[strongSwan] Having a problem creating a basic Site-to-Site config !!

Andreas Steffen andreas.steffen at strongswan.org
Fri Aug 26 05:44:24 CEST 2011


Hello Shashi,

strongSwan does *not* require the keys and certificates to be in
binary DER format. It can handle PEM-encoded keys as well and
even automatically detects the format. What strongSwan cannot handle
are private key files consisting of a concatenation of a PEM private
key and a PEM certificate, a format that is often used by SSL servers.

Regards

Andreas

On 08/25/2011 10:02 PM, Shashi Yash wrote:
> Thanks Nguyen / Andreas / Martin for your responses !!!
> 
> I took your suggestions and changed the ipsec.conf as follows and it worked !!!
> 
> Also I had an error with the ipsec.secrets file; for some reason
> strongSwan expects the key to be in DER format. So I had to convert my keys
> to DER format with the below command.
> 
> openssl rsa -in rh1_Key.pem -outform DER -out rh1_Key.der
> 
> RH1:
> --------
> conn net-net
>        left=10.19.61.35
>        leftsubnet=192.168.100.0/24
>        leftcert=rh1_Cert.pem
>        right=10.19.61.67
>        rightsubnet=192.168.200.0/24
>        rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
>        auto=start
>        keyexchange=ikev2
>        #authby=secret
>        auth=esp
>        ike=3des-sha1-modp2048
>        esp=3des-sha1-modp2048
> 
> RH2:
> ----------
> conn net-net
>   left=10.19.61.67
>   leftsubnet=192.168.200.0/24
>   leftcert=rh2_Cert.pem
>   right=10.19.61.35
>   rightsubnet=192.168.100.0/24
>   rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
>   auto=start
>   keyexchange=ikev2
>   #authby=secret
>   auth=esp
>   ike=3des-sha1-modp2048
>   esp=3des-sha1-modp2048
> 
> Thanks Again
> -shashi..
> 
> On Wed, Aug 24, 2011 at 5:58 PM, Shashi Yash <shashi007 at gmail.com> wrote:
>> Trying to setup ipsec site to site scenario on two red hat machines. I
>> get the following error: "no acceptable proposal found" on both
>> machines. Can you guys please tell me why I'm getting the following
>> error.
>>
>> I have pasted the configs and logs from both machines.
>>
>> RH1: ipsec.conf
>> conn net-net
>>       left=10.19.61.35
>>       leftsubnet=192.168.100.0/24
>>       leftcert=rh1_Cert.pem
>>       right=10.19.61.67
>>       rightsubnet=192.168.200.0/24
>>       leftid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
>>       auto=start
>>       ike=3des
>>       esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>>
>>
>>
>> RH2:ipsec.conf
>> conn net-net
>>  left=10.19.61.67
>>  leftsubnet=192.168.200.0/24
>>  leftcert=rh2_Cert.pem
>>  right=10.19.61.35
>>  rightsubnet=192.168.100.0/24
>>  rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
>>  auto=start
>>  ike=3des
>>  esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>>
>>
>> RH1 Log:
>> -------------------
>> 13[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 13[IKE] 10.19.61.67 is initiating an IKE_SA
>> 13[IKE] no acceptable proposal found
>> 13[ENC] generating IKE_SA_INIT response 0 [ ]
>> 13[NET] sending packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 14[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 14[IKE] 10.19.61.67 is initiating an IKE_SA
>> 14[IKE] no acceptable proposal found
>>
>>
>> RH2 Log:
>> ---------------------
>>
>> 10[IKE] initiating IKE_SA net-net[1] to 10.19.61.35
>> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 10[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 11[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 11[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
>> 11[IKE] IKE_SA_INIT response with message ID 0 processing failed
>> 12[IKE] retransmit 1 of request with message ID 0
>> 12[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
>> 13[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 13[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
>> 13[IKE] IKE_SA_INIT response with message ID 0 processing failed
>> 14[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
>> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 14[IKE] 10.19.61.35 is initiating an IKE_SA
>> 14[IKE] no acceptable proposal found
>>
>> Thanks in Advance
>> -shashi..

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
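Andreas' point above is that strongSwan loads both DER and PEM keys but rejects the SSL-server style file in which a PEM key and a PEM certificate are concatenated. The following added example (not code from the thread or from the strongSwan project) classifies a key file before it is referenced from ipsec.secrets and splits a bundle into separate key and certificate files; the PEM labels it recognises and the placeholder contents are assumptions, not real key material.

```python
"""Classify a strongSwan private-key file: DER, single PEM key, or a PEM
key+certificate bundle (which strongSwan does not load). Added example."""
import re
import sys

# One PEM block: BEGIN/END labels must match (backreference \1).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Assumed set of labels that denote a private key (PKCS#1, PKCS#8, SEC1).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_blocks(data: bytes):
    """Return [(label, block_bytes), ...] for every PEM block in data."""
    return [(m.group(1).decode(), m.group(0)) for m in PEM_BLOCK.finditer(data)]


def classify_key_file(data: bytes) -> str:
    """Return 'der', 'pem-key', 'pem-bundle' or 'unknown'."""
    if data[:1] == b"\x30":          # DER: keys are an ASN.1 SEQUENCE (tag 0x30)
        return "der"
    labels = [lbl for lbl, _ in pem_blocks(data)]
    if len(labels) == 1 and labels[0] in KEY_LABELS:
        return "pem-key"
    if len(labels) > 1 and any(lbl in KEY_LABELS for lbl in labels):
        return "pem-bundle"          # key + cert concatenated: split it first
    return "unknown"


def split_bundle(data: bytes):
    """Return (key_pem, [cert_pem, ...]) so each part can be saved on its own."""
    key, certs = None, []
    for lbl, block in pem_blocks(data):
        if lbl in KEY_LABELS:
            key = block + b"\n"
        elif lbl == "CERTIFICATE":
            certs.append(block + b"\n")
    return key, certs


# Constructed placeholders for demonstration; the bodies are not real material.
KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEcONSTRUCTEDKEYBODY==\n"
           b"-----END RSA PRIVATE KEY-----\n")
CERT_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIDcONSTRUCTEDCERTBODY==\n"
            b"-----END CERTIFICATE-----\n")
BUNDLE_PEM = KEY_PEM + CERT_PEM            # the SSL-server style file
DER_KEY = b"\x30\x82\x04\xa4\x02\x01\x00"  # leading bytes of a DER SEQUENCE

if __name__ == "__main__":
    for path in sys.argv[1:]:              # usage: script.py rh1_Key.pem ...
        with open(path, "rb") as f:
            print(path, classify_key_file(f.read()))
```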