[strongSwan] no matching peer config found

Terry Hennessy trense at us.ibm.com
Sun Apr 3 06:00:18 CEST 2011



Hello,

I'm trying to set up IPsec with strongSwan 4.5.1 between a Blade Server and
a KVM on my laptop, both with RHEL6.  I'm running into a problem where I
see "no matching peer config found" in the charon.log.  I've seen the
previous posts on this error, but I don't see what I'm doing wrong.
(I should point out that I'm both a Linux and IPsec newbie.)

I'd like to set it up for IKEv2 with RSA authentication.  I have Node A and
Node B.  Node A will be the gateway.  Node A's certificate has a DN of
"CN=Node A, ST=Minnesota, C=US" and a subjectAltName of "Node A", while Node B's
has a DN of "CN=Node B, ST=Minnesota, C=US" with a subjectAltName of "Node B".

ipsec.conf for Node A
------------------------------------------------------------------------------------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        plutostart=no
        charonstart=yes
        charondebug="lib 3,cfg 3, net 3, ike 3, enc 3, chd 3, mgr 3, dmn 3"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        leftauth=pubkey

conn gateway
        right=%any
        rightid="Node B"        # also tried %any
        auto=add
        left=9.5.46.51
        leftfirewall=no
        leftcert=nodeACert.pem
        keyexchange=ikev2


ipsec.conf for Node B
---------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        strictcrlpolicy=no
        charonstart=yes
        plutostart=no
        charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3"


# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn home
        right=9.5.46.51
        rightid="CN=Node B, ST=Minnesota, C=US"
        keyexchange=ikev2
        left=%defaultroute
        leftid="Node B"
        leftcert=nodeBCert.pem
        leftfirewall=yes
        auto=start


When I run ipsec statusall on Node B, I get this:
-------------------------------------------
Status of IKEv2 charon daemon (strongSwan 4.5.1):
  uptime: 49 minutes, since Apr 02 23:00:10 2011
  malloc: sbrk 262144, mmap 0, used 111488, free 150656
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  192.168.122.203
Connections:
        home:  192.168.122.203...9.5.46.51
        home:   local:  [Node B] uses public key authentication
        home:    cert:  "CN=Node B, ST=Minnesota, C=US"
        home:   remote: [CN=Node B, ST=Minnesota, C=US] uses any authentication
        home:   child:  dynamic === dynamic
Security Associations:
  none

And when I run ipsec up home, I get this:
------------------------------------------------------------------
initiating IKE_SA home[3] to 9.5.46.51
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.122.203[500] to 9.5.46.51[500]
received packet: from 9.5.46.51[500] to 192.168.122.203[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "CN=TKH CA, ST=Minnesota, C=US"
sending cert request for "CN=TKH CA, ST=Minnesota, C=US"
authentication of 'Node B' (myself) with RSA signature successful
sending end entity cert "CN=Node B, ST=Minnesota, C=US"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.122.203[4500] to 9.5.46.51[4500]
received packet: from 9.5.46.51[4500] to 192.168.122.203[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error



On Node A, ipsec statusall shows:
---------------------------------------------
Status of IKEv2 charon daemon (strongSwan 4.5.1):
  uptime: 49 minutes, since Apr 02 19:06:04 2011
  malloc: sbrk 135168, mmap 0, used 103680, free 31488
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
Listening IP addresses:
  192.168.122.1
  9.5.46.51
  9.5.48.51
Connections:
     gateway:  9.5.46.51...%any
     gateway:   local:  [CN=Node A, ST=Minnesota, C=US] uses public key authentication
     gateway:    cert:  "CN=Node A, ST=Minnesota, C=US"
     gateway:   remote: [Node B] uses any authentication
     gateway:   child:  dynamic === dynamic
Security Associations:
  none


The charon.log snippet shows:
--------------------------------------------------
Apr  2 19:06:13 10[IKE] received end entity cert "CN=Node B, ST=Minnesota, C=US"
Apr  2 19:06:13 10[CFG] looking for peer configs matching 9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]
Apr  2 19:06:13 10[CFG] no matching peer config found
Apr  2 19:06:13 10[IKE] peer supports MOBIKE
Apr  2 19:06:13 10[ENC] added payload of type NOTIFY to message
Apr  2 19:06:13 10[ENC] added payload of type NOTIFY to message
Apr  2 19:06:13 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]



What did I do wrong?  Thanks.


Terry Hennessy
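The "looking for peer configs matching" line is the key to this error: charon prints it as <my address>[IDr]...<peer address>[IDi], i.e. the identity the initiator claimed for the responder followed by the identity the initiator claimed for itself, and then requires a connection whose local/remote identities and addresses accept that pair. The following script, an added example that is neither part of the original post nor part of strongSwan, parses that log line together with the Connections section of `ipsec statusall` and reports which field fails to match. The two sample inputs are copied from the post above (with the mail-wrapped status line rejoined); the "fixed" lookup line in the usage is constructed. The matching rules are a simplification of charon's (exact equality or %any only; wildcard DNs and rightca-derived identities are not modelled).

```python
"""Explain charon's "no matching peer config found" from its own log output.

Added example (not strongSwan code). Compares the identity/address pair charon
logs while looking for a peer config against what each configured connection
requires, as shown by `ipsec statusall`.
"""
import re

# Copied from the post: the lookup line charon logged on Node A.
CHARON_LINE = ("Apr  2 19:06:13 10[CFG] looking for peer configs matching "
               "9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]")

# Copied from the post: the Connections section of `ipsec statusall` on Node A.
STATUSALL_A = """\
Connections:
     gateway:  9.5.46.51...%any
     gateway:   local:  [CN=Node A, ST=Minnesota, C=US] uses public key authentication
     gateway:    cert:  "CN=Node A, ST=Minnesota, C=US"
     gateway:   remote: [Node B] uses any authentication
     gateway:   child:  dynamic === dynamic
"""

# charon format: looking for peer configs matching <me>[<IDr>]...<peer>[<IDi>]
LOOKUP_RE = re.compile(r"looking for peer configs matching "
                       r"(?P<lhost>\S+?)\[(?P<lid>[^\]]*)\]\.\.\."
                       r"(?P<rhost>\S+?)\[(?P<rid>[^\]]*)\]")
# statusall: "<conn>:  <left>...<right>" and "<conn>:   local|remote: [<id>] ..."
CONN_RE = re.compile(r"^\s*(?P<name>[\w-]+):\s+(?P<local>\S+)\.\.\.(?P<remote>\S+)\s*$")
ID_RE = re.compile(r"^\s*(?P<name>[\w-]+):\s+(?P<side>local|remote):\s+\[(?P<id>[^\]]*)\]")


def parse_statusall(text):
    """Per connection: the addresses and identities charon will require."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.setdefault(m["name"], {}).update(
                local_host=m["local"], remote_host=m["remote"])
            continue
        m = ID_RE.match(line)
        if m:
            conns.setdefault(m["name"], {})[m["side"] + "_id"] = m["id"]
    return conns


def parse_lookup(line):
    """Split charon's lookup line into my address, IDr, peer address, IDi."""
    m = LOOKUP_RE.search(line)
    if m is None:
        raise ValueError("not a 'looking for peer configs' line: " + line)
    return m.groupdict()


def _host_ok(configured, presented):
    # %any / %defaultroute are resolved at runtime; treated as wildcards here.
    return configured in ("%any", "%defaultroute") or configured == presented


def _id_ok(configured, presented):
    # Simplification (assumption): only %any or an exact identity match counts.
    return configured == "%any" or configured == presented


def diagnose(lookup, conns):
    """Return (first matching conn name or None, {conn: [mismatch, ...]})."""
    mismatches = {}
    for name, c in conns.items():
        problems = []
        if not _host_ok(c["local_host"], lookup["lhost"]):
            problems.append(f"my address {lookup['lhost']} != left={c['local_host']}")
        if not _host_ok(c["remote_host"], lookup["rhost"]):
            problems.append(f"peer address {lookup['rhost']} != right={c['remote_host']}")
        if not _id_ok(c["local_id"], lookup["lid"]):
            problems.append(f"IDr {lookup['lid']!r} != leftid {c['local_id']!r} "
                            "(the initiator's rightid must equal this leftid)")
        if not _id_ok(c["remote_id"], lookup["rid"]):
            problems.append(f"IDi {lookup['rid']!r} != rightid {c['remote_id']!r}")
        if not problems:
            return name, mismatches
        mismatches[name] = problems
    return None, mismatches


if __name__ == "__main__":
    conns = parse_statusall(STATUSALL_A)
    match, why = diagnose(parse_lookup(CHARON_LINE), conns)
    if match:
        print("peer config", match, "would match")
    else:
        for name, problems in why.items():
            print(name + ":", "; ".join(problems))
    # Constructed check: the same lookup with IDr equal to Node A's leftid.
    fixed = CHARON_LINE.replace("CN=Node B", "CN=Node A")
    print("with IDr = Node A's DN:", diagnose(parse_lookup(fixed), conns)[0])
```

On the post's data the script reports only one mismatch for conn gateway: IDr "CN=Node B, ST=Minnesota, C=US" against leftid "CN=Node A, ST=Minnesota, C=US" (leftid defaults to the certificate's subject DN when unset). Address and IDi both pass, so the responder's rightid="Node B" is not the problem; what the initiator sends as IDr, i.e. its own rightid, is what has to line up with the responder's leftid.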