[strongSwan] no matching peer config found
Terry Hennessy
trense at us.ibm.com
Sun Apr 3 06:00:18 CEST 2011
Hello,
I'm trying to set up IPsec with strongSwan 4.5.1 between a Blade Server and
a KVM on my laptop, both with RHEL6. I'm running into a problem where I
see "no matching peer config found" in the charon.log. I've seen the
previous posts on this error, but I don't see what I'm doing wrong.
(I should point out that I'm both a Linux and IPsec newbie.)
I'd like to set it up for IKEv2 with RSA authentication. I have Node A and
Node B. Node A will be the gateway. Node A's certificate has a DN of
"CN=Node A, ST=Minnesota, C=US" and a subjectAltName of "Node A", while Node B
has a DN of "CN=Node B, ST=Minnesota, C=US" with a subjectAltName of "Node B".
ipsec.conf for Node A
------------------------------------------------------------------------------------------
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
plutostart=no
charonstart=yes
charondebug="lib 3,cfg 3, net 3, ike 3, enc 3, chd 3, mgr 3, dmn 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
leftauth=pubkey
conn gateway
right=%any
rightid="Node B"   # Also tried %any
auto=add
left=9.5.46.51
leftfirewall=no
leftcert=nodeACert.pem
keyexchange=ikev2
ipsec.conf for Node B
---------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
strictcrlpolicy=no
charonstart=yes
plutostart=no
charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3"
# Add connections here.
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
conn home
right=9.5.46.51
rightid="CN=Node B, ST=Minnesota, C=US"
keyexchange=ikev2
left=%defaultroute
leftid="Node B"
leftcert=nodeBCert.pem
leftfirewall=yes
auto=start
When I run ipsec statusall on the Node B, I get this:
-------------------------------------------
Status of IKEv2 charon daemon (strongSwan 4.5.1):
uptime: 49 minutes, since Apr 02 23:00:10 2011
malloc: sbrk 262144, mmap 0, used 111488, free 150656
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1
loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints
pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
socket-raw stroke updown
Listening IP addresses:
192.168.122.203
Connections:
home: 192.168.122.203...9.5.46.51
home: local: [Node B] uses public key authentication
home: cert: "CN=Node B, ST=Minnesota, C=US"
home: remote: [CN=Node B, ST=Minnesota, C=US] uses any authentication
home: child: dynamic === dynamic
Security Associations:
none
And when I run ipsec up home I get this:
------------------------------------------------------------------
initiating IKE_SA home[3] to 9.5.46.51
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.122.203[500] to 9.5.46.51[500]
received packet: from 9.5.46.51[500] to 192.168.122.203[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "CN=TKH CA, ST=Minnesota, C=US"
sending cert request for "CN=TKH CA, ST=Minnesota, C=US"
authentication of 'Node B' (myself) with RSA signature successful
sending end entity cert "CN=Node B, ST=Minnesota, C=US"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.122.203[4500] to 9.5.46.51[4500]
received packet: from 9.5.46.51[4500] to 192.168.122.203[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
On Node A, ipsec statusall shows:
---------------------------------------------
Status of IKEv2 charon daemon (strongSwan 4.5.1):
uptime: 49 minutes, since Apr 02 19:06:04 2011
malloc: sbrk 135168, mmap 0, used 103680, free 31488
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509
revocation hmac xcbc stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.122.1
9.5.46.51
9.5.48.51
Connections:
gateway: 9.5.46.51...%any
gateway: local: [CN=Node A, ST=Minnesota, C=US] uses public key authentication
gateway: cert: "CN=Node A, ST=Minnesota, C=US"
gateway: remote: [Node B] uses any authentication
gateway: child: dynamic === dynamic
Security Associations:
none
The charon.log snippet shows:
--------------------------------------------------
Apr 2 19:06:13 10[IKE] received end entity cert "CN=Node B, ST=Minnesota, C=US"
Apr 2 19:06:13 10[CFG] looking for peer configs matching 9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]
Apr 2 19:06:13 10[CFG] no matching peer config found
Apr 2 19:06:13 10[IKE] peer supports MOBIKE
Apr 2 19:06:13 10[ENC] added payload of type NOTIFY to message
Apr 2 19:06:13 10[ENC] added payload of type NOTIFY to message
Apr 2 19:06:13 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
What did I do wrong? Thanks.
Terry Hennessy
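The charon.log line quoted above carries both identities the responder tried to match, so the mismatch can be located mechanically. The script below is an added example for readers of this thread; it is not the poster's code and not part of strongSwan. It assumes charon writes the line as `<me>[<IDr>]...<other>[<IDi>]`, where IDr is the identity the initiator asked the responder to prove (taken from the initiator's rightid) and IDi is the identity the initiator claimed for itself (its leftid). It also assumes that, with no leftid set, strongSwan uses the leftcert subject DN as the local identity. The ipsec.conf text and certificate subject embedded in it are reconstructed from the post, trimmed to the identity-related keys, and the matching rule is a deliberately simple textual comparison (real strongSwan identity matching also handles wildcards and DN matching).

```python
"""Cross-check a charon 'looking for peer configs matching' log line against
the responder's ipsec.conf conn blocks and report which identity failed to match.

Added example, not part of the original post and not strongSwan's own code.
Assumption: charon logs the line as  <me>[<IDr>]...<other>[<IDi>].
"""
import re

# Constructed input: the CFG line quoted in the post, plus a hypothetical
# reconstruction of the Node A 'gateway' conn (only the id-relevant keys).
LOG_LINE = ("Apr  2 19:06:13 10[CFG] looking for peer configs matching "
            "9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]")

NODE_A_CONF = """
conn gateway
    left=9.5.46.51
    leftcert=nodeACert.pem
    right=%any
    rightid="Node B"
"""

# Subject DN of nodeACert.pem, as shown by 'ipsec statusall' in the post.
NODE_A_CERT_SUBJECT = "CN=Node A, ST=Minnesota, C=US"

MATCH_RE = re.compile(
    r"looking for peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")


def parse_match_line(line):
    """Return {'me', 'idr', 'other', 'idi'} from the CFG line, or None."""
    m = MATCH_RE.search(line)
    if not m:
        return None
    return {"me": m.group(1), "idr": m.group(2),
            "other": m.group(3), "idi": m.group(4)}


def parse_conns(text):
    """Minimal ipsec.conf reader: conn name -> {key: value}, quotes stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def local_identity(conn, cert_subject):
    """leftid if set; otherwise the leftcert subject DN (assumed default)."""
    if "leftid" in conn:
        return conn["leftid"]
    return cert_subject if "leftcert" in conn else "%any"


def id_matches(configured, received):
    """%any matches anything; otherwise identities must be textually equal."""
    return configured == "%any" or configured == received


def diagnose(log_line, conf_text, local_cert_subject):
    """Map conn name -> list of mismatch descriptions (empty list = would match)."""
    ids = parse_match_line(log_line)
    if ids is None:
        raise ValueError("not a 'looking for peer configs matching' line")
    report = {}
    for name, conn in parse_conns(conf_text).items():
        problems = []
        mine = local_identity(conn, local_cert_subject)
        if not id_matches(mine, ids["idr"]):
            problems.append(
                f"peer requested IDr '{ids['idr']}' but conn '{name}' presents "
                f"'{mine}' (check the initiator's rightid)")
        theirs = conn.get("rightid", "%any")
        if not id_matches(theirs, ids["idi"]):
            problems.append(
                f"peer claimed IDi '{ids['idi']}' but conn '{name}' expects "
                f"rightid '{theirs}' (check the initiator's leftid)")
        report[name] = problems
    return report


if __name__ == "__main__":
    for conn, problems in diagnose(LOG_LINE, NODE_A_CONF, NODE_A_CERT_SUBJECT).items():
        print(conn, "->", problems or ["identities match; look at certs/CA/auth method"])
```

Run against the quoted line, the only complaint is on the IDr side: the initiator asked the 9.5.46.51 host to prove "CN=Node B, ST=Minnesota, C=US" while the gateway conn presents the Node A certificate subject, whereas the claimed IDi "Node B" matches rightid. Swapping the IDr in the log line for the Node A DN makes the report come back empty, which is the quickest way to confirm that the remaining configuration would have matched.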