[strongSwan] received AUTHENTICATION_FAILED notify error
Andreas Steffen
andreas.steffen at strongswan.org
Wed Mar 31 13:32:50 CEST 2010
It probably doesn't have an influence when using PSKs
but you shouldn't set
strictcrlpolicy=yes
which requires a valid CRL.
BTW - could this be the reason your certificate-based
authentication failed???
Regards
Andreas
On 31.03.2010 11:44, Abbhishek Misra wrote:
> Hello listreaders,
>
> (started a new thread as these are fresh settings)
>
> I moved on to a shared key with both ends instead of certificates.
>
> It's still not coming up due to AUTHENTICATION_FAILED notify error
>
> below are my new settings
>
> plm56:~/abhishek # cat /etc/ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     crlcheckinterval=600
>     strictcrlpolicy=yes
>     plutostart=no
>     charondebug=all
>     cachecrls=yes
>     nat_traversal=yes
>
> conn charontest
>     left=9.182.176.61
>     right=9.182.176.56
>     type=transport
>     keyexchange=ikev2
>     mobike=no
>     auto=add
>     authby=secret
>     ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>
> plm56:~/abhishek # cat /etc/ipsec.secrets
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> 9.182.176.61 9.182.176.56 : PSK "abcdefg12345"
> plm56:~/abhishek #
>
>
> plm61:~/abhishek # rm /etc/ipsec.conf
> plm61:~/abhishek # rm /etc/ipsec.secrets
> plm61:~/abhishek #
> plm61:~/abhishek # scp plm56:/etc/ipsec.conf /etc/ipsec.conf
> ipsec.conf 100% 449 0.4KB/s 00:00
> plm61:~/abhishek # scp plm56:/etc/ipsec.secrets /etc/ipsec.secrets
> ipsec.secrets 100% 101 0.1KB/s 00:00
> plm61:~/abhishek #
>
> started ipsec on both ends
>
> plm61:~/abhishek # ipsec restart
> Stopping strongSwan IPsec...
> Starting strongSwan 4.3.4 IPsec [starter]...
> plm61:~/abhishek #
> plm61:~/abhishek #
> plm61:~/abhishek # ipsec up charontest
> initiating IKE_SA charontest[1] to 9.182.176.56
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 9.182.176.61[500] to 9.182.176.56[500]
> received packet: from 9.182.176.56[500] to 9.182.176.61[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> authentication of '9.182.176.61' (myself) with pre-shared key
> establishing CHILD_SA charontest
> generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) ]
> sending packet: from 9.182.176.61[500] to 9.182.176.56[500]
> received packet: from 9.182.176.56[500] to 9.182.176.61[500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> plm61:~/abhishek #
> plm61:~/abhishek #
>
> plm61:~/abhishek # ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.3.4):
> uptime: 5 minutes, since Mar 31 20:17:24 2010
> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
> loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 hmac xcbc stroke kernel-netlink updown
> Listening IP addresses:
> 9.182.176.61
> Connections:
> charontest: 9.182.176.61...9.182.176.56
> charontest: local: [9.182.176.61] uses pre-shared key authentication
> charontest: remote: [9.182.176.56] uses any authentication
> charontest: crl: status must be GOOD
> charontest: child: dynamic === dynamic
> Security Associations:
> none
> plm61:~/abhishek #
>
> log messages also do not have any additional info
>
> let me know your views on this.
>
> regards
> Abhishek
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
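
Added example (not part of the original message and not strongSwan code): a small ipsec.conf check for the point made in the reply, that strictcrlpolicy=yes requires a valid CRL and is of no use to a PSK connection. The function names and the SAMPLE text are constructed for illustration; a conn without authby is assumed not to be PSK-only.

```python
# Added example, not strongSwan code. SAMPLE is constructed from the thread's config.
SAMPLE = """\
config setup
    crlcheckinterval=600
    strictcrlpolicy=yes

conn charontest
    left=9.182.176.61
    right=9.182.176.56
    keyexchange=ikev2
    authby=secret
"""

def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn <name>": {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        words = line.split()
        if words[0] in ("config", "conn") and len(words) == 2 and "=" not in line:
            current = sections.setdefault(" ".join(words), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_crl_policy(text):
    """List (conn, note) pairs describing what strictcrlpolicy=yes means per conn."""
    sections = parse_ipsec_conf(text)
    if sections.get("config setup", {}).get("strictcrlpolicy", "no") != "yes":
        return []
    defaults = sections.get("conn %default", {})
    findings = []
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        # Assumption of this example: a conn without authby is not PSK-only.
        authby = params.get("authby", defaults.get("authby", ""))
        if authby == "secret":
            note = "PSK authentication: no CRL is involved, strictcrlpolicy=yes can be dropped"
        else:
            note = "if certificates are used, a valid CRL must be available"
        findings.append((name[len("conn "):], note))
    return findings

if __name__ == "__main__":
    for conn, note in check_crl_policy(SAMPLE):
        print(f"{conn}: {note}")
```

The parser ignores indentation, so it also accepts a configuration whose leading whitespace was lost in a mail archive.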