[strongSwan] Site to site vpn using certificates-no peer config in log files

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 22 09:05:36 CET 2011


Hello Ed,

on the moon side you must configure

   rightid="***SUN DN ON CERTIFICATE***"

Regards

Andreas

On 11/22/2011 07:59 AM, Edward Cooke wrote:
> Hi all,
>
> I'm trying to get a site to site VPN set up between two strongSwan Linux
> systems. I can't get past the "no matching peer config found" message on
> Sun (my datacenter). I've tried using the net-net ikev2 config example
> in the tests as that is closest to what I am trying to do. Does anyone
> have any suggestions? Below is detailed info on the setups. If anybody
> could help it would be most appreciated.
>
> Thanks in advance,
>
> -Ed-
>
> The way my setup looks is this:
>
> Moon -> Firewall -> internet <- Sun
>
> Here's the log entries during the connection attempts:
>
> SUN
> -------
> Nov 21 23:31:55 firewall1 charon: 12[NET] received packet: from ***MOON EXTERNAL IP***[65146] to ***SUN IP***[500]
> Nov 21 23:31:55 firewall1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating an IKE_SA
> Nov 21 23:31:55 firewall1 charon: 12[IKE] ***MOON EXTERNAL IP*** is initiating an IKE_SA
> Nov 21 23:31:56 firewall1 charon: 12[IKE] remote host is behind NAT
> Nov 21 23:31:56 firewall1 charon: 12[IKE] sending cert request for "***"
> Nov 21 23:31:56 firewall1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Nov 21 23:31:56 firewall1 charon: 12[NET] sending packet: from ***SUN IP***[500] to ***MOON EXTERNAL IP***[65146]
> Nov 21 23:31:56 firewall1 charon: 04[NET] received packet: from ***MOON EXTERNAL IP***[11060] to ***SUN IP***[4500]
> Nov 21 23:31:56 firewall1 charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Nov 21 23:31:56 firewall1 charon: 04[IKE] received end entity cert "***"
> Nov 21 23:31:56 firewall1 charon: 04[CFG] looking for peer configs matching ***SUN IP***[SUN HOSTNAME]...***MOON IP***[***MOON DN ON CERTIFICATE***]
> Nov 21 23:31:56 firewall1 charon: 04[CFG] no matching peer config found
> Nov 21 23:31:56 firewall1 charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 21 23:31:56 firewall1 charon: 04[NET] sending packet: from ***SUN IP***[4500] to ***MOON IP***[11060]
>
> MOON
> -------
> Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to ***SUN IP***
> Nov 21 16:43:54 linuxfw charon: 11[IKE] initiating IKE_SA site-site[22] to ***SUN IP***
> Nov 21 16:43:54 linuxfw charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 21 16:43:54 linuxfw charon: 11[NET] sending packet: from ***MOON IP***[500] to ***SUN IP***[500]
> Nov 21 16:43:54 linuxfw charon: 14[NET] received packet: from ***SUN IP***[500] to ***MOON IP***[500]
> Nov 21 16:43:54 linuxfw charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Nov 21 16:43:54 linuxfw charon: 14[IKE] local host is behind NAT, sending keep alives
> Nov 21 16:43:54 linuxfw charon: 14[IKE] received 1 cert requests for an unknown ca
> Nov 21 16:43:54 linuxfw charon: 14[IKE] authentication of '***MOON DN ON CERTIFICATE***' (myself) with RSA signature successful
> Nov 21 16:43:54 linuxfw charon: 14[IKE] sending end entity cert "***MOON DN ON CERTIFICATE***"
> Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
> Nov 21 16:43:54 linuxfw charon: 14[IKE] establishing CHILD_SA site-site
> Nov 21 16:43:54 linuxfw charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Nov 21 16:43:54 linuxfw charon: 14[NET] sending packet: from ***MOON IP***[4500] to ***SUN IP***[4500]
> Nov 21 16:43:54 linuxfw charon: 04[NET] received packet: from ***SUN IP***[4500] to ***MOON IP***[4500]
> Nov 21 16:43:54 linuxfw charon: 04[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 21 16:43:54 linuxfw charon: 04[IKE] received AUTHENTICATION_FAILED notify error
>
> And ipsec.conf files
>
> SUN
> -------
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
> config setup
>     #strict is new
>     strictcrlpolicy=no
>     plutostart=no
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     mobike=no
>
> conn site-site
>     left=***SUN IP***
>     leftsubnet=***SUN INTERNAL SUBNET***
>     leftcert=***CERT FILE NAME***
>     leftfirewall=yes
>     right=%any
>     rightsubnet=***MOON INTERNAL SUBNET***
>     rightid="***MOON DN ON CERTIFICATE***"
>     auto=add
>
> MOON
> -------
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
> config setup
>     plutostart=no
>     strictcrlpolicy=no
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     mobike=no
>
> # Sample VPN connections
> conn site-site
>     left=%defaultroute
>     leftcert=***CERT FILE NAME***
>     leftsubnet=***MOON INTERNAL SUBNET***
>     leftfirewall=yes
>     right=***SUN FQDN***
>     #rightid=@vpn.frakkingsweet.com
>     rightsubnet=***SUN INTERNAL SUBNET***
>     auto=add
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
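The Sun log shows why the lookup fails: charon searches for a peer config whose local identity equals the IDr the initiator sent and whose remote identity equals IDi. Moon has no rightid, so its IDr defaults to the value of right= (Sun's host name as an FQDN), while Sun's local identity defaults to the subject DN of leftcert; the two never match. The script below is an added illustration, not strongSwan's code: a deliberately simplified model of that lookup, run over constructed ipsec.conf fragments with made-up DNs and a made-up FQDN standing in for the redacted values in the thread. It shows the lookup failing with Moon's config as posted and succeeding once rightid is set to Sun's certificate DN, as Andreas suggests. The default-identity rules it models (leftid falls back to the leftcert subject, rightid falls back to right) are the documented ipsec.conf defaults; the matching itself is reduced to plain string comparison, which is an assumption of this toy and not how charon compares identities.

```python
"""Toy model of charon's 'looking for peer configs matching IDr...IDi' step.

Added example, not strongSwan code. Identities, addresses and file names are
constructed stand-ins for the redacted values in the original mail.
"""

# Constructed identities (stand-ins for ***SUN DN***, ***MOON DN***, ***SUN FQDN***).
SUN_DN = "C=CH, O=Example, CN=sun.example.org"
MOON_DN = "C=CH, O=Example, CN=moon.example.org"
SUN_FQDN = "vpn.sun.example.org"

# Constructed ipsec.conf fragments mirroring the conn sections in the thread.
SUN_CONF = f"""
conn %default
    keyexchange=ikev2
conn site-site
    left=198.51.100.10
    leftcert=sunCert.pem
    leftsubnet=10.1.0.0/16
    right=%any
    rightid="{MOON_DN}"
    rightsubnet=10.2.0.0/16
    auto=add
"""

MOON_CONF_BROKEN = f"""
conn %default
    keyexchange=ikev2
conn site-site
    left=%defaultroute
    leftcert=moonCert.pem
    leftsubnet=10.2.0.0/16
    right={SUN_FQDN}
    rightsubnet=10.1.0.0/16
    auto=add
"""

# The fix from the reply: the only change is one added rightid line on Moon.
MOON_CONF_FIXED = MOON_CONF_BROKEN.replace(
    f"right={SUN_FQDN}", f'right={SUN_FQDN}\n    rightid="{SUN_DN}"')


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn.

    Relies on the ipsec.conf layout rule: section headers start in column 0,
    settings are indented. Comments after '#' are dropped, quotes are stripped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                     # 'conn NAME' or 'config setup'
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")   # DNs contain '=' too
            conns[current][key.strip()] = value.strip().strip('"')
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def local_id(conn, cert_dn):
    """leftid defaults to the subject DN of leftcert, else to left."""
    if "leftid" in conn:
        return conn["leftid"]
    return cert_dn if "leftcert" in conn else conn["left"]


def remote_id(conn):
    """rightid defaults to right (an address, a host name, or %any)."""
    return conn.get("rightid", conn.get("right", "%any"))


def initiator_ids(conn, cert_dn):
    """(IDi, IDr) the initiator puts into its IKE_AUTH request for this conn."""
    return local_id(conn, cert_dn), remote_id(conn)


def responder_lookup(conns, cert_dn, idi, idr):
    """Name of the first conn whose local id equals IDr and whose remote id
    covers IDi, or None ('no matching peer config found')."""
    for name, conn in conns.items():
        local_ok = idr is None or idr == local_id(conn, cert_dn)
        remote = remote_id(conn)
        remote_ok = remote == "%any" or remote == idi
        if local_ok and remote_ok:
            return name
    return None


if __name__ == "__main__":
    sun = parse_ipsec_conf(SUN_CONF)
    for label, conf in (("Moon without rightid", MOON_CONF_BROKEN),
                        ("Moon with rightid", MOON_CONF_FIXED)):
        moon = parse_ipsec_conf(conf)["site-site"]
        idi, idr = initiator_ids(moon, MOON_DN)
        match = responder_lookup(sun, SUN_DN, idi, idr)
        print(f"{label}: IDr={idr!r} -> {match or 'no matching peer config found'}")
```

Running it prints the failing lookup for the posted Moon config (IDr is the FQDN, Sun's only conn identifies itself by DN) and the successful match once rightid carries Sun's DN. The same reasoning applies when reading a real "looking for peer configs matching A[IDr]...B[IDi]" line: the bracketed IDr must equal the responder's leftid (or its certificate subject), and IDi must be covered by some conn's rightid.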
