[strongSwan] Site to site vpn using certificates-no peer config in log files
Edward Cooke
edward at frakkingsweet.com
Tue Nov 22 07:59:20 CET 2011
Hi all,
I'm trying to get a site to site VPN set up between two strongSwan Linux systems. I can't get past the "no matching peer config found" message on Sun (my datacenter). I've tried using the net-net ikev2 config example in the tests as that is closest to what I am trying to do. Does anyone have any suggestions? Below is detailed info on the setups. If anybody could help it would be most appreciated.
Thanks in advance,
-Ed-
The way my setup looks is this:
Moon -> Firewall -> internet <- Sun
Here's the log entries during the connection attempts:
SUN
-------
Nov 21 23:31:55 firewall1 charon: 12[NET] received packet: from ***MOON EXTERNAL IP***[65146] to ***SUN IP***[500]
Nov 21 23:31:55 firewall1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating an IKE_SA
Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating an IKE_SA
Nov 21 23:31:56 firewall1 charon: 12[IKE] remote host is behind NAT
Nov 21 23:31:56 firewall1 charon: 12[IKE] sending cert request for "***"
Nov 21 23:31:56 firewall1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 21 23:31:56 firewall1 charon: 12[NET] sending packet: from ***SUN IP***[500] to ***MOON EXTERNAL IP***[65146]
Nov 21 23:31:56 firewall1 charon: 04[NET] received packet: from ***MOON EXTERNAL IP***[11060] to ***SUN IP***[4500]
Nov 21 23:31:56 firewall1 charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 21 23:31:56 firewall1 charon: 04[IKE] received end entity cert "***"
Nov 21 23:31:56 firewall1 charon: 04[CFG] looking for peer configs matching ***SUN IP***[SUN HOSTNAME]...***MOON IP***[***MOON DN ON CERTIFICATE***]
Nov 21 23:31:56 firewall1 charon: 04[CFG] no matching peer config found
Nov 21 23:31:56 firewall1 charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 21 23:31:56 firewall1 charon: 04[NET] sending packet: from ***SUN IP***[4500] to ***MOON IP***[11060]
MOON
-------
Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to ***SUN IP***
Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to ***SUN IP***
Nov 21 16:43:54 linuxfw charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 21 16:43:54 linuxfw charon: 11[NET] sending packet: from ***MOON IP***[500] to ***SUN IP***[500]
Nov 21 16:43:54 linuxfw charon: 14[NET] received packet: from ***SUN IP***[500] to ***MOON IP***[500]
Nov 21 16:43:54 linuxfw charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 21 16:43:54 linuxfw charon: 14[IKE] local host is behind NAT, sending keep alives
Nov 21 16:43:54 linuxfw charon: 14[IKE] received 1 cert requests for an unknown ca
Nov 21 16:43:54 linuxfw charon: 14[IKE] authentication of '***MOON DN ON CERTIFICATE***' (myself) with RSA signature successful
Nov 21 16:43:54 linuxfw charon: 14[IKE] sending end entity cert "***MOON DN ON CERTIFICATE***"
Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
Nov 21 16:43:54 linuxfw charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Nov 21 16:43:54 linuxfw charon: 14[NET] sending packet: from ***MOON IP***[4500] to ***SUN IP***[4500]
Nov 21 16:43:54 linuxfw charon: 04[NET] received packet: from ***SUN IP***[4500] to ***MOON IP***[4500]
Nov 21 16:43:54 linuxfw charon: 04[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 21 16:43:54 linuxfw charon: 04[IKE] received AUTHENTICATION_FAILED notify error
And ipsec.conf files
SUN
-------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        #strict is new
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn site-site
        left=***SUN IP***
        leftsubnet=***SUN INTERNAL SUBNET***
        leftcert=***CERT FILE NAME***
        leftfirewall=yes
        right=%any
        rightsubnet=***MOON INTERNAL SUBNET***
        rightid="***MOON DN ON CERTIFICATE***"
        auto=add
MOON
-------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        plutostart=no
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

# Sample VPN connections
conn site-site
        left=%defaultroute
        leftcert=***CERT FILE NAME***
        leftsubnet=***MOON INTERNAL SUBNET***
        leftfirewall=yes
        right=***SUN FQDN***
        #rightid=@vpn.frakkingsweet.com
        rightsubnet=***SUN INTERNAL SUBNET***
        auto=add
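An added example, not code from the thread or from the strongSwan project: a small checker that derives the IKEv2 identities each side of an ipsec.conf pair will actually use and then tests whether the responder holds a conn matching them, reproducing the shape of the "looking for peer configs matching me[IDr]...other[IDi]" line seen in the Sun log above. It applies the identity defaults the strongSwan ipsec.conf man page documents (leftid defaults to the subject DN of leftcert when a certificate is configured, otherwise to left; rightid defaults to right) and compares ids by plain equality, which is a simplification of charon's real matching (wildcards, subjectAltNames). The certificate subjects, example.org names, addresses and file names are constructed placeholders; CERT_SUBJECTS stands in for what `ipsec listcerts` would report.

```python
"""Check which responder conn, if any, matches the IDr/IDi an IKEv2 initiator
sends, using ipsec.conf identity defaults.  Constructed example data only."""
import re

# Constructed stand-in for the certificate subjects; on a real host read them
# with `ipsec listcerts` or `openssl x509 -noout -subject -in <file>`.
CERT_SUBJECTS = {
    "sunCert.pem": "C=CH, O=Example, CN=sun.example.org",
    "moonCert.pem": "C=CH, O=Example, CN=moon.example.org",
}

SUN_CONF = """\
conn site-site
    left=203.0.113.10
    leftcert=sunCert.pem
    right=%any
    rightid="C=CH, O=Example, CN=moon.example.org"
    auto=add
"""

MOON_CONF = """\
conn site-site
    left=%defaultroute
    leftcert=moonCert.pem
    right=sun.example.org
    #rightid="C=CH, O=Example, CN=sun.example.org"
    auto=add
"""

LOOKUP_RE = re.compile(
    r"looking for peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*)\]$")


def parse_conns(text):
    """Return {conn name: {key: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                # section header at column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def norm(ident):
    """Strip quotes and the '@' FQDN marker so ids compare by value."""
    return ident.strip().strip('"').lstrip("@")


def effective_ids(conn):
    """(local id, remote id) a conn will use after strongSwan's defaults."""
    if "leftid" in conn:
        local = conn["leftid"]
    elif "leftcert" in conn:
        local = CERT_SUBJECTS[conn["leftcert"]]   # leftid defaults to cert DN
    else:
        local = conn.get("left", "%any")
    remote = conn.get("rightid", conn.get("right", "%any"))  # rightid -> right
    return norm(local), norm(remote)


def initiator_ids(conf, conn_name):
    """(IDi, IDr) the initiator puts in IKE_AUTH for the named conn."""
    return effective_ids(parse_conns(conf)[conn_name])


def lookup_line(responder_addr, initiator_addr, idi, idr):
    """Constructed charon line in the format 'me[IDr]...other[IDi]'."""
    return ("charon: 04[CFG] looking for peer configs matching "
            f"{responder_addr}[{idr}]...{initiator_addr}[{idi}]")


def id_matches(configured, received):
    return configured == "%any" or configured == received


def matching_conns(responder_conf, line):
    """Names of responder conns whose ids fit the IDr/IDi in the log line."""
    m = LOOKUP_RE.search(line)
    if not m:
        raise ValueError("not a peer-config lookup line")
    idr, idi = m.group(2), m.group(4)
    hits = []
    for name, conn in parse_conns(responder_conf).items():
        local, remote = effective_ids(conn)
        if id_matches(local, idr) and id_matches(remote, idi):
            hits.append(name)
    return hits


if __name__ == "__main__":
    idi, idr = initiator_ids(MOON_CONF, "site-site")
    line = lookup_line("203.0.113.10", "198.51.100.7", idi, idr)
    print(line)
    print("sun conns matching:", matching_conns(SUN_CONF, line))
    pinned = MOON_CONF.replace("#rightid=", "rightid=")   # pin IDr to sun's DN
    idi, idr = initiator_ids(pinned, "site-site")
    print("after rightid:", matching_conns(SUN_CONF, lookup_line("203.0.113.10", "198.51.100.7", idi, idr)))
```

With the moon conf as written, the initiator sends IDr = the hostname from `right=` (rightid is commented out), while the sun conn's local id is its certificate DN, so the checker reports no matching conn; once moon's rightid is set to sun's certificate subject it reports `['site-site']`. The mirror-image fix, setting `leftid` on sun to the FQDN, only works if that name is actually contained in sun's certificate (subject DN or subjectAltName), which this checker does not verify. It also does not model trust: the moon-side line "received 1 cert requests for an unknown ca" says moon does not hold the CA that sun asks for, and that would surface as a separate failure once the identities line up.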