[strongSwan] strongswan client configuration

Alexandre Chapellon a.chapellon at horoa.net
Mon Jun 13 10:50:51 CEST 2011

OK, finally got my policy problem: I didn't know I had to do ipsec 
route... After doing ipsec route I can see my policies correctly set up.

Unfortunately it still doesn't work; I have the following error message on 
the client side:

initiating IKE_SA horoa[1] to
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from[500] to[500]
received packet: from[500] to[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
local host is behind NAT, sending keep alives
received cert request for unknown ca with keyid 
authentication of 'C=FR, O=customer1, CN=elronde' (myself) with RSA 
signature successful
sending end entity cert "C=FR, O=customer1, CN=elronde"
establishing CHILD_SA horoa
generating IKE_AUTH request 1 [ IDi CERT IDr AUTH CP(ADDR DNS DNS NBNS) 
sending packet: from[4500] to[4500]
received packet: from[4500] to[4500]
parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) 
no trusted RSA public key found for 'vpn.domain.tld'

Any idea where my config is wrong, or how to further debug it?

On 12/06/2011 16:50, Alexandre Chapellon wrote:
> Hello,
> I'm new to strongswan, and not so familiar with ipsec. I want to set up an
> ipsec VPN gateway for site to site and roadwarriors.
> I have installed strongswan on a debian 6 system. I have generated x509
> certificates and rsa keys as described here:
> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
> On the client side I have installed the strongswan network-manager
> plugin. I can successfully establish vpn connections and route packets
> from and to the roadwarrior client.
> I'd like to do the same but without using the network-manager gui... and
> here it fails.
> I guess my certs are ok as connections work just fine with the gui. Here is
> my ipsec.conf on the rw side:
> config setup
>       strictcrlpolicy=no
>       charonstart=yes
>       plutostart=yes
> ca horoa
>       cacert=/home/some1/ssl/pki/ca.crt
> conn %default
>       ikelifetime=60m
>       keylife=20m
>       rekeymargin=3m
>       keyingtries=1
>       keyexchange=ikev2
> conn strongswan
>       left=%defaultroute
>       leftcert=/home/some1/ssl/pki/elronde.crt
>       leftrsasigkey=/home/some1/ssl/pki/elronde.key
>       leftsourceip=%config
>       right=
>       rightid=vpn.domain.tld
>       rightsubnet=
>       auto=add
> when I type sudo ipsec up strongswan, the connection seems to come up, but
> routing does not work and looking at ip xfrm policy I can see there is
> none. Does anyone know where my issue is?
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
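
An added example, not from the thread above and not strongSwan project code: a roadwarrior ipsec.conf and ipsec.secrets pair laid out the way strongSwan 4.x expects its credentials. The two log lines "received cert request for unknown ca" and "no trusted RSA public key found for 'vpn.domain.tld'" are charon saying that it does not hold the CA certificate the gateway asked for, and therefore cannot find a trusted certificate for the identity the gateway presented. Charon loads CA certificates from /etc/ipsec.d/cacerts, end-entity certificates from /etc/ipsec.d/certs and private keys from /etc/ipsec.d/private, with the private key named in ipsec.secrets rather than through leftrsasigkey (which takes a raw public key, not a key file). GATEWAY_IP, the rightsubnet value and the file names are placeholders chosen here; the identities and lifetimes are the ones from the post.

```ini
# /etc/ipsec.conf on the roadwarrior (added example, strongSwan 4.x syntax)
config setup
        plutostart=no           # IKEv2 only: charon handles it, pluto is not needed
        charonstart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn horoa
        left=%defaultroute
        leftcert=elronde.crt              # looked up in /etc/ipsec.d/certs/
        leftid="C=FR, O=customer1, CN=elronde"   # must equal the subject DN of elronde.crt
        leftsourceip=%config              # ask the gateway for a virtual IP (CP ADDR)
        right=GATEWAY_IP                  # placeholder: the gateway's public address
        rightid=@vpn.domain.tld           # '@' = FQDN identity, not resolved; the gateway
                                          # certificate must carry it as a subjectAltName
        rightsubnet=0.0.0.0/0             # placeholder: the network(s) reached through the tunnel
        auto=add

# /etc/ipsec.secrets on the roadwarrior
# The private key is declared here; the file is looked up in /etc/ipsec.d/private/.
: RSA elronde.key
```

With the CA certificate copied to /etc/ipsec.d/cacerts/ca.crt and the end-entity certificate and key in place, `ipsec rereadall` (or a restart) picks them up; `ipsec listcacerts` should then show the CA, and `ipsec listcerts` should show "C=FR, O=customer1, CN=elronde" with "has private key" on its pubkey line. If listcacerts still comes back empty, the trust anchor is the place to keep looking before anything else. After `ipsec up horoa` succeeds, `ip xfrm policy` and `ip xfrm state` show the policies and SAs charon installed; `ipsec route horoa` only installs trap policies ahead of time and is not required once the CHILD_SA comes up.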
