[strongSwan] Cert question

Andreas Steffen andreas.steffen at strongswan.org
Thu Feb 24 19:29:07 CET 2011


The error message

: 15[IKE] received AUTHENTICATION_FAILED notify error

means that the authentication failed on the remote side.
Please check the logs of the peer.

Andreas

On 02/24/2011 06:25 PM, Gary Smith wrote:
>>> I think I'm a little confused as to where the keys need to go. Do I
>>> need to export the cert (without key) and dump it into
>>> /etc/ipsec.d/certs and export the key separately and dump it into
>>> /etc/ipsec.d/private?
>>>
>> Yes, this is correct!
>>
>
> Andreas,
>
> So I exported the cert/key separately and now ipsec certlists shows that the private key is included. Now when I run the ipsec up connname it appears to be doing the negotiation but dies with the error listed below:
>
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
>
> Feb 24 08:52:47 hslinvpn01 charon: 14[IKE] establishing CHILD_SA fre-lin
>
> Feb 24 08:52:47 hslinvpn01 charon: 14[IKE] establishing CHILD_SA fre-lin
>
> Feb 24 08:52:47 hslinvpn01 charon: 14[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>
> Feb 24 08:52:47 hslinvpn01 charon: 14[NET] sending packet: from
>
> Feb 24 08:52:47 hslinvpn01 charon: 15[NET] received packet: from
>
> Feb 24 08:52:47 hslinvpn01 charon: 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> Feb 24 08:52:47 hslinvpn01 charon: 15[IKE] received AUTHENTICATION_FAILED notify error
>
> Feb 24 08:52:54 hslinvpn01 charon: 10[CFG] received stroke: terminate 'fre-lin'
>
> Feb 24 08:52:54 hslinvpn01 charon: 10[CFG] no IKE_SA named 'fre-lin' found


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
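
The direction rule from the reply above, as an added example that is not part of the original post or of strongSwan: it reads charon [ENC] lines and reports which side issued N(AUTH_FAILED). The initiator lines are copied from the quoted log; the responder lines, the host name "peer" and the function name are constructed, and it is assumed that the rejecting side logs the notify under "generating".

```python
import re

# charon [ENC] lines record every IKE message with its direction:
# "parsed" = received from the peer, "generating" = built locally.
ENC_RE = re.compile(
    r"charon: \d+\[ENC\] (?P<dir>parsed|generating) (?P<exch>\S+) "
    r"(?P<kind>request|response) (?P<mid>\d+) \[(?P<payloads>.*)\]"
)

ADVICE = {
    "peer": "peer rejected our authentication: read the peer's log",
    "local": "we rejected the peer: the reason is in this log",
    None: "no AUTH_FAILED notify in an IKE_AUTH message",
}

def auth_failed_origin(lines):
    """Return 'peer', 'local' or None: which side sent N(AUTH_FAILED)."""
    for line in lines:
        m = ENC_RE.search(line)
        if not m or m["exch"] != "IKE_AUTH":
            continue
        # Match whole payload tokens so N(EAP_ONLY) etc. never count.
        if "N(AUTH_FAILED)" in m["payloads"].split():
            return "peer" if m["dir"] == "parsed" else "local"
    return None

# Initiator side: lines taken from the quoted log in this message.
INITIATOR_LOG = [
    "Feb 24 08:52:47 hslinvpn01 charon: 14[ENC] generating IKE_AUTH request 1 "
    "[ IDi IDr AUTH SA TSi TSr N(EAP_ONLY) ]",
    "Feb 24 08:52:47 hslinvpn01 charon: 15[ENC] parsed IKE_AUTH response 1 "
    "[ N(AUTH_FAILED) ]",
    "Feb 24 08:52:47 hslinvpn01 charon: 15[IKE] received AUTHENTICATION_FAILED "
    "notify error",
]

# Responder side: constructed sample of what the rejecting peer would log.
RESPONDER_LOG = [
    "Feb 24 08:52:47 peer charon: 09[ENC] parsed IKE_AUTH request 1 "
    "[ IDi IDr AUTH SA TSi TSr N(EAP_ONLY) ]",
    "Feb 24 08:52:47 peer charon: 09[ENC] generating IKE_AUTH response 1 "
    "[ N(AUTH_FAILED) ]",
]

if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG)):
        print(f"{name}: {ADVICE[auth_failed_origin(log)]}")
```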



