[strongSwan] "no matching config found", strongSwan to strongSwan w/IKEv2 setup
Jaime Vargas
jaivarsa at gmail.com
Tue Oct 19 09:25:49 CEST 2010
Hello,
I'm doing tests to add IKEv2 functionality to our VPN gateway, since
we would like to use it for Windows 7 users and solve the problem of
several people not being able to connect behind the same NAT box (at
least for this OS). My first lab tests are being done on two virtual
machines which are on the same network segment (so no NAT), and once I
can verify that the SAs are done and the IPsec connection is
established, I'll do another test with physical machines.
The first test is strongSwan to strongSwan, IKEv2 only. When I make it
work, I'll move on to mixing IKEv2 and IKEv1 clients.
However, I'm having problems with the server not authorizing the
connection, with the log message "no matching config found".
This is the configuration on the roadwarrior client (Ubuntu Hardy):
version 2.0
config setup
    interfaces=%defaultroute
    plutostart=no
conn %default
    ikelifetime=660m
    keylife=360m
    rekeymargin=360m
    keyingtries=1
    keyexchange=ikev2
conn roadwarrior
    left=%defaultroute
    leftsourceip=%config
    leftcert=cert.pem
    right=192.168.182.200
    rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test@vpntest.org"
    rightsubnet=10.0.0.0/8
    auto=start
And this is the configuration on the gateway moon (Debian Lenny):
version 2.0
config setup
    charondebug="mgr 3, ike 3, knl 3"
    crlcheckinterval=3600
    cachecrls=yes
    interfaces=%defaultroute
    uniqueids=yes
    charonstart=yes
    plutostart=no
conn %default
    ike=aes-sha,3des-sha
    esp=aes-sha1,3des-sha1
    ikelifetime=360m
    keylife=8h
    rekey=no
    rekeymargin=9m
    rekeyfuzz=0%
    keyingtries=1
    left=192.168.182.200
    leftcert=cert.pem
    leftfirewall=no
ca RootCA
    auto=add
    cacert=caroot.pem
ca SubCA
    auto=add
    cacert=cacert.pem
conn roadwarrior
    type=tunnel
    leftsourceip=10.1.0.1
    leftsubnet=10.0.0.0/8
    right=%any
    rightca="C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca@vpntest.org"
    rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
    rightsourceip=10.20.253.253
    keyexchange=ikev2
    auto=add
This is the relevant part of daemon.log:
Oct 18 12:39:44 vpn-gateway charon: 15[NET] received packet: from 192.168.182.138[500] to 192.168.182.200[500]
Oct 18 12:39:44 vpn-gateway charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_D_IP) N(NATD_S_IP) ]
Oct 18 12:39:44 vpn-gateway charon: 15[AUD] 192.168.182.138 is initiating an IKE_SA
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] received NAT_DETECTION_DESTINATION_IP notify
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] received NAT_DETECTION_SOURCE_IP notify
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] sending cert request for "C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca@vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 15[IKE] sending cert request for "C=ES, O=VPN Test, OU=PKI, CN=Sub CA, E=ca@vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 18 12:39:44 vpn-gateway charon: 15[NET] sending packet: from 192.168.182.200[500] to 192.168.182.138[500]
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] checkin IKE_SA
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] found entry by pointer
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] check-in of IKE_SA successful.
Oct 18 12:39:44 vpn-gateway charon: 15[MGR] 1 IKE_SAs in manager now
Oct 18 12:39:44 vpn-gateway charon: 16[MGR] checkout IKE_SA by message, 1 IKE_SAs in manager
Oct 18 12:39:44 vpn-gateway charon: 16[MGR] found entry by both SPIs
Oct 18 12:39:44 vpn-gateway charon: 16[MGR] IKE_SA successfully checked out
Oct 18 12:39:44 vpn-gateway charon: 16[NET] received packet: from 192.168.182.138[4500] to 192.168.182.200[4500]
Oct 18 12:39:44 vpn-gateway charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CERT IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] received cert request for "C=ES, O=VPN Test, OU=PKI, CN=Sub CA, E=ca@vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] received cert request for "C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca@vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] received end entity cert "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] using certificate "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] using trusted intermediate ca certificate "C=ES, O=VPN Test, OU=PKI, CN=Sub CA, E=ca@vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] checking certificate status of "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] certificate status is not available
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] using trusted ca certificate "C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca@vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] checking certificate status of "C=ES, O=VPN Test, OU=PKI, CN=Sub CA, E=ca@vpntest.org"
Oct 18 12:39:44 vpn-gateway charon: 16[CFG] certificate status is not available
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] authentication of 'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2' with RSA signature successful
Oct 18 12:39:44 vpn-gateway charon: 16[IKE] peer supports MOBIKE
Oct 18 12:39:44 vpn-gateway charon: 16[AUD] no matching config found for 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test@vpntest.org'...'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'
Oct 18 12:39:44 vpn-gateway charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
What am I missing?
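Editor's note, added after the post (example code, not part of the original message and not strongSwan's own code). The AUD line "no matching config found for 'A'...'B'" prints the identity the client asked the gateway to use (IDr, A) followed by the identity the client asserted for itself (IDi, B). Charon only selects a conn whose local identity matches IDr and whose rightid matches IDi; the client sent no leftid, so its identity defaulted to its certificate subject, "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2", as the "received end entity cert" line shows, while the gateway's conn roadwarrior has rightid "... CN=roadwarrior". The script below models that selection step in a simplified way: it parses an ipsec.conf-style text (the gateway config from the post, indentation restored and the obfuscated "E=" addresses written with "@"), extracts IDr/IDi from the log line, and reports which conn rejected the peer and why. Assumptions, marked in comments: DN identities are compared RDN by RDN in order with exact values and a "*" wildcard per RDN (strongSwan accepts such wildcards in DN ids), "%any" accepts everything, and the local identity is taken from the certificate subject passed in by the caller. The real matcher in charon is more elaborate (ID types, subjectAltNames, rightca constraints), so treat this as a diagnostic aid, not a reimplementation.

```python
"""Simplified model of how charon picks a peer config by IKE identities.

Added example for the thread; not strongSwan code. Assumptions are marked.
"""
import re

# Gateway config from the post (indentation restored, "E=...@" de-obfuscated).
GATEWAY_CONF = """\
version 2.0
config setup
    charondebug="mgr 3, ike 3, knl 3"
conn %default
    ike=aes-sha,3des-sha
    keyingtries=1
    left=192.168.182.200
    leftcert=cert.pem
ca RootCA
    auto=add
    cacert=caroot.pem
conn roadwarrior
    type=tunnel
    leftsubnet=10.0.0.0/8
    right=%any
    rightca="C=ES, O=VPN Test, OU=PKI, CN=Root CA, E=ca@vpntest.org"
    rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
    rightsourceip=10.20.253.253
    keyexchange=ikev2
    auto=add
"""

# Constructed from the AUD line in the post's daemon.log excerpt.
LOG_LINE = ("Oct 18 12:39:44 vpn-gateway charon: 16[AUD] no matching config found for "
            "'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test@vpntest.org'"
            "...'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'")

NO_MATCH_RE = re.compile(r"no matching config found for '([^']*)'\.\.\.'([^']*)'")
SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}. Indentation is not required, so a
    copy whose leading whitespace was stripped by a mail client still parses."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("version"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("parameter outside a section: %r" % raw)
        current[key.strip()] = value.strip().strip('"')
    return sections


def effective_conns(sections):
    """Apply 'conn %default' inheritance; returns {name: params}."""
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


def parse_dn(s):
    """'C=ES, O=VPN Test' -> [('C', 'ES'), ('O', 'VPN Test')] (no escaped commas)."""
    rdns = []
    for part in s.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def id_matches(pattern, identity):
    """Does a configured leftid/rightid accept the identity the peer asserted?
    Assumption: '%any' accepts everything, DNs compare RDN by RDN in order with
    '*' as a per-RDN wildcard, other ID types compare as exact strings."""
    if pattern in ("%any", ""):
        return True
    if "=" in pattern and "=" in identity:
        p, i = parse_dn(pattern), parse_dn(identity)
        return len(p) == len(i) and all(
            pa == ia and (pv == "*" or pv == iv) for (pa, pv), (ia, iv) in zip(p, i))
    return pattern == identity


def select_config(conf_text, idr, idi, local_cert_subject):
    """Return (matching conn name or None, [(conn, reason)] for rejected conns)."""
    matched, rejected = None, []
    for name, c in effective_conns(parse_ipsec_conf(conf_text)).items():
        if c.get("keyexchange", "ike") not in ("ike", "ikev2"):   # assumption: 'ike' allows IKEv2
            rejected.append((name, "keyexchange=%s is not IKEv2" % c["keyexchange"]))
            continue
        local = c.get("leftid") or local_cert_subject   # assumption: leftid defaults to cert subject
        if not id_matches(local, idr):
            rejected.append((name, "local id %r does not match IDr %r" % (local, idr)))
            continue
        remote = c.get("rightid", "%any")
        if not id_matches(remote, idi):
            rejected.append((name, "rightid %r does not match IDi %r" % (remote, idi)))
            continue
        matched = name
        break
    return matched, rejected


def diagnose(conf_text, log_line, local_cert_subject):
    """Pull IDr/IDi out of the AUD log line and run config selection on them."""
    idr, idi = NO_MATCH_RE.search(log_line).groups()
    return select_config(conf_text, idr, idi, local_cert_subject)


if __name__ == "__main__":
    gateway_dn = "C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test@vpntest.org"
    print(diagnose(GATEWAY_CONF, LOG_LINE, gateway_dn))
    # Same config with a per-RDN wildcard in rightid: the conn now matches.
    print(diagnose(GATEWAY_CONF.replace('CN=roadwarrior"', 'CN=*"'), LOG_LINE, gateway_dn))
```

Run as-is, the first call reports no match and names the rightid/IDi mismatch; the second, with rightid "C=ES, O=VPN Test, OU=Test, CN=*", selects conn roadwarrior. The same effect comes from setting rightid to the client's exact subject DN, or from rightid=%any with the existing rightca line still restricting which CA the client certificate must chain to. Before changing the gateway, confirm the client's identity with "ipsec listcerts" on the client and the "authentication of '...'" line on the gateway, then re-test; the AUTH_FAILED response should disappear and "IKE_SA roadwarrior[1] established" should follow.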