[strongSwan] Trying a basic peer-to-peer IPsec setup with strongSwan and it is failing due to some key-related issue
shyamsundar.purkayastha at wipro.com
Mon Apr 19 17:57:44 CEST 2010
Hi All,
I have started using strongSwan 4.3.6 and just tried the basic peer-to-peer setup using two Linux machines. I am unable to get the connection up and it always displays a "private key not found" error for a DN name. I have browsed through several related posts in this list but somehow could not find the solution to it. So I really apologize if this is a duplicate post.
I have two Linux machines, 211 (IP address 10.201.114.211) and 178 (IP address 10.201.114.178), between which I am trying to create the IPsec connection.
Here is the debugging data for both the machines.
211
ipsec.conf
-----------------------------------------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
charondebug="ike 4, knl 4, cfg 4"
# Add connections here.
# Sample VPN connections
conn 211TO178Tunnel
left=10.201.114.211
leftcert=211Cert.pem
right=10.201.114.178
#rightid="C=IN, O=WT, CN=10.201.114.178"
keyexchange=ikev2
#type=tunnel
auto=add
ipsec.secrets
--------------------------------------------------------------------------------------------
: RSA 211Key.pem "2111"
ipsec up 211TO178Tunnel
-----------------------------------------------------------------------------------------------
initiating IKE_SA 211TO178Tunnel[1] to 10.201.114.178
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.201.114.211[500] to 10.201.114.178[500]
received packet: from 10.201.114.178[500] to 10.201.114.211[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, E=info at wt.com"
sending cert request for "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, E=info at wt.com"
no private key found for 'C=IN, ST=KAR, O=WT, OU=TEV, CN=10.201.114.211, E=info at s2-wt.com'
When I do an ipsec start, I get the following log in syslog at the end:
getting interface name for 10.201.114.178
Apr 20 02:31:11 localhost charon: 14[KNL] 10.201.114.178 is not a local address
Apr 20 02:31:11 localhost charon: 14[KNL] getting interface name for 10.201.114.211
Apr 20 02:31:11 localhost charon: 14[KNL] 10.201.114.211 is on interface eth0
Apr 20 02:31:11 localhost charon: 14[CFG] loaded certificate "C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com" from '211Cert.pem'
Apr 20 02:31:11 localhost charon: 14[CFG] id '10.201.114.211' not confirmed by certificate, defaulting to 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com'
Apr 20 02:31:11 localhost charon: 14[CFG] added configuration '211TO178Tunnel'
I feel that the message "id '10.201.114.211' not confirmed by certificate, defaulting to 'C=IN, ST=KAR, O=WT, OU=TEV, CN=211, E=info at s2-wt.com'" could be the culprit, but I am unable to figure out the reason.
ipsec listcerts
List of X.509 End Entity Certificates:
subject: "C=IN, ST=KAR, O=WT, OU=TEV, CN=10.201.114.211, E=info at s2-wt.com"
issuer: "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, E=info at wt.com"
serial: 01:22
validity: not before Apr 20 00:35:20 2010, ok
not after Apr 19 00:35:20 2012, ok
pubkey: RSA 1024 bits
keyid: de:70:04:d4:76:ef:23:10:b2:98:88:20:d3:ab:78:8c:54:4c:3b:54
subjkey: 34:b8:59:19:d5:2a:a9:f9:48:76:ff:8d:f1:79:ab:3f:71:d6:4b:86
authkey: 09:57:1b:cc:fa:28:3d:fe:0e:ac:fb:97:fe:89:6f:53:9d:4b:8f:0d
178
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
crlcheckinterval=600
strictcrlpolicy=no
charondebug="ike 4, knl 4, cfg 4"
plutostart=no
# Add connections here.
# Sample VPN connections
conn 211TO178Tunnel
right=10.201.114.211
left=10.201.114.178
leftcert=178Cert.pem
#rightid="C=IN, O=WT, CN=10.201.114.211"
keyexchange=ikev2
#type=tunnel
auto=add
ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA 178Key.pem "1788"
ipsec listcerts
List of X.509 End Entity Certificates:
subject: "C=IN, ST=KAR, O=WT, OU=TEV, CN=178, E=info at sjp-wt.com"
issuer: "C=IN, ST=KAR, L=EC, O=WT, OU=TEV, CN=10.201.114.211, E=info at wt.com"
serial: 01:25
validity: not before Apr 20 02:13:03 2010, ok
not after Apr 19 02:13:03 2012, ok
pubkey: RSA 1024 bits
keyid: 5c:ff:4f:12:27:37:95:38:7f:3c:13:e6:c5:43:49:c4:0d:13:10:44
subjkey: 6a:de:d5:87:6f:d6:e5:61:e6:42:f7:84:1f:1c:35:e3:96:1a:92:96
authkey: 09:57:1b:cc:fa:28:3d:fe:0e:ac:fb:97:fe:89:6f:53:9d:4b:8f:0d
When I do an ipsec start on 178, I get the same "not confirmed by certificate" message.
I have verified, reverified and recreated the keys several times with different CN values also, but no success.
Regards
Shyam
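A diagnostic for the two symptoms in this post, added here as an example and not part of the original message: charon looks the private key up by the public key embedded in leftcert, so a key in ipsec.secrets (or a wrong passphrase) that does not belong to 211Cert.pem yields "no private key found", and it keeps the configured left/leftid only if the certificate carries that identity as its subject DN or as a subjectAltName, otherwise it falls back to the DN exactly as the "not confirmed by certificate" line says. The script assumes the openssl CLI; the file names in the usage line come from the post, the passphrase argument and the script name are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: checks whether a private key belongs
# to a leftcert and whether an identity is confirmed by that certificate.
# Requires the openssl CLI; file names and identities are assumptions.

# Returns 0 when the key's public half equals the certificate's public key.
# $3 is the passphrase for an encrypted key, as given in ipsec.secrets.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# SHA-1 of the DER subjectPublicKeyInfo, the value "ipsec listcerts" prints as keyid.
cert_keyid() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha1 -c | awk '{print $NF}'
}

# Returns 0 when $2 equals the subject DN or appears as an IP, DNS or email SAN.
cert_confirms_id() {
    want=$(printf '%s' "$2" | sed 's/, */,/g')
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253,-dn_rev 2>/dev/null \
        | sed 's/^subject= *//; s/, */,/g')
    [ "$subj" = "$want" ] && return 0
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF -e "IP Address:$want" -e "DNS:$want" -e "email:$want"
}

# Usage: sh check_leftcert.sh 211Cert.pem 211Key.pem 10.201.114.211 [passphrase]
if [ $# -ge 3 ]; then
    if key_matches_cert "$1" "$2" "$4"; then
        echo "key matches $1 (keyid $(cert_keyid "$1"))"
    else
        echo "KEY MISMATCH: charon will log 'no private key found' for this cert"
    fi
    if cert_confirms_id "$1" "$3"; then
        echo "identity $3 is confirmed by $1"
    else
        echo "identity $3 is not in $1: charon falls back to the subject DN (set leftid or reissue with a matching SAN)"
    fi
fi
```

Run it on each machine against its own leftcert, key and left address; a mismatch in the first check is the direct cause of the "no private key found" error, the second check explains the fallback to the DN.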