[strongSwan] Question on IKEv2

Chris Arnold carnold at electrichendrix.com
Thu Apr 5 19:47:24 CEST 2012


OK, I have gotten a little further. When I run ipsec up <conn-name>, I get this:
initiating IKE_SA teknerds[1] to sonicwall.public.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA teknerds[1] to 75.177.187.225
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.public.ip[500]
received packet: from sonicwall.public.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
received cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
received cert request for unknown ca with keyid <removed>
sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, CN=Jarrod, E=email at address"
sending cert request for "C=CH, O=ELC, CN=Edens Land Corp CA"
authentication of 'edenslandcorp.com' (myself) with pre-shared key
establishing CHILD_SA teknerds
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.168.1.18[4500] to sonicwall.public.ip[4500]
received packet: from sonicwall.public.ip[4500] to 192.168.1.18[4500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(INIT_CONTACT) ]
authentication of 'sonicwall id' with pre-shared key successful
constraint check failed: identity 'sonicwall id' required
selected peer config 'teknerds' inacceptable
no alternative config found

The sonicwall shows an active tunnel. Unable to ping from either network to the other side.
ipsec statusall shows:
Status of IKEv2 charon daemon (strongSwan 4.4.0):
  uptime: 8 minutes, since Apr 05 13:09:48 2012
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl gcrypt fips-prf xcbc hmac gmp attr kernel-netlink socket-raw stroke updown resolve
Listening IP addresses:
  192.168.1.18
Connections:
    teknerds:  192.168.1.18...sonicwall.public.ip
    teknerds:   local:  [edenslandcorp.com] uses pre-shared key authentication
    teknerds:   remote: [sonicwall id] uses any authentication
    teknerds:   child:  192.168.1.0/24 === 192.168.123.0/24
Security Associations:
  none

Here is the ipsec.conf:
config setup
	# plutodebug=all
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# nat_traversal=yes
	# charonstart=no
	# only charon (IKEv2) is needed, so the IKEv1 daemon stays off
	plutostart=no

# Add connections here.

conn %default
	ikelifetime=28800s
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	authby=secret
	keyexchange=ikev2
	mobike=no

conn teknerds
	# no ike=/esp= lines, so charon offers its default proposals; the log
	# above shows the SonicWall answering INVAL_KE and forcing a retry
	# with MODP_1024 (group 2)
	left=192.168.1.18
	leftsubnet=192.168.1.0/24
	leftid=@strongswan.id
	#leftfirewall=yes
	right=sonicwall.public.ip
	rightsubnet=192.168.123.0/24
	# must equal the IDr the SonicWall sends in IKE_AUTH; the log above
	# fails the constraint check on this value right after PSK auth succeeds
	rightid=@sonicwall.id
	auto=add

The sonicwall proposals are:
phase 1 - IKEv2, group 2, 3DES-SHA1
phase 2 - ESP, 3DES, SHA1, no PFS
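As an added example (not part of the thread and not strongSwan's own code), a small Python checker that reads charon log lines like the ones above and names the two things they show: the DH group fallback after INVAL_KE, and a rightid that does not match the identity the peer actually authenticated with. The sample lines are constructed to mirror the thread's log; the SonicWall's identity is an illustrative value because the thread redacts it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Patterns follow charon's wording as it appears in the thread's log.
RE_INVAL_KE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
RE_PEER_AUTH = re.compile(r"authentication of '([^']+)' with .+ successful")
RE_CONSTRAINT = re.compile(r"constraint check failed: identity '([^']+)' required")
RE_CONFIG = re.compile(r"selected peer config '([^']+)' inacceptable")

@dataclass
class Diagnosis:
    dh_fallbacks: List[Tuple[str, str]] = field(default_factory=list)  # (rejected, requested)
    peer_identity: Optional[str] = None      # identity the remote peer authenticated as
    required_identity: Optional[str] = None  # identity the selected config demands (rightid)
    config: Optional[str] = None             # connection that was selected and then rejected
    findings: List[str] = field(default_factory=list)

def diagnose(lines):
    # Scan charon log lines and explain why the IKE_SA did not come up.
    d = Diagnosis()
    for line in lines:
        if m := RE_INVAL_KE.search(line):
            d.dh_fallbacks.append((m.group(1), m.group(2)))
        elif m := RE_PEER_AUTH.search(line):   # the '(myself)' line carries no 'successful'
            d.peer_identity = m.group(1)
        elif m := RE_CONSTRAINT.search(line):
            d.required_identity = m.group(1)
        elif m := RE_CONFIG.search(line):
            d.config = m.group(1)
    for rejected, requested in d.dh_fallbacks:
        d.findings.append(f"proposal mismatch: peer rejected {rejected} and asked for {requested}; "
                          f"list that group in ike= so the first IKE_SA_INIT is accepted")
    if d.peer_identity and d.required_identity and d.peer_identity != d.required_identity:
        d.findings.append(f"identity mismatch in '{d.config}': peer authenticated as "
                          f"'{d.peer_identity}' but rightid requires '{d.required_identity}'; "
                          f"rightid must equal the ID the peer actually sends")
    return d

# Constructed sample mirroring the thread's log; the peer identity is illustrative.
SAMPLE_LOG = [
    "parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]",
    "peer didn't accept DH group MODP_2048, it requested MODP_1024",
    "authentication of 'edenslandcorp.com' (myself) with pre-shared key",
    "authentication of 'sonicwall.example.invalid' with pre-shared key successful",
    "constraint check failed: identity 'sonicwall.id' required",
    "selected peer config 'teknerds' inacceptable",
    "no alternative config found",
]
```

Run diagnose() over the lines of a real charon log to get the same two findings for this kind of failure.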

----- Original Message -----
From: "Andreas Steffen" <andreas.steffen at strongswan.org>
To: "Chris Arnold" <carnold at electrichendrix.com>
Cc: users at lists.strongswan.org
Sent: Thursday, April 5, 2012 3:57:10 AM
Subject: Re: [strongSwan] Question on IKEv2

Hi Chris,

can you send me your caCert.der certificate?

Andreas

On 04/05/2012 12:25 AM, Chris Arnold wrote:
> Thank you all for not calling me an id10t!! I read, completely, the
> email Andreas sent and saw where you can use the pki tool.... So, I
> followed the instructions and on the import of caCert.der into the
> sonicwall, I get the error, invalid format. Please use der or pem.
> The other 2 files import fine into the sonicwall and they too are der
> format.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==