;">root@LMU5k:~# ipsec up lmu55
initiating Main Mode IKE_SA lmu55[1] to 192.168.1.56
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (224 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (372 bytes)
received packet: from 192.168.1.56[500] to 192.168.1.55[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
no RSA private key found for 'C=CA, CN=lmu55'
generating INFORMATIONAL_V1 request 1007725697 [ HASH N(AUTH_FAILED) ]
sending packet: from 192.168.1.55[500] to 192.168.1.56[500] (92 bytes)
establishing connection 'lmu55' failed</span><span style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; white-space: pre-wrap;">
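
One way to check, before running ipsec up, that the files the commands and config above refer to are where strongSwan will look for them (an added example, not code from the original post or from strongSwan). It assumes strongSwan's lookup rules: a relative leftcert is read from ipsec.d/certs, a relative ': RSA file' entry in ipsec.secrets from ipsec.d/private and CA certificates from ipsec.d/cacerts; the temporary directory, the ipsec.conf text and the empty placeholder files in demo() are constructed for the demonstration. It checks layout and cross-references only, not that the key and certificate cryptographically match.

```python
# Added example, not from the post: checks the file layout that a strongSwan
# ipsec.conf / ipsec.secrets pair refers to, assuming strongSwan's lookup rules
# (relative leftcert under ipsec.d/certs, ': RSA file' under ipsec.d/private).
import os
import re
import tempfile

def parse_conn(conf_text, name):
    """Settings of 'conn name' as a dict; comments stripped, %default not merged."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(conn|config)\s+(\S+)$', line)
        if m:
            current = m.group(2)
            continue
        if current == name and '=' in line:
            key, val = line.split('=', 1)
            settings[key.strip()] = val.strip().strip('"')
    return settings

def parse_secrets(secrets_text):
    """Key file names from the ': RSA file' lines of ipsec.secrets."""
    return [l.split()[2] for l in secrets_text.splitlines()
            if l.strip().startswith(': RSA')]

def check(ipsec_d, conf_text, secrets_text, conn):
    """Return a list of findings; empty means the layout is consistent."""
    conf = parse_conn(conf_text, conn)
    findings = []
    cert = conf.get('leftcert')
    if not cert:
        findings.append('conn %s sets no leftcert' % conn)
    elif not os.path.isfile(os.path.join(ipsec_d, 'certs', cert)):
        findings.append('leftcert %s is not in %s/certs' % (cert, ipsec_d))
    keys = parse_secrets(secrets_text)
    if not keys:
        findings.append('ipsec.secrets names no RSA private key')
    for key in keys:
        if not os.path.isfile(os.path.join(ipsec_d, 'private', key)):
            findings.append('RSA key %s is not in %s/private' % (key, ipsec_d))
    cadir = os.path.join(ipsec_d, 'cacerts')
    if not (os.path.isdir(cadir) and os.listdir(cadir)):
        findings.append('no CA certificate in %s/cacerts' % ipsec_d)
    return findings

def demo(leftcert='lmu56Cert.der'):
    """Constructed temp layout mirroring the post's lmu56 side: the pki commands
    wrote lmu56Cert.pem, while its ipsec.conf names leftcert=lmu56Cert.der."""
    conf = ('conn %default\n    keyexchange=ikev1\nconn lmu56\n'
            '    leftid="C=CA, CN=lmu56"\n    leftcert=' + leftcert + '\n'
            '    rightid="C=CA, CN=lmu55"\n    auto=add\n')
    secrets = '# generated by /etc/init.d/ipsec\n: RSA lmu56Key.pem\n'
    with tempfile.TemporaryDirectory() as d:
        for sub in ('certs', 'private', 'cacerts'):
            os.makedirs(os.path.join(d, sub))
        for path in ('certs/lmu56Cert.pem', 'private/lmu56Key.pem',
                     'cacerts/caCert.pem'):
            open(os.path.join(d, path), 'w').close()
        return check(d, conf, secrets, 'lmu56')
```

Run against a real box by pointing check() at /etc/ipsec.d with the contents of /etc/ipsec.conf and /etc/ipsec.secrets; demo() reports the .der/.pem name mismatch, while demo('lmu56Cert.pem') reports nothing.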
</span></pre></pre>
<div><br></div>
<div>&gt;&gt; ipsec listcerts also returns empty.</div>
<div><br></div>
<div>What am I missing here?</div>
<div><br></div>
<div>Thanks for the help.</div>
<div>Farid</div>
</div></body></html>