<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi all,</div>
<div> </div>
<div>I have configured Ikev2 in strongswan version 4.3.6 as below.</div>
<div> </div>
<div> </div>
<div>ipsec.conf on Host1</div>
<div> </div>
<div> </div>
<div>Ipsec.secrets on host1</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>Ipsec.conf on host2</div>
<div> </div>
<div> </div>
<div>Ipsec.secrets on host2</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>The Certificates are IP addresses based.</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>Host1 is made to act as responder alone. Ipsec connections are initiated from Host2 always.</div>
<div> </div>
<div>With above configuration, both connections r1~v1 and r2~v2 gets established (Initiated from Host2).</div>
<div> </div>
<div>Logs at Host1(Responder)</div>
<div> </div>
<div>10[IKE] (vr2)14.0.0.2 is initiating an IKE_SA</div>
<div>10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>09[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>09[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro@nsn.com"</div>
<div>09[CFG] <font color="red">looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]</font></div>
<div>09[CFG] selected peer config 'r1~v1'</div>
<div><font color="#00B050">09[CFG] using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro@nsn.com"</font></div>
<div><font color="#00B050">09[CFG] using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</font></div>
<div><font color="#00B050">09[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro@nsn.com"</font></div>
<div><font color="#00B050">09[CFG] certificate status is not available</font></div>
<div><font color="#00B050">09[CFG] reached self-signed root ca with a path length of 0</font></div>
<div><font color="#00B050">09[IKE] authentication of '(vr*)14.0.0.2' with RSA signature successful</font></div>
<div><font color="#00B050">09[IKE] authentication of '(vr*)30.0.0.1' (myself) with RSA signature successful</font></div>
<div> </div>
<div>10[IKE] 13.0.0.2 is initiating an IKE_SA</div>
<div>10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>12[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>12[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro@nsn.com"</div>
<div>12[CFG] <font color="red">looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]</font></div>
<div>12[CFG] selected peer config 'r2~v2'</div>
<div><font color="#00B050">12[CFG] using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro@nsn.com"</font></div>
<div><font color="#00B050">12[CFG] using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</font></div>
<div><font color="#00B050">12[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro@nsn.com"</font></div>
<div><font color="#00B050">12[CFG] certificate status is not available</font></div>
<div><font color="#00B050">12[CFG] reached self-signed root ca with a path length of 0</font></div>
<div><font color="#00B050">12[IKE] authentication of '(vr*)13.0.0.2' with RSA signature successful</font></div>
<div><font color="#00B050">12[IKE] authentication of '(vr*)20.0.0.1' (myself) with RSA signature successful</font></div>
<div> </div>
<div> </div>
<div>But same configuration with secrets does not go through fine.</div>
<div> </div>
<div>Host1 ipsec.conf, ipsec.secrets</div>
<div> </div>
<div> </div>
<div> </div>
<div>Host 2 ipsec.conf, ipsec.secrets</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>When r1~v1, r2~v2 are initiated from Host2, Host1 fails the authentication with below error :-</div>
<div> </div>
<div>09[IKE] (vr2)14.0.0.2 is initiating an IKE_SA</div>
<div>09[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>08[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>08[CFG] <font color="red">looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]</font></div>
<div>08[CFG] selected peer config 'r1~v1'</div>
<div>08[IKE] <font color="red">no shared key found for '(vr*)%any' - '(vr*)14.0.0.2'</font></div>
<div><font color="red"> </font></div>
<div> </div>
<div>11[IKE] 13.0.0.2 is initiating an IKE_SA</div>
<div>11[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>10[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro@nsn.com"</div>
<div>10[CFG] <font color="red">looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]</font></div>
<div>10[CFG] selected peer config 'r2~v2'</div>
<div>10[IKE] <font color="red">no shared key found for '(vr*)%any' - '(vr*)13.0.0.2'</font></div>
<div> </div>
<div> </div>
<div> </div>
<div>As far as my understanding goes, %any identity is looked for in ipsec.secrets file of HOST1, which is not available and hence the error.</div>
<div> </div>
<div>But then for certificates too, %any is not mentioned in ipsec.secrets file, then how does the authentication goes through fine for both the connections with the respective private keys at HOST1.</div>
<div> </div>
<div>Can someone explain this.</div>
<div> </div>
<div>Thanks</div>
<div>Sumit</div>
<div> </div>
</span></font>
</body>
</html>