[strongSwan] Can't connect with chained certificates
Ygor Amadeo Sartori Regados
ygor.regados at yahoo.com.br
Sun Apr 11 17:21:27 CEST 2010
Hi.
I did as you suggested, but the problem persists.
*New configuration file (client):*
config setup
        nat_traversal = yes
        plutostart = yes
        charonstart = yes
        plutostderrlog = /var/log/pluto.log

conn %default
        leftfirewall=yes
        mobike=yes
        compress=yes
        auto=start

conn rw-zanardo
        keyexchange=ikev2
        left = %defaultroute
        leftcert = client.pem
        right = 200.178.219.170
        rightid = "C=BR, ST=SP, O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61:20:28:41:63:65:73:73:6f:20:72:65:6d:6f:74:6f:29, CN=interno.zanardo.com.br, E=sysadm at zanardo.info.tm"
        rightsubnet = 192.168.0.0/24
*Log on server:*
Apr 11 12:15:02 mailproxy charon: 12[NET] received packet: from 189.62.157.236[49748] to 200.178.219.170[500]
Apr 11 12:15:02 mailproxy charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 11 12:15:02 mailproxy charon: 12[IKE] 189.62.157.236 is initiating an IKE_SA
Apr 11 12:15:02 mailproxy charon: 12[IKE] remote host is behind NAT
Apr 11 12:15:02 mailproxy charon: 12[IKE] sending cert request for "O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61, E=sysadm at zanardo.info.tm, L=41:72:61:e7:61:74:75:62:61, ST=SP, C=BR, CN=AC Raiz"
Apr 11 12:15:02 mailproxy charon: 12[IKE] sending cert request for "C=BR, ST=SP, O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61, CN=AC para VPNs, E=sysadm at zanardo.info.tm"
Apr 11 12:15:02 mailproxy charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 11 12:15:02 mailproxy charon: 12[NET] sending packet: from 200.178.219.170[500] to 189.62.157.236[49748]
Apr 11 12:15:03 mailproxy charon: 13[NET] received packet: from 189.62.157.236[49750] to 200.178.219.170[4500]
Apr 11 12:15:03 mailproxy charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Apr 11 12:15:03 mailproxy charon: 13[IKE] received cert request for "C=BR, ST=SP, O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61, CN=AC para VPNs, E=sysadm at zanardo.info.tm"
Apr 11 12:15:03 mailproxy charon: 13[IKE] received cert request for "O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61, E=sysadm at zanardo.info.tm, L=41:72:61:e7:61:74:75:62:61, ST=SP, C=BR, CN=AC Raiz"
Apr 11 12:15:03 mailproxy charon: 13[IKE] received end entity cert "C=BR, ST=SP, O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61:20:28:41:63:65:73:73:6f:20:72:65:6d:6f:74:6f:29, CN=Ygor A. S. Regados (PC), E=ygor.regados at yahoo.com.br"
Apr 11 12:15:03 mailproxy charon: 13[CFG] looking for peer configs matching 200.178.219.170[C=BR, ST=SP, O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61:20:28:41:63:65:73:73:6f:20:72:65:6d:6f:74:6f:29, CN=interno.zanardo.com.br, 60:86:48:86:f7:0d:01:09:01=sysadm at zanardo.info.tm]...189.62.157.236[C=BR, ST=SP, O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, OU=44:70:74:6f:2e:20:64:65:20:49:6e:66:6f:72:6d:e1:74:69:63:61:20:28:41:63:65:73:73:6f:20:72:65:6d:6f:74:6f:29, CN=Ygor A. S. Regados (PC), E=ygor.regados at yahoo.com.br]
Apr 11 12:15:03 mailproxy charon: 13[CFG] no matching peer config found
Apr 11 12:15:03 mailproxy charon: 13[IKE] peer supports MOBIKE
Apr 11 12:15:03 mailproxy charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 11 12:15:03 mailproxy charon: 13[NET] sending packet: from 200.178.219.170[4500] to 189.62.157.236[49750]
Andreas Steffen wrote:
> Hi Ygor,
>
> is right = ***.***.***.*** contained as a subjectAltName in the rw.pem
> certificate? If not then you must define rightid=<subject DN of rw.pem>
> on the client side.
>
> Regards
>
> Andreas
--
Ygor Amadeo Sartori Regados
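charon prints non-ASCII DN attribute values as colon-separated hex bytes, which makes the "looking for peer configs matching" line hard to compare against rightid by eye. The following is an added example, not code from this thread or from strongSwan: it decodes those hex values (assuming Latin-1, which fits the e7/e3/e1 bytes in the log above), leaves hex attribute types untouched, and reports each peer-config lookup together with whether charon found a match. The sample log lines are constructed from the ones in the post, with the DNs shortened.

```python
import re

# Constructed sample: three charon lines modelled on the server log in the post,
# with the DNs shortened and the archive's "at" spelling of "@" kept as-is.
SAMPLE_LOG = """\
Apr 11 12:15:03 mailproxy charon: 13[IKE] received end entity cert "C=BR, O=5a:61:6e:61:72:64:6f:20:49:6e:73:74:72:75:6d:65:6e:74:61:e7:e3:6f:20:49:6e:64:75:73:74:72:69:61:6c:20:4c:74:64:61:2e, L=41:72:61:e7:61:74:75:62:61, CN=Ygor A. S. Regados (PC)"
Apr 11 12:15:03 mailproxy charon: 13[CFG] looking for peer configs matching 200.178.219.170[C=BR, CN=interno.zanardo.com.br, 60:86:48:86:f7:0d:01:09:01=sysadm at zanardo.info.tm]...189.62.157.236[C=BR, CN=Ygor A. S. Regados (PC)]
Apr 11 12:15:03 mailproxy charon: 13[CFG] no matching peer config found
"""

# A value printed as colon-separated hex bytes, e.g. "41:72:61:e7:61:74:75:62:61".
HEX_RUN = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2})+$")
# One "type=value" pair of a comma-separated DN as charon prints it.
ATTR = re.compile(r"([^=,]+)=([^,]*)")
LOOKUP = re.compile(
    r"looking for peer configs matching (\S+)\[(.*)\]\.\.\.(\S+)\[(.*)\]$")

def decode_dn(dn):
    """Make a charon-printed DN readable: colon-hex attribute *values* are
    decoded as Latin-1 (an assumption that fits this log); colon-hex attribute
    *types* are OIDs charon had no short name for and are left as they are."""
    parts = []
    for typ, val in ATTR.findall(dn):
        typ, val = typ.strip(), val.strip()
        if HEX_RUN.match(val):
            val = bytes.fromhex(val.replace(":", "")).decode("latin-1")
        parts.append(f"{typ}={val}")
    return ", ".join(parts)

def peer_lookups(log):
    """Return one record per 'looking for peer configs' line: the local and
    remote (address, decoded ID) pairs charon tried to match, and whether the
    following CFG line reported 'no matching peer config found'."""
    lines = log.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = LOOKUP.search(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        records.append({
            "local": (m.group(1), decode_dn(m.group(2))),
            "remote": (m.group(3), decode_dn(m.group(4))),
            "matched": "no matching peer config found" not in nxt,
        })
    return records
```

Run `peer_lookups(SAMPLE_LOG)` against a real charon log to list every failed lookup with both IDs decoded, so the IDr the client sent can be compared against the server's configured identity directly.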