<div dir="ltr">
<p class="MsoNormal">Hi all,</p>
<p class="MsoNormal">I am facing an issue with tunnel creation using IKEv2 in
strongSwan 4.5.3 (Linux kernel 2.6.38). I am building the tunnel using Oberthur
Authentic IC 3.2 cards. The installed OpenSC version is 0.13.</p>
<div style="border-width:medium medium 1pt;border-style:none none solid;border-color:-moz-use-text-color -moz-use-text-color windowtext;padding:0in 0in 1pt">
<p class="MsoNormal" style="border:medium none;padding:0in">The smart cards are working fine with the IKEv1
configuration. However, in IKEv2 I am getting the following error in the logs.</p>
</div>
<pre>
Sep 18 14:52:23 TEST charon: 15[IKE] received cert request for "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[IKE] received end entity cert "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG] looking for peer configs matching 192.168.100.1[CN=DEVICEB]...192.168.100.2[CN=DEVICEA]
Sep 18 14:52:23 TEST charon: 15[CFG] selected peer config 'tunnel'
Sep 18 14:52:23 TEST charon: 15[CFG]  using certificate "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG]  using trusted ca certificate "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG] checking certificate status of "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG]  fetching crl from '<a href="http://nexus/crl.crl">http://nexus/crl.crl</a>' ...
Sep 18 14:52:23 TEST charon: 15[CFG]  using trusted certificate "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG]  crl correctly signed by "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG]  crl is valid: until Sep 15 13:16:14 2024
Sep 18 14:52:23 TEST charon: 15[CFG] certificate status is good
<b><span style="color:red">Sep 18 14:52:23 TEST charon: 15[CFG]  reached self-signed root ca with a path length of 0
Sep 18 14:52:23 TEST charon: 15[IKE] signature validation failed, looking for another key
Sep 18 14:52:23 TEST charon: 15[IKE] peer supports MOBIKE
Sep 18 14:52:23 TEST charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</span></b>
</pre>
<p class="MsoNormal"><b>The ipsec.secrets configuration is the following:</b></p>
<pre>: PIN %smartcard1:10 "1234"</pre>
<p class="MsoNormal"><b>The slot is 1 and the id of the private/public key on the smart card is 10.</b></p>
<div style="border-width:medium medium 1pt;border-style:none none solid;border-color:-moz-use-text-color -moz-use-text-color windowtext;padding:0in 0in 1pt">
<p class="MsoNormal" style="border:medium none;padding:0in"><b>ipsec.conf is also given below.</b></p>
</div>
<pre>
config setup
        #plutodebug="all"
        plutostart=no
        charondebug="all"
        charonstart=yes
        uniqueids=yes
        nat_traversal=yes

conn %default

conn tunnel #
        left=192.168.100.1
        right=192.168.100.2
        leftid="CN=DEVICEB"
        rightid="CN=DEVICEA"

        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        pfsgroup=modp1024
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        pfs=no
        #leftcert=%smartcard1:10
        auto=start
        keyexchange=ikev2
        type=tunnel
</pre>
<p class="MsoNormal"><b>Please guide me or give me some direction to sort out this issue.</b></p>
<p class="MsoNormal"><b>Regards</b></p>
</div>
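<p class="MsoNormal">The log in the post above records every step charon takes before rejecting the peer: end-entity certificate received, trust chain built to the CA, CRL fetched and checked, and only then the AUTH payload verified. The line "signature validation failed, looking for another key" is what charon's public-key authenticator logs when the received AUTH payload does not verify under a candidate public key for the peer identity, after the certificate checks have already been accepted. The script below is an added example, not part of the original post and not strongSwan code: it parses charon log lines thread by thread, pulls out each of those checks, and reports at which step IKE_AUTH stopped. The failing log is the post's own; the success log and its exact wording are constructed for contrast.</p>

```python
"""Parse charon IKE_AUTH log lines and report where peer authentication stopped.

Added illustration for the log excerpt in the post; not strongSwan code.
FAILED_LOG is the post's own log (host TEST, worker thread 15). SUCCESS_LOG
is constructed to show the same checks when the AUTH payload verifies.
"""
import re
from collections import defaultdict

# Syslog prefix ("Sep 18 14:52:23 TEST charon: ") followed by charon's own
# "<thread>[<subsystem>] message" format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*?)\s*$"
)

FAILED_LOG = """\
Sep 18 14:52:23 TEST charon: 15[IKE] received cert request for "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[IKE] received end entity cert "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG] looking for peer configs matching 192.168.100.1[CN=DEVICEB]...192.168.100.2[CN=DEVICEA]
Sep 18 14:52:23 TEST charon: 15[CFG] selected peer config 'tunnel'
Sep 18 14:52:23 TEST charon: 15[CFG]  using certificate "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG]  using trusted ca certificate "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG] checking certificate status of "CN=DEVICEA"
Sep 18 14:52:23 TEST charon: 15[CFG]  fetching crl from 'http://nexus/crl.crl' ...
Sep 18 14:52:23 TEST charon: 15[CFG]  using trusted certificate "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG]  crl correctly signed by "CN=NEXUS"
Sep 18 14:52:23 TEST charon: 15[CFG]  crl is valid: until Sep 15 13:16:14 2024
Sep 18 14:52:23 TEST charon: 15[CFG] certificate status is good
Sep 18 14:52:23 TEST charon: 15[CFG]  reached self-signed root ca with a path length of 0
Sep 18 14:52:23 TEST charon: 15[IKE] signature validation failed, looking for another key
Sep 18 14:52:23 TEST charon: 15[IKE] peer supports MOBIKE
Sep 18 14:52:23 TEST charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Constructed: what the same responder logs when the AUTH payload verifies.
SUCCESS_LOG = """\
Sep 18 15:01:07 TEST charon: 07[IKE] received end entity cert "CN=DEVICEA"
Sep 18 15:01:07 TEST charon: 07[CFG] selected peer config 'tunnel'
Sep 18 15:01:07 TEST charon: 07[CFG]  using certificate "CN=DEVICEA"
Sep 18 15:01:07 TEST charon: 07[CFG]  using trusted ca certificate "CN=NEXUS"
Sep 18 15:01:07 TEST charon: 07[CFG] certificate status is good
Sep 18 15:01:07 TEST charon: 07[CFG]  reached self-signed root ca with a path length of 0
Sep 18 15:01:07 TEST charon: 07[IKE] authentication of 'CN=DEVICEA' with RSA signature successful
Sep 18 15:01:07 TEST charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]
"""

# Fields to extract, in the order charon emits them: (name, regex; group 1 is kept)
CHECKS = [
    ("peer_cert", re.compile(r'received end entity cert "([^"]+)"')),
    ("config", re.compile(r"selected peer config '([^']+)'")),
    ("ca", re.compile(r'using trusted ca certificate "([^"]+)"')),
    ("revocation", re.compile(r"certificate status is (\w+)")),
    ("chain", re.compile(r"reached self-signed root ca with a path length of (\d+)")),
    ("auth_error", re.compile(r"(signature validation failed.*)")),
    ("auth_ok", re.compile(r"(authentication of .* successful)")),
    ("response", re.compile(r"generating IKE_AUTH response \d+ \[ (.*) \]")),
]


def parse_charon(text):
    """Return one dict per charon line; other syslog lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def summarize_ike_auth(text):
    """Per charon worker thread, collect the chain checks and the IKE_AUTH outcome."""
    per_thread = defaultdict(dict)
    for ev in parse_charon(text):
        for field, pattern in CHECKS:
            m = pattern.search(ev["msg"])
            if m:
                per_thread[ev["thread"]][field] = m.group(1)
    return dict(per_thread)


def diagnose(summary):
    """Say at which step peer authentication stopped, from one thread's summary."""
    peer = summary.get("peer_cert", "<unknown>")
    chain_ok = "ca" in summary and "chain" in summary
    revocation_ok = summary.get("revocation") == "good"
    if "N(AUTH_FAILED)" in summary.get("response", ""):
        if not chain_ok:
            return "AUTH_FAILED: no trust chain from %s to a trusted CA" % peer
        if not revocation_ok:
            return "AUTH_FAILED: revocation status of %s is %r" % (peer, summary.get("revocation"))
        if "auth_error" in summary:
            # Chain and CRL already passed, so the failure is the AUTH payload
            # itself: it did not verify under the public key taken from the cert.
            return ("AUTH_FAILED after trust chain and CRL checks passed: the AUTH "
                    "payload did not verify under the public key in %s" % peer)
        return "AUTH_FAILED for another reason; inspect the [IKE] lines"
    if "auth_ok" in summary:
        return "peer authenticated: %s" % summary["auth_ok"]
    return "no IKE_AUTH outcome found"


if __name__ == "__main__":
    for name, log in (("post", FAILED_LOG), ("constructed success", SUCCESS_LOG)):
        for thread, summary in summarize_ike_auth(log).items():
            print("%s / thread %s: %s" % (name, thread, diagnose(summary)))
```

<p class="MsoNormal">Grouping by the worker-thread number (the <code>15</code> in <code>15[CFG]</code>) matters on a busy gateway, where lines from several concurrent exchanges interleave in one syslog stream; the post's log happens to contain a single thread. The verdict deliberately separates "no chain", "revoked" and "AUTH payload did not verify", because each points at a different place to look: trust anchors, the CRL, or the key that actually produced the signature.</p>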