[strongSwan] Host-To-Host IKEV2 - no matching peer config found
Anthony Moon
amoon at ezp.net
Wed Nov 10 19:21:18 CET 2010
I'm trying to connect server nnmain to server tony1 but I get this error
"11[CFG] looking for peer configs matching
173.45.168.24[nnmain.ezprovider.net]...66.199.171.245[C=US, ST=CA,
L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain]
11[CFG] no matching peer config found"
Here are my configuration files (ipsec.conf):
Tony1:
config setup
        plutostart=no
        interfaces=%defaultroute

conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no

conn net-to-net
        left=66.199.171.245
        leftcert=vpnCert.pem
        leftid=@tony1.ezp.net
        leftfirewall=yes
        right=173.45.168.24
        rightid=@nnmain.ezprovider.net
        auto=add
nnmain:
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn net-net
        left=173.45.168.24
        leftcert=nnmain.pem
        leftid=@nnmain.ezprovider.net
        leftfirewall=yes
        right=66.199.171.245
        rightid=@tony1.ezp.net
        auto=add
And here are the connection logs:
Tony1:
01[CFG] received stroke: initiate 'net-to-net'
10[IKE] initiating IKE_SA net-to-net[1] to 173.45.168.24
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
10[NET] sending packet: from 66.199.171.245[500] to 173.45.168.24[500]
12[NET] received packet: from 173.45.168.24[500] to 66.199.171.245[500]
12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]
12[IKE] received cert request for "C=US, ST=CA, L=SanFrancisco,
O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain"
12[IKE] sending cert request for "C=US, ST=CA, L=SanFrancisco,
O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain"
12[IKE] authentication of 'C=US, ST=CA, L=SanFrancisco, O=Fort-Funston,
CN=tony1.ezp.net, E=me at myhost.mydomain' (myself) with RSA signature
successful
12[IKE] sending end entity cert "C=US, ST=CA, L=SanFrancisco,
O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain"
12[IKE] establishing CHILD_SA net-to-net
12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
12[NET] sending packet: from 66.199.171.245[4500] to 173.45.168.24[4500]
05[NET] received packet: from 173.45.168.24[4500] to 66.199.171.245[4500]
05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
05[IKE] received AUTHENTICATION_FAILED notify error
Nnmain:
charon (14675) started after 120 ms
05[CFG] received stroke: add connection 'net-net'
05[CFG] loaded certificate "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston,
CN=nnmain.ezprovider.net, E=hello at yeah.ca" from 'nnmain.pem'
05[CFG] id 'nnmain.ezprovider.net' not confirmed by certificate,
defaulting to 'C=US, ST=CA, L=SanFrancisco, O=Fort-Funston,
CN=nnmain.ezprovider.net, E=hello at yeah.ca'
05[CFG] added configuration 'net-net'
10[NET] received packet: from 66.199.171.245[500] to 173.45.168.24[500]
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[IKE] 66.199.171.245 is initiating an IKE_SA
10[IKE] sending cert request for "C=US, ST=CA, L=SanFrancisco,
O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain"
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
10[NET] sending packet: from 173.45.168.24[500] to 66.199.171.245[500]
11[NET] received packet: from 66.199.171.245[4500] to 173.45.168.24[4500]
11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
11[IKE] received cert request for "C=US, ST=CA, L=SanFrancisco,
O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain"
11[IKE] received end entity cert "C=US, ST=CA, L=SanFrancisco,
O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain"
11[CFG] looking for peer configs matching
173.45.168.24[nnmain.ezprovider.net]...66.199.171.245[C=US, ST=CA,
L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain]
11[CFG] no matching peer config found
11[IKE] peer supports MOBIKE
11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11[NET] sending packet: from 173.45.168.24[4500] to 66.199.171.245[4500]
What am I doing wrong?
--
Anthony Moon
EZProvider Networks, Inc.
http://ezp.net
1.888.397.7853 x203
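The two charon lines that decide this exchange are "id '...' not confirmed by certificate, defaulting to '<DN>'" and "looking for peer configs matching A[me]...B[other]": an @fqdn id that the certificate does not carry (as subject or subjectAltName) is replaced by the certificate's DN, while the identities charon then has to match come from the IDr and IDi payloads the peer sent, so a conn whose leftid/rightid are plain FQDNs never matches. The Python below is an added diagnostic, not code from the post or from strongSwan: it parses a constructed copy of those log lines (the mailer's line wrapping undone) and reports each identity mismatch; its plain string comparison of ids is an assumption made for brevity, since strongSwan's own matching is type-aware.

```python
import re

# Constructed sample: the decisive charon records from the post, each on one line.
SAMPLE_LOG = """\
05[CFG] id 'nnmain.ezprovider.net' not confirmed by certificate, defaulting to 'C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=nnmain.ezprovider.net, E=hello at yeah.ca'
11[CFG] looking for peer configs matching 173.45.168.24[nnmain.ezprovider.net]...66.199.171.245[C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me at myhost.mydomain]
11[CFG] no matching peer config found
"""

NOT_CONFIRMED = re.compile(r"id '([^']+)' not confirmed by certificate, defaulting to '([^']+)'")
LOOKUP = re.compile(r"looking for peer configs matching ([0-9.]+)\[(.+?)\]\.\.\.([0-9.]+)\[(.+)\]$")


def parse_charon(log):
    """Collect the DN fallbacks and the me/other identities charon tried to match."""
    fallbacks = {}   # configured id -> DN charon used instead
    lookup = None    # 'me' comes from the peer's IDr payload, 'peer' from its IDi payload
    for line in log.splitlines():
        m = NOT_CONFIRMED.search(line)
        if m:
            fallbacks[m.group(1)] = m.group(2)
        m = LOOKUP.search(line)
        if m:
            lookup = {"my_addr": m.group(1), "my_id": m.group(2),
                      "peer_addr": m.group(3), "peer_id": m.group(4)}
    return fallbacks, lookup


def diagnose(log, leftid, rightid):
    """Return the reasons the conn's leftid/rightid cannot match what charon saw on the wire."""
    fallbacks, lookup = parse_charon(log)
    leftid, rightid = leftid.lstrip("@"), rightid.lstrip("@")
    findings = []
    # A leftid absent from the certificate is silently replaced by the cert's DN.
    effective_leftid = fallbacks.get(leftid, leftid)
    if effective_leftid != leftid:
        findings.append(f"leftid {leftid!r} is not in the local certificate; charon uses DN {effective_leftid!r}")
    if lookup is None:
        return findings
    # Assumption: exact string equality stands in for strongSwan's type-aware id matching.
    if effective_leftid != lookup["my_id"]:
        findings.append(f"peer sent IDr {lookup['my_id']!r} but the local identity is {effective_leftid!r}")
    if rightid != lookup["peer_id"]:
        findings.append(f"rightid {rightid!r} does not match the peer's IDi {lookup['peer_id']!r}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "@nnmain.ezprovider.net", "@tony1.ezp.net"):
        print("-", finding)
```

Running it against the nnmain side of the post reports three findings: the leftid fallback to the DN, the IDr/local-identity mismatch, and the rightid/IDi mismatch.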