[strongSwan] "no matching config found", strongSwan to strongSwan w/IKEv2 setup

Jaime Vargas jaivarsa at gmail.com
Tue Oct 19 09:25:49 CEST 2010


Hello,

I'm doing tests to add IKEv2 functionality to our VPN gateway, since
we would like to use it for Windows 7 users and solve the problem of
several people not being able to connect behind the same NAT box (at
least for this OS). My first lab tests are being done on two virtual
machines which are on the same network segment (so no NAT) and once I
can verify that the SAs are done and the IPsec connection is
established, I'll do another test with physical machines.

First test is strongSwan to strongSwan, IKEv2 only. When I make it
work I'll move on to mix IKEv2 and IKEv1 clients.

However, I'm having problems with the server not authorizing the
connection, with the log message "no matching config found".

This is the configuration on the roadwarrior client (Ubuntu Hardy):

version 2.0
config setup
	interfaces=%defaultroute
	plutostart=no

conn %default
	ikelifetime=660m
	keylife=360m
	rekeymargin=360m
	keyingtries=1
	keyexchange=ikev2
conn roadwarrior
    left=%defaultroute
    leftsourceip=%config
    leftcert=cert.pem
    right=192.168.182.200
    rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org,
E=test at vpntest.org"
    rightsubnet=10.0.0.0/8
    auto=start


And this is the configuration on the gateway moon (Debian Lenny):

version 2.0
config setup
	charondebug="mgr 3, ike 3, knl 3"
	crlcheckinterval=3600
	cachecrls=yes
	interfaces=%defaultroute
	uniqueids=yes
	charonstart=yes
	plutostart=no

conn %default
	ike=aes-sha,3des-sha
	esp=aes-sha1,3des-sha1
	ikelifetime=360m
	keylife=8h
	rekey=no
	rekeymargin=9m
	rekeyfuzz=0%
	keyingtries=1
	left=192.168.182.200
	leftcert=cert.pem
	leftfirewall=no
	
ca RootCA
	auto=add
	cacert=caroot.pem
ca SubCA
	auto=add
	cacert=cacert.pem

conn roadwarrior
	type=tunnel
	leftsourceip=10.1.0.1
	leftsubnet=10.0.0.0/8
	right=%any
	rightca="C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca at vpntest.org"
	rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
	rightsourceip=10.20.253.253
	keyexchange=ikev2
	auto=add


This is the relevant part of daemon.log:

Oct 18 12:39:44 vpn-gateway charon: 15[NET] received packet: from
192.168.182.138[500] to 192.168.182.200[500]
Oct 18 12:39:44 vpn-gateway charon: 15[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_D_IP) N(NATD_S_IP) ]
Oct 18 12:39:44 vpn-gateway charon: 15[AUD] 192.168.182.138 is
initiating an IKE_SA
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] IKE_SA '(unnamed)' state
change: CREATED => CONNECTING
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] received
NAT_DETECTION_DESTINATION_IP notify
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] received
NAT_DETECTION_SOURCE_IP notify
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] sending cert request for
"C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca at vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] sending cert request for
"C=ES, O=VPN Test, OU=PKI, CN=Sub CA, E=ca at vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 15[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 18 12:39:44 vpn-gateway charon: 15[NET] sending packet: from
192.168.182.200[500] to 192.168.182.138[500]
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] checkin IKE_SA
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] found entry by pointer
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] check-in of IKE_SA successful.
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] 1 IKE_SAs in manager now
Oct 18 12:39:44 vpn-gateway charon: 16[MGR] checkout IKE_SA by
message, 1 IKE_SAs in manager
Oct 18 12:39:44 vpn-gateway charon: 16[MGR] found entry by both SPIs
Oct 18 12:39:44 vpn-gateway charon: 16[MGR] IKE_SA successfully checked out
Oct 18 12:39:44 vpn-gateway charon: 16[NET] received packet: from
192.168.182.138[4500] to 192.168.182.200[4500]
Oct 18 12:39:44 vpn-gateway charon: 16[ENC] parsed IKE_AUTH request 1
[ IDi CERTREQ CERT IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
]
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] received cert request for
"C=ES, O=VPN Test, OU=PKI, CN=Sub CA, E=ca at vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] received cert request for
"C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca at vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] received end entity cert
"C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG]   using certificate "C=ES,
O=VPN Test, OU=Test, CN=usuario-ikev2"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG]   using trusted
intermediate ca certificate "C=ES, O=VPN Test, OU=PKI, CN=Sub CA,
E=ca at vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] checking certificate
status of "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] certificate status is not available
Oct 18 12:39:44 vpn-gateway charon: 16[CFG]   using trusted ca
certificate "C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca at vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] checking certificate
status of "C=ES, O=VPN Test, OU=PKI, CN=Sub CA, E=ca at vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] certificate status is not available
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] authentication of 'C=ES,
O=VPN Test, OU=Test, CN=usuario-ikev2' with RSA signature successful
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] peer supports MOBIKE
Oct 18 12:39:44 vpn-gateway charon: 16[AUD] no matching config found
for 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org,
E=test at vpntest.org'...'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'
Oct 18 12:39:44 vpn-gateway charon: 16[ENC] generating IKE_AUTH
response 1 [ N(AUTH_FAILED) ]

What am I missing?
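The AUD line in the log names the two identities charon tried to match against a conn (the gateway's own identity IDr, then the peer's IDi), and config selection on the responder compares IDi against each conn's rightid. The following is an added example, not part of this thread, that parses the gateway conn from the post and checks which conns accept the peer identity taken from that log line, using a simplified model of strongSwan's DN matching (RDN by RDN, with `*` accepted as a wildcard value; DNs with escaped commas are not handled, leftid, which defaults to the leftcert subject, is not modelled, and a conn without rightid is treated as %any). The conf and log excerpts are constructed from the post.

```python
import re

# Constructed excerpt of the gateway ipsec.conf from the post (selection-relevant keys only).
GATEWAY_CONF = """
conn %default
    left=192.168.182.200
    leftcert=cert.pem
conn roadwarrior
    right=%any
    rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
    keyexchange=ikev2
    auto=add
"""

# The AUD line from the post's daemon.log, joined onto one line.
LOG_LINE = ("Oct 18 12:39:44 vpn-gateway charon: 16[AUD] no matching config found for "
            "'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org'"
            "...'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'")

def ids_from_log(line):
    """Return (IDr, IDi) from a 'no matching config found' line, or None."""
    m = re.search(r"no matching config found for '([^']*)'\.\.\.'([^']*)'", line)
    return (m.group(1), m.group(2)) if m else None

def parse_conns(text):
    """Parse conn sections into {name: {key: value}}, folding conn %default into each."""
    conns, cur = {}, None
    for line in text.splitlines():
        if (m := re.match(r'^conn\s+(\S+)', line)):
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r'^\s+(\w+)=(.*)$', line)):
            cur[m.group(1)] = m.group(2).strip().strip('"')
    default = conns.pop('%default', {})
    return {n: {**default, **c} for n, c in conns.items()}

def dn_matches(pattern, dn):
    """RDN-by-RDN comparison; a pattern value of '*' accepts any value for that RDN.
    Simplified model of strongSwan's DN matching (escaped commas not handled)."""
    p = [r.strip().partition('=') for r in pattern.split(',')]
    d = [r.strip().partition('=') for r in dn.split(',')]
    return len(p) == len(d) and all(
        pk.strip() == dk.strip() and pv.strip() in ('*', dv.strip())
        for (pk, _, pv), (dk, _, dv) in zip(p, d))

def conns_accepting(conns, peer_id):
    """Names of conns whose rightid accepts peer_id; a missing rightid is treated as %any."""
    return [n for n, c in conns.items()
            if c.get('rightid', '%any') == '%any' or dn_matches(c['rightid'], peer_id)]
```

Running `conns_accepting(parse_conns(GATEWAY_CONF), ids_from_log(LOG_LINE)[1])` on the post's config returns no conn, because rightid names CN=roadwarrior while the peer authenticated as CN=usuario-ikev2; changing that RDN to `CN=*` makes the conn accept it.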