[strongSwan] getting error "expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed"

Meera Sudhakar mira.sudhakar at gmail.com
Thu Mar 17 12:33:21 CET 2011


Hi Andreas,

This problem was solved by the solution provided in
http://www.mail-archive.com/users@lists.strongswan.org/msg02152.html. I now
have a new problem for which I cannot find a solution. It would be great if
you could help me understand the problem, and hopefully provide a solution
too.

I generated the private key and certificate for my machines (the initiator
and the receiver) by executing the following command on each of them:

openssl req -x509 -days 1460 -newkey rsa:2048 \
            -keyout strongswanKey.pem -out strongswanCert.pem

I then placed the file strongswanKey.pem in the path /etc/ipsec.d/private/,
and the file strongswanCert.pem in the path /etc/ipsec.d/certs. So now, the
line " : RSA strongswanKey.pem "xxxx" " is added to the file ipsec.secrets,
and the line "leftcert=strongswanCert.pem" is added to the file ipsec.conf.

After starting strongswan, the following was seen in the log file:

Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG]   loaded RSA private key
from '/etc/ipsec.d/private/strongswanKey.pem'
Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Mar 17 18:35:32 cip-Latitude-D520 charon: 00[DMN] loaded plugins: curl ldap
aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl
fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke
updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve

Later on in the logs, I see that CHILD_SA was established, but IKE
authentication failed. I am not sure if this is connected to the above
problem. Please find a part of the logfile here:

Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA
sample-with-ca-cert
Mar 17 18:35:44 cip-Latitude-D520 charon: 12[ENC] generating IKE_AUTH
request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 17 18:35:44 cip-Latitude-D520 charon: 12[NET] sending packet: from
10.58.114.215[4500] to 10.58.112.139[4500]
Mar 17 18:35:44 cip-Latitude-D520 charon: 13[NET] received packet: from
10.58.112.139[4500] to 10.58.114.215[4500]
Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH response 1
[ N(AUTH_FAILED) ]
Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received
AUTHENTICATION_FAILED notify error

Could you please help me sort this out?

Thanks in advance,

Meera
On Wed, Mar 9, 2011 at 11:26 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> The log entry:
>
>
> : 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> : 06[NET] sending packet: from 10.58.114.215[500] to 10.58.112.139[500]
> : 14[IKE] retransmit 1 of request with message ID 0
>
> just means that your peer either does not receive the IKE_SA_INIT
> request or that the IKE_SA_INIT reply gets lost on the way back.
> You should check the log on the peer side.
>
> Regards
>
> Andreas
>
>
> On 03/09/2011 08:08 AM, Meera Sudhakar wrote:
>
>> Hi,
>> I am new to strongswan, and would really appreciate some help in setting
>> up the SAs. For some reason, packets being sent are not being received
>> by the other machine. After retries, it says "peer not responding, try
>> again". Please fine below an excerpt of my log file:
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[CFG] received stroke: add
>> connection 'sample-with-ca-cert'
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[CFG]   loaded certificate
>> "C=CH, O=Linux strongSwan, OU=Sales, CN=alice at strongswan.org" from 'myCert.pem'
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[CFG]   id '10.58.114.215'
>> not confirmed by certificate, defaulting to 'C=CH, O=Linux strongSwan,
>> OU=Sales, CN=alice at strongswan.org'
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[CFG] added configuration
>> 'sample-with-ca-cert'
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[CFG] received stroke:
>> initiate 'sample-with-ca-cert'
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[IKE] initiating IKE_SA
>> sample-with-ca-cert[1] to 10.58.112.139
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[ENC] generating IKE_SA_INIT
>> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Mar  9 13:25:59 cip-Latitude-D520 charon: 06[NET] sending packet: from
>> 10.58.114.215[500] to 10.58.112.139[500]
>> Mar  9 13:26:03 cip-Latitude-D520 charon: 14[IKE] retransmit 1 of
>> request with message ID 0
>> Mar  9 13:26:03 cip-Latitude-D520 charon: 14[NET] sending packet: from
>> 10.58.114.215[500] to 10.58.112.139[500]
>> Mar  9 13:26:04 cip-Latitude-D520 charon: 10[CFG] received stroke: add
>> connection 'sample-with-ca-cert'
>> Also, please find below my ipsec.conf file:
>> # ipsec.conf - strongSwan IPsec configuration file
>> # basic configuration
>> config setup
>>         charondebug=all
>>         # plutodebug=all
>>         # crlcheckinterval=600
>>         strictcrlpolicy=yes
>>         # cachecrls=yes - only for ikev1
>>         # nat_traversal=yes
>>         charonstart=yes
>>         # plutostart=yes - only for ikev1
>> # Add connections here.
>> # Sample VPN connections
>> #conn sample-self-signed
>> #      left=10.58.112.170
>> #      leftsubnet=10.1.0.0/16
>> #      leftcert=selfCert.der
>> #      leftsendcert=never
>> #      right=10.58.112.235
>> #      rightsubnet=10.2.0.0/16
>> #      rightcert=peerCert.der
>> #      auto=start
>> conn sample-with-ca-cert
>>       left=10.58.114.215
>>       leftsubnet=10.58.114.0/24
>>       leftcert=myCert.pem
>>       right=10.58.112.139
>>       rightsubnet=10.58.112.0/24
>>       rightid="C=CH, O=Linux strongSwan CN=peer name"
>>       keyexchange=ikev2
>>       auto=start
>> include /var/lib/strongswan/ipsec.conf.inc
>> Can someone help me out?
>> Thanks,
>> Mira
>>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
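The two failures reported in the log at the start of this message, an include whose file expression matches no file and a certificate or key that is not where charon looks for it, can both be caught before the daemon is started. The script below is an added example, not code from this thread or from strongSwan; it assumes a POSIX sh with mktemp, the /etc/ipsec.d/certs and /etc/ipsec.d/private layout described above, and that ipsec.secrets carries an include of /var/lib/strongswan/ipsec.secrets.inc (implied by the log, not shown in the message). It rebuilds that layout under a throwaway directory rather than touching /etc.

```shell
#!/bin/sh
# Added pre-flight check, not strongSwan tooling. Exercised against a
# constructed copy of the layout from the message (see demo below).

# Print "missing include: <expr>" for each include line in $1 that matches
# no file. Globs are expanded by the shell, as charon expands file expressions.
missing_includes() {
    grep -E '^[[:space:]]*include[[:space:]]+' "$1" 2>/dev/null |
    while read -r kw expr; do
        found=0
        for f in $expr; do              # unquoted on purpose: expand globs
            [ -e "$f" ] && found=1
        done
        if [ "$found" -eq 0 ]; then printf 'missing include: %s\n' "$expr"; fi
    done
    return 0
}

# Check that leftcert= (from ipsec.conf $2) and the ": RSA <file>" entry (from
# ipsec.secrets $3) exist under $1/certs and $1/private, where charon looks
# for bare file names.
missing_cert_or_key() {
    cert=$(sed -n 's/^[[:space:]]*leftcert=//p' "$2" | head -n 1)
    key=$(sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]*\([^[:space:]]*\).*/\1/p' "$3" | head -n 1)
    if [ -n "$cert" ] && [ ! -e "$1/certs/$cert" ]; then
        printf 'missing cert: %s/certs/%s\n' "$1" "$cert"
    fi
    if [ -n "$key" ] && [ ! -e "$1/private/$key" ]; then
        printf 'missing key: %s/private/%s\n' "$1" "$key"
    fi
    return 0
}

# Constructed reproduction (assumption, not the poster's real files): key and
# cert present, ipsec.conf include present, ipsec.secrets include missing.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ipsec.d/certs" "$tmp/ipsec.d/private" "$tmp/var/lib/strongswan"
    : > "$tmp/ipsec.d/certs/strongswanCert.pem"
    : > "$tmp/ipsec.d/private/strongswanKey.pem"
    : > "$tmp/var/lib/strongswan/ipsec.conf.inc"
    printf 'conn sample-with-ca-cert\n\tleftcert=strongswanCert.pem\ninclude %s/var/lib/strongswan/ipsec.conf.inc\n' \
        "$tmp" > "$tmp/ipsec.conf"
    printf ': RSA strongswanKey.pem "xxxx"\ninclude %s/var/lib/strongswan/ipsec.secrets.inc\n' \
        "$tmp" > "$tmp/ipsec.secrets"
    missing_includes "$tmp/ipsec.conf"
    missing_includes "$tmp/ipsec.secrets"     # the only line the demo reports
    missing_cert_or_key "$tmp/ipsec.d" "$tmp/ipsec.conf" "$tmp/ipsec.secrets"
    rm -rf "$tmp"
}
demo
```

Run it against the live files with `missing_includes /etc/ipsec.secrets` and `missing_cert_or_key /etc/ipsec.d /etc/ipsec.conf /etc/ipsec.secrets`; an empty result means charon will not log the "expanding file expression" error for those files.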