[strongSwan] no matching peer config found

Andreas Steffen andreas.steffen at strongswan.org
Sun Apr 3 19:26:07 CEST 2011


Hello Terry, in my opinion the ipsec.conf of Node A and B should be
as follows:

ipsec.conf for Node A

conn gateway
  right=%any
  rightid="Node B"
  left=9.5.46.51
  leftcert=nodeACert.pem
  leftid="Node A"
  keyexchange=ikev2
  auto=add

ipsec.conf for Node B

conn home
  right=9.5.46.51
  rightid="Node A"
  left=%any
  leftcert=nodeBCert.pem
  leftid="Node B"
  leftfirewall=yes
  keyexchange=ikev2
  auto=start

Regards

Andreas

On 04/03/2011 06:00 AM, Terry Hennessy wrote:
> Hello,
> 
> I'm trying to set up IPsec with strongswan 4.5.1 between a Blade Server
> and a KVM on my laptop, both with RHEL6. I'm running into a problem
> where I see "no matching peer config found" in the charon.log. I've seen
> the previous posts on this error, but I don't see what I'm doing wrong.
> (I should point out that I'm both a Linux and IPsec newbie.)
> 
> I'd like to set it up with IKEv2 and RSA authentication. I have Node A
> and Node B. Node A will be the gateway. Node A's certificate has a DN of
> "CN=Node A, ST=Minnesota, C=US" and an altSubjectName of "Node A", while
> Node B has a DN of "CN=Node B, ST=Minnesota, C=US" with an altSubjectName
> of "Node B".
> 
> ipsec.conf for Node A
> ------------------------------------------------------------------------------------------
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
> strictcrlpolicy=no
> plutostart=no
> charonstart=yes
> charondebug="lib 3,cfg 3, net 3, ike 3, enc 3, chd 3, mgr 3, dmn 3"
> 
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> leftauth=pubkey
> 
> conn gateway
> right=%any
> rightid="Node B" // Also tried %any
> auto=add
> left=9.5.46.51
> leftfirewall=no
> leftcert=nodeACert.pem
> keyexchange=ikev2
> 
> 
> ipsec.conf for Node B
> ---------------------------------------------------
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
> strictcrlpolicy=no
> charonstart=yes
> plutostart=no
> charondebug="lib 3,cfg 3,net 3,ike 3, enc 3, chd 3, mgr 3, dmn 3"
> 
> 
> # Add connections here.
> 
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> 
> conn home
> right=9.5.46.51
> rightid="CN=Node B, ST=Minnesota, C=US"
> keyexchange=ikev2
> left=%defaultroute
> leftid="Node B"
> leftcert=nodeBCert.pem
> leftfirewall=yes
> auto=start
> 
> 
> When I run ipsec statusall on the Node B, I get this:
> -------------------------------------------
> Status of IKEv2 charon daemon (strongSwan 4.5.1):
> uptime: 49 minutes, since Apr 02 23:00:10 2011
> malloc: sbrk 262144, mmap 0, used 111488, free 150656
> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1
> loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints
> pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
> socket-raw stroke updown
> Listening IP addresses:
> 192.168.122.203
> Connections:
> home: 192.168.122.203...9.5.46.51
> home: local: [Node B] uses public key authentication
> home: cert: "CN=Node B, ST=Minnesota, C=US"
> home: remote: [CN=Node B, ST=Minnesota, C=US] uses any authentication
> home: child: dynamic === dynamic
> Security Associations:
> none
> 
> And when I run ipsec up home I get this:
> ------------------------------------------------------------------
> initiating IKE_SA home[3] to 9.5.46.51
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.122.203[500] to 9.5.46.51[500]
> received packet: from 9.5.46.51[500] to 192.168.122.203[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> received cert request for "CN=TKH CA, ST=Minnesota, C=US"
> sending cert request for "CN=TKH CA, ST=Minnesota, C=US"
> authentication of 'Node B' (myself) with RSA signature successful
> sending end entity cert "CN=Node B, ST=Minnesota, C=US"
> establishing CHILD_SA home
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
> AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.122.203[4500] to 9.5.46.51[4500]
> received packet: from 9.5.46.51[4500] to 192.168.122.203[4500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> 
> 
> 
> On Node A, ipsec statusall shows:
> ---------------------------------------------
> Status of IKEv2 charon daemon (strongSwan 4.5.1):
> uptime: 49 minutes, since Apr 02 19:06:04 2011
> malloc: sbrk 135168, mmap 0, used 103680, free 31488
> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
> loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation hmac xcbc stroke kernel-netlink socket-default updown
> Listening IP addresses:
> 192.168.122.1
> 9.5.46.51
> 9.5.48.51
> Connections:
> gateway: 9.5.46.51...%any
> gateway: local: [CN=Node A, ST=Minnesota, C=US] uses public key
> authentication
> gateway: cert: "CN=Node A, ST=Minnesota, C=US"
> gateway: remote: [Node B] uses any authentication
> gateway: child: dynamic === dynamic
> Security Associations:
> none
> 
> 
> The charon.log snippet shows:
> --------------------------------------------------
> Apr 2 19:06:13 10[IKE] received end entity cert "CN=Node B,
> ST=Minnesota, C=US"
> Apr 2 19:06:13 10[CFG] looking for peer configs matching
> 9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]
> Apr 2 19:06:13 10[CFG] no matching peer config found
> Apr 2 19:06:13 10[IKE] peer supports MOBIKE
> Apr 2 19:06:13 10[ENC] added payload of type NOTIFY to message
> Apr 2 19:06:13 10[ENC] added payload of type NOTIFY to message
> Apr 2 19:06:13 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 
> 
> 
> What did I do wrong? Thanks.
> 
> 
> Terry Hennessy

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
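The charon.log line "looking for peer configs matching 9.5.46.51[CN=Node B, ST=Minnesota, C=US]...9.10.109.23[Node B]" is the key to the failure: Node B sent its own DN as IDr (because its rightid was set to its own DN), so nothing on Node A matched. The following is an added example, not strongSwan code, that models that lookup with a deliberately simplified identity match (exact string compare; real charon also handles DN wildcards and SubjectAltName matching) and replays it for Terry's original configs and for the pairing Andreas proposes. The conn dictionaries and the 9.10.109.23 initiator address are taken from the thread; Node A's implicit leftid is assumed to be its certificate DN, as its statusall output shows.

```python
# Constructed from the two ipsec.conf fragments in the thread.
# Node A sets no leftid, so charon uses the certificate DN (assumption,
# consistent with Node A's "ipsec statusall" output above).
TERRY_A = {"left": "9.5.46.51", "leftid": "CN=Node A, ST=Minnesota, C=US",
           "right": "%any", "rightid": "Node B"}
TERRY_B = {"left": "%any", "leftid": "Node B",
           "right": "9.5.46.51", "rightid": "CN=Node B, ST=Minnesota, C=US"}
# Andreas's suggested pairing: each side's rightid names the *other* side.
FIXED_A = dict(TERRY_A, leftid="Node A")
FIXED_B = dict(TERRY_B, rightid="Node A")


def id_matches(configured, presented):
    """%any matches anything; otherwise an exact compare (simplified model)."""
    return configured == "%any" or configured == presented


def find_peer_config(conns, me_addr, me_id, other_addr, other_id):
    """Simplified model of charon's 'looking for peer configs matching
    me[IDr]...other[IDi]' step on the responder: its own address and ID
    must match left/leftid, the initiator's must match right/rightid."""
    return [name for name, c in conns.items()
            if id_matches(c["left"], me_addr)
            and id_matches(c["leftid"], me_id)
            and id_matches(c["right"], other_addr)
            and id_matches(c["rightid"], other_id)]


def responder_lookup(responder_conns, initiator_conn, initiator_addr, responder_addr):
    """The initiator sends IDi = its leftid and IDr = its rightid; return the
    responder conn names that match, [] meaning 'no matching peer config'."""
    idi, idr = initiator_conn["leftid"], initiator_conn["rightid"]
    return find_peer_config(responder_conns, responder_addr, idr, initiator_addr, idi)


def check_pair(a, b):
    """Static check of two conn sections: every configured ID on one side
    must name the peer on the other side (or be %any)."""
    problems = []
    if not id_matches(a["rightid"], b["leftid"]):
        problems.append("A.rightid %r != B.leftid %r" % (a["rightid"], b["leftid"]))
    if not id_matches(b["rightid"], a["leftid"]):
        problems.append("B.rightid %r != A.leftid %r" % (b["rightid"], a["leftid"]))
    return problems


if __name__ == "__main__":
    print("original:", responder_lookup({"gateway": TERRY_A}, TERRY_B, "9.10.109.23", "9.5.46.51"))
    print("fixed:   ", responder_lookup({"gateway": FIXED_A}, FIXED_B, "9.10.109.23", "9.5.46.51"))
    print("static check:", check_pair(TERRY_A, TERRY_B), check_pair(FIXED_A, FIXED_B))
```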



