[strongSwan] IKEv1 not working

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 24 12:40:14 CEST 2011


Hello Kavitha,

ipsec listcerts shows

- an end entity certificate for the local peer
   CN=169.254.1.70  without a matching private key

- an end entity certificate for the remote peer
   CN=169.254.0.70 with a matching private key

Why do you reference the private key of the remote peer
instead of the private key of the local peer?

Please check which private keys you are using.

Regards

Andreas

On 08/24/2011 12:19 PM, Lm, Kavitha (NSN - IN/Bangalore) wrote:
> Hi Andreas,
>
> Thanks a lot for the logginginfo.
>
> I have increased the log level as mentioned to 'control' and have been
> observing the auth.log.
>
> It seems like there is some authentication problem.
>
> Could you please let us know if there is any particular way in which the
> certificates have to be handled for IKEv1?
>
>
> The certificates seem to work fine with IKEv2.
>
> Please find below certificate listing for IKEv2:
>
> # ipsec listcerts
>
> List of X.509 End Entity Certificates:
>
>   subject:  "C=CH, O=strongSwan, CN=169.254.1.70"
>   issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
>   serial:    00:ed:ae:f9:52:c4:3b:a8:70
>   validity:  not before Aug 24 11:52:27 2011, ok
>              not after  Aug 23 11:52:27 2014, ok
>   pubkey:    RSA 2048 bits
>   keyid:     cc:42:17:bb:4d:ce:86:1d:6c:62:5c:03:65:aa:e8:5a:97:df:41:44
>   subjkey:   9a:f9:a4:1e:0f:71:54:78:8a:af:c6:2f:ae:24:20:71:c0:71:8d:43
>   authkey:   1e:fc:6e:71:5e:90:8f:7a:7d:3e:44:6b:32:10:03:a6:13:8d:9f:fa
>
>   subject:  "C=CH, O=strongSwan, CN=169.254.0.70"
>   issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
>   serial:    00:9f:bd:99:62:c2:a9:4e:b7
>   validity:  not before Aug 24 11:51:14 2011, ok
>              not after  Aug 23 11:51:14 2014, ok
>   pubkey:    RSA 2048 bits, has private key
>   keyid:     3b:2a:c5:a1:c5:67:a9:39:5e:5b:2a:18:d4:05:73:b9:83:43:7d:ee
>   subjkey:   26:9d:23:b0:57:d7:47:31:91:5f:aa:e6:cc:89:20:65:e4:c4:8a:0f
>   authkey:   1e:fc:6e:71:5e:90:8f:7a:7d:3e:44:6b:32:10:03:a6:13:8d:9f:fa
>
> When the ipsec.conf file is changed to IKEv1 configuration (with the same
> setup for certs), they are somehow not getting exchanged:
>
> Please find below certificate listing for IKEv1:
>
> # ipsec listcerts
>
> 000
> 000 List of X.509 End Entity Certificates:
> 000
> 000   subject:  "C=CH, O=strongSwan, CN=169.254.0.70"
> 000   issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
> 000   serial:    00:9f:bd:99:62:c2:a9:4e:b7
> 000   validity:  not before Aug 24 11:51:14 2011 ok
> 000              not after  Aug 23 11:51:14 2014 ok
> 000   pubkey:    RSA 2048 bits
> 000   keyid:     3b:2a:c5:a1:c5:67:a9:39:5e:5b:2a:18:d4:05:73:b9:83:43:7d:ee
> 000   subjkey:   26:9d:23:b0:57:d7:47:31:91:5f:aa:e6:cc:89:20:65:e4:c4:8a:0f
> 000   authkey:   1e:fc:6e:71:5e:90:8f:7a:7d:3e:44:6b:32:10:03:a6:13:8d:9f:fa
>
> The following lines were also seen in the auth.log:
>
> Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: we have a cert and are sending it upon request
> Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: unable to locate my private key for signature
> Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: sending encrypted notification AUTHENTICATION_FAILED to 169.254.0.70:500
> Aug 24 15:03:40 vc2_TPC1 pluto[8747]: | state transition function for STATE_MAIN_I2 failed: AUTHENTICATION_FAILED
>
> Can you please let us know where we are going wrong?
>
> Also please find the attached logs which might help in better understanding:
>
> <<authlog_src.txt>> <<ipsec_dst.conf>> <<ipsec_src.conf>>
> <<tcpdump_dst.txt>> <<tcpdump_src.txt>> <<authlog_dst.txt>>
>
> Thanks & Regards,
>
> Kavitha
>
> -----Original Message-----
> From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Friday, August 19, 2011 4:23 PM
> To: Lm, Kavitha (NSN - IN/Bangalore)
> Cc: Users at lists.strongswan.org; Sudhakar, Meera (NSN - IN/Bangalore)
> Subject: Re: [strongSwan] IKEv1 not working
>
> Hello Kavitha,
>
> the IKEv1 pluto daemon is logging to the authpriv syslog facility
> and not to the daemon facility. Just grep for pluto in /var/log/
> in order to find the correct log file.
>
> The status information shows that the first IKEv1 Main Mode
> exchange has been successful but that the other endpoint
> does not send an answer. In order to generate a helpful log
> please increase the loglevel in ipsec.conf to
>
> plutodebug="control"
>
> and post the generated log output.
>
> Best regards
>
> Andreas
>
> On 19.08.2011 09:22, Lm, Kavitha (NSN - IN/Bangalore) wrote:
>
>>  Hi,
>>
>>  This is regarding an issue that we are facing with IKEv1.
>>
>>  We are able to setup an IPSEC tunnel with IKEv2 but the same is failing
>>  with IKEv1.
>>
>>  Ipsec.conf file for IKEv2:
>>
>>  config setup
>>      # plutodebug=all
>>      strictcrlpolicy=no
>>      charonstart=yes
>>      plutostart=no
>>      charondebug=all
>>
>>  ca strongswan
>>      cacert=caCert.der
>>      auto=add
>>
>>  conn sample-with-ca-cert
>>      left=169.254.1.70
>>      leftsubnet=169.254.1.0/24
>>      leftcert=VC2Cert.der
>>      right=169.254.0.70
>>      rightsubnet=169.254.0.0/24
>>      rightid="C=CH, O=strongSwan, CN=169.254.0.70"
>>      keyexchange=ikev2
>>      auto=start
>>
>>  This configuration works fine for IKEv2 tunnels:
>>
>>  # ipsec status
>>
>>  Security Associations:
>>  sample-with-ca-cert[1]: ESTABLISHED 18 seconds ago, 169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]...169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]
>>  sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cb854b6d_i cd9ac880_o
>>  sample-with-ca-cert{1}:   169.254.0.0/24 === 169.254.1.0/24
>>
>>  The instant we try this for IKEv1 (keyexchange=ikev1, charonstart=no,
>>  plutostart=yes), it fails and the tunnel is not getting established.
>>
>>  # ipsec status
>>
>>  000 "sample-with-ca-cert": 169.254.1.0/24===169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]...169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]===169.254.0.0/24; unrouted; eroute owner: #0
>>  000 "sample-with-ca-cert":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>>  000
>>  000 #1: "sample-with-ca-cert" STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 8s
>>  000 #1: pending Phase 2 for "sample-with-ca-cert" replacing #0
>>  000
>>
>>  No logging was observed at all for IKEv1. Could you please let us know how
>>  to solve this issue?
>>
>>  Please find some of the details of our environment below:
>>
>>  Server: Ubuntu – linux-2.6.35
>>
>>  Strongswan IKEv1 version:
>>
>>  # apt-cache policy strongswan-ikev1
>>  strongswan-ikev1:
>>    Installed: 4.5.2-1.1
>>    Candidate: 4.5.2-1.1
>>    Version table:
>>   *** 4.5.2-1.1 0
>>          100 /var/lib/dpkg/status
>>
>>  We assume that IKEv1 is already installed from the above status.
>>
>>  Can you let us know of any other way to check if IKEv1 is supported?
>>
>>  Thanks & Regards,
>>  Kavitha
>>

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
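The mismatch Andreas points out above (the certificate loaded for the local peer has no private key, while the remote peer's certificate does, so pluto logs "unable to locate my private key for signature" and aborts Main Mode with AUTHENTICATION_FAILED) is something a defender can catch before bringing the tunnel up. The script below is an added example and is not code from this thread or from the strongSwan project. It parses `ipsec listcerts` output in both the plain charon form and pluto's `000 `-prefixed form, reads `left`/`leftid` from a conn section, reports whether the certificate for the local identity carries a private key, and scans pluto auth.log lines for the two tell-tale messages. The sample listing, conn section and log lines are constructed from the values posted in the thread; the rule that a certificate's CN equals the peer address is an assumption of this example taken from Kavitha's setup, not a strongSwan requirement.

```python
"""Added example (not from the thread or the strongSwan project): check that the
certificate strongSwan will present for the local identity has a private key
loaded, and spot pluto's missing-private-key failure in an auth.log extract."""
import re

# Constructed sample: `ipsec listcerts` as printed when pluto answers (each line
# carries the "000 " status prefix); charon prints the same fields without it.
# Values are taken from the listings quoted in this thread, trimmed to the
# fields this script reads.
SAMPLE_LISTCERTS = """\
000 List of X.509 End Entity Certificates:
000
000   subject:  "C=CH, O=strongSwan, CN=169.254.1.70"
000   pubkey:    RSA 2048 bits
000
000   subject:  "C=CH, O=strongSwan, CN=169.254.0.70"
000   pubkey:    RSA 2048 bits, has private key
"""

# Constructed sample: the thread's conn section, switched to IKEv1.
SAMPLE_CONN = """\
conn sample-with-ca-cert
    left=169.254.1.70
    leftcert=VC2Cert.der
    right=169.254.0.70
    rightid="C=CH, O=strongSwan, CN=169.254.0.70"
    keyexchange=ikev1
"""

# Constructed sample: the pluto auth.log lines quoted in the thread.
SAMPLE_AUTH_LOG = """\
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: we have a cert and are sending it upon request
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: unable to locate my private key for signature
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: "kay2" #1: sending encrypted notification AUTHENTICATION_FAILED to 169.254.0.70:500
Aug 24 15:03:40 vc2_TPC1 pluto[8747]: | state transition function for STATE_MAIN_I2 failed: AUTHENTICATION_FAILED
"""

STATUS_PREFIX = re.compile(r"^\d{3} ?")      # pluto's "000 " line prefix
CN_RE = re.compile(r"CN=([^,]+)")
PLUTO_MSG = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def parse_listcerts(text):
    """Return one dict per end-entity certificate: subject DN, CN, has_private_key."""
    certs, current = [], None
    for raw in text.splitlines():
        line = STATUS_PREFIX.sub("", raw).strip()
        if line.startswith("subject:"):
            subject = line.split(":", 1)[1].strip().strip('"')
            cn = CN_RE.search(subject)
            current = {"subject": subject, "cn": cn.group(1) if cn else None,
                       "has_private_key": False}
            certs.append(current)
        elif line.startswith("pubkey:") and current is not None:
            # the listing marks a certificate whose key is loaded with ", has private key"
            current["has_private_key"] = "has private key" in line
    return certs


def local_identity(conn_text):
    """CN the local peer authenticates as: the CN of leftid when set, else the
    left address (assumption of this example: certs carry the address as CN)."""
    left = leftid = None
    for line in conn_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "left":
            left = value.strip()
        elif key == "leftid":
            leftid = value.strip().strip('"')
    if leftid:
        m = CN_RE.search(leftid)
        return m.group(1) if m else leftid
    return left


def check_local_cert(certs, local_cn):
    """'ok' when the local cert has its key, 'missing-private-key' for the failure
    in this thread, 'cert-not-loaded' when no loaded cert matches the identity."""
    for cert in certs:
        if cert["cn"] == local_cn:
            return "ok" if cert["has_private_key"] else "missing-private-key"
    return "cert-not-loaded"


def scan_pluto_log(text):
    """Group pluto messages per (conn, SA number) and flag the two tell-tale lines."""
    findings = {}
    for line in text.splitlines():
        m = PLUTO_MSG.search(line)
        if not m:
            continue                          # e.g. "| state transition ..." debug lines
        entry = findings.setdefault((m["conn"], int(m["sa"])),
                                    {"missing_private_key": False, "auth_failed": False})
        if "unable to locate my private key" in m["msg"]:
            entry["missing_private_key"] = True
        if "AUTHENTICATION_FAILED" in m["msg"]:
            entry["auth_failed"] = True
    return findings


if __name__ == "__main__":
    certs = parse_listcerts(SAMPLE_LISTCERTS)
    me = local_identity(SAMPLE_CONN)
    print(f"local identity CN={me}: {check_local_cert(certs, me)}")
    for (conn, sa), flags in scan_pluto_log(SAMPLE_AUTH_LOG).items():
        print(f'conn "{conn}" #{sa}: {flags}')
```

Run against the samples, the script reports `missing-private-key` for 169.254.1.70, which is exactly Andreas's diagnosis: the key in ipsec.secrets belongs to the 169.254.0.70 certificate, not to the one referenced by `leftcert`. The same check run against the live output of `ipsec listcerts` on each gateway tells you which side has its private key wired to the wrong certificate without waiting for the AUTHENTICATION_FAILED notification.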



