[strongSwan] Errors establishing connection

Rudolf Ladyzhenskii rudolfl at rumatech.com
Tue Apr 17 15:39:33 CEST 2012


Hi, all

I have a scenario that I used in the past without any issues.

Server 'voyage' is a gateway. Roadwarrior 'hp' is a client.

I use pre-shared keys. Log on 'voyage' is:

Apr 18 00:03:50 voyage charon: 16[NET] received packet: from 10.0.0.10[500] to 10.0.0.3[500]
Apr 18 00:03:50 voyage charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 18 00:03:50 voyage charon: 16[IKE] 10.0.0.10 is initiating an IKE_SA
Apr 18 00:03:51 voyage charon: 16[IKE] sending cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:51 voyage charon: 16[IKE] sending cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:51 voyage charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 18 00:03:51 voyage charon: 16[NET] sending packet: from 10.0.0.3[500] to 10.0.0.10[500]
Apr 18 00:03:52 voyage charon: 02[NET] received packet: from 10.0.0.10[4500] to 10.0.0.3[4500]
Apr 18 00:03:52 voyage charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N((16417)) ]
Apr 18 00:03:52 voyage charon: 02[IKE] received cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[IKE] received cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[IKE] received end entity cert "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[CFG] looking for peer configs matching 10.0.0.3[C=AU, ST=Some-State, O=Internet Widgits Pty Ltd]...10.0.0.10[C=AU, ST=Some-State, O=Internet Widgits Pty Ltd]
Apr 18 00:03:52 voyage charon: 02[CFG] selected peer config 'hp'
Apr 18 00:03:52 voyage charon: 02[CFG]   using trusted certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[IKE] signature validation failed, looking for another key
Apr 18 00:03:52 voyage charon: 02[CFG]   using certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[CFG]   using trusted ca certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[CFG]   reached self-signed root ca with a path length of 0
Apr 18 00:03:52 voyage charon: 02[IKE] authentication of 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd' with RSA signature successful
Apr 18 00:03:52 voyage charon: 02[CFG] constraint check failed: peer not authenticated with peer cert 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd'.
Apr 18 00:03:52 voyage charon: 02[CFG] selected peer config 'hp' inacceptable
Apr 18 00:03:52 voyage charon: 02[CFG] no alternative config found
Apr 18 00:03:52 voyage charon: 02[IKE] peer supports MOBIKE
Apr 18 00:03:52 voyage charon: 02[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 18 00:03:52 voyage charon: 02[NET] sending packet: from 10.0.0.3[4500] to 10.0.0.10[4500]

Now, for configuration.

Both sides run:
Linux strongSwan U4.5.2/K3.0.0-17-generic-pae

Client is Ubuntu 11.10 if that helps.

Both sets of keys were generated on the server with:
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout private/<key>.pem -out certs/<cert>.pem

There is a bug in openssl in Ubuntu 11.10 where RSA keys are not generated properly.
The key for 'hp' was transferred to 'hp' along with the certificate for voyage.

Network configuration -- the 'voyage' server has two LAN interfaces. One is 192.168.1.1, the second is 10.0.0.3.
The 'hp' client is on address 10.0.0.10 for test purposes.
I want 'hp' to be able to access the 192.168.1.x network.

On both devices pluto is off, charon is on.

'voyage' server:
ipsec.secrets:
 : RSA voyageKey.pem

ipsec.conf:
conn hp
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftcert=voyageCert.pem
        right=%any
        rightsourceip=192.168.1.111
        rightcert=hpCert.pem
        keyexchange=ikev2
        auto=add

'hp' roadwarrior:
ipsec.secrets:
 : RSA hpKey.pem

ipsec.conf:
conn voyage
        left=%defaultroute
        leftsourceip=%config
        leftcert=hpCert.pem
        right=rudolf.homelinux.com
        rightsubnet=192.168.1.0/24
        rightcert=voyageCert.pem
        keyexchange=ikev2
        auto=start

Any ideas why I am getting those authentication errors? I am lost.
The same mechanism works on a different server/client pair.

Thanks,
Rudolf
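As an added triage example (not from Rudolf's post and not strongSwan project code): a small Python script that walks the gateway's IKE_AUTH log lines quoted above and reports what they show: both peers present the same DN, the first key tried for that DN fails signature validation, and the rightcert= constraint fails even though RSA authentication succeeded with another certificate. The log lines are copied from the post; the function names and the wording of the findings are my own.

```python
import re

# Gateway-side charon log lines copied from the post above (the IKE_AUTH
# handling only); they are the triage input, not newly generated output.
SAMPLE_LOG = """\
Apr 18 00:03:52 voyage charon: 02[CFG] looking for peer configs matching 10.0.0.3[C=AU, ST=Some-State, O=Internet Widgits Pty Ltd]...10.0.0.10[C=AU, ST=Some-State, O=Internet Widgits Pty Ltd]
Apr 18 00:03:52 voyage charon: 02[CFG] selected peer config 'hp'
Apr 18 00:03:52 voyage charon: 02[CFG]   using trusted certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[IKE] signature validation failed, looking for another key
Apr 18 00:03:52 voyage charon: 02[CFG]   using certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[CFG]   using trusted ca certificate "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
Apr 18 00:03:52 voyage charon: 02[CFG]   reached self-signed root ca with a path length of 0
Apr 18 00:03:52 voyage charon: 02[IKE] authentication of 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd' with RSA signature successful
Apr 18 00:03:52 voyage charon: 02[CFG] constraint check failed: peer not authenticated with peer cert 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd'.
Apr 18 00:03:52 voyage charon: 02[CFG] selected peer config 'hp' inacceptable
"""

# "looking for peer configs matching <lhost>[<lid>]...<rhost>[<rid>]"
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching (?P<lhost>\S+)\[(?P<lid>.*?)\]\.\.\."
    r"(?P<rhost>\S+)\[(?P<rid>.*?)\]\s*$"
)
# End-entity candidates tried for the peer's identity. The "using trusted ca
# certificate" line is a chain-building step, not a candidate, and does not match.
CANDIDATE_RE = re.compile(r'using (?:trusted )?certificate "(?P<subject>[^"]*)"')
AUTH_OK_RE = re.compile(r"authentication of '(?P<id>[^']*)' with RSA signature successful")
CONSTRAINT_RE = re.compile(
    r"constraint check failed: peer not authenticated with peer cert '(?P<subject>[^']*)'"
)


def triage(log_text):
    """Walk one IKE_AUTH handling sequence and summarise why it failed."""
    report = {
        "local_id": None, "remote_id": None, "same_identity": False,
        "candidate_certs": [], "signature_failures": 0,
        "auth_ok": False, "pinned_cert": None, "constraint_failed": False,
        "findings": [],
    }
    for line in log_text.splitlines():
        m = PEER_CFG_RE.search(line)
        if m:
            report["local_id"], report["remote_id"] = m.group("lid"), m.group("rid")
            report["same_identity"] = report["local_id"] == report["remote_id"]
            continue
        m = CANDIDATE_RE.search(line)
        if m:
            report["candidate_certs"].append(m.group("subject"))
            continue
        if "signature validation failed" in line:
            report["signature_failures"] += 1
            continue
        if AUTH_OK_RE.search(line):
            report["auth_ok"] = True
            continue
        m = CONSTRAINT_RE.search(line)
        if m:
            report["constraint_failed"] = True
            report["pinned_cert"] = m.group("subject")

    f = report["findings"]
    if report["same_identity"]:
        f.append("both peers present the identity %r; strongSwan selects "
                 "certificates and keys by identity, so the lookup is ambiguous"
                 % report["remote_id"])
    if report["signature_failures"] and report["auth_ok"]:
        f.append("the first certificate tried for that identity did not verify "
                 "the AUTH payload; a different certificate with the same subject did")
    if report["constraint_failed"]:
        f.append("the certificate that verified the signature is not the one "
                 "pinned by rightcert=, so the peer config was rejected even "
                 "though RSA authentication itself succeeded")
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("identities: %s <-> %s (same: %s)" % (r["local_id"], r["remote_id"], r["same_identity"]))
    print("candidate certs tried: %d, signature failures: %d"
          % (len(r["candidate_certs"]), r["signature_failures"]))
    for finding in r["findings"]:
        print("-", finding)
```

Run it as a script to print the summary, or feed triage() the CFG/IKE lines of a longer charon log. Note that "signature validation failed, looking for another key" is not an error on its own: charon logs it whenever more than one public key is known for an identity and the first one does not verify the AUTH payload; it only matters here because the certificate that eventually verified is not the one the rightcert= constraint expects.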
