[strongSwan] Auth Failed

Chris Arnold carnold at electrichendrix.com
Mon Dec 31 19:55:14 CET 2012


strongSwan 4.4.06 on SLES 11 SP2. This used to work. I am working on adding iOS users to strongSwan, but have commented that out of ipsec.conf and ipsec.secrets to verify it is not the cause. A Windows 7 user with a client certificate connects and receives:
Error 13801: IKE Authentication Credentials are unacceptable

All other VPN connections work (e.g. the conn teknerds, which is strongSwan to SonicWall).

Error in the charon.log:
13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
13[CFG] looking for peer configs matching 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]
13[CFG] selected peer config 'rclientscerts'
13[CFG]   using certificate "O=Chris VPN service, CN=Client2"
13[CFG]   using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=Jarrod, E=email at address"
13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"
13[CFG] certificate status is not available
13[CFG]   reached self-signed root ca with a path length of 0
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful
13[IKE] peer supports MOBIKE
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Here is ipsec.conf:
config setup
	# plutodebug=all
	  crlcheckinterval=600
	  strictcrlpolicy=no
	# cachecrls=yes
	  nat_traversal=yes
	# charonstart=no
	# pluto (the IKEv1 daemon) is not started; only charon (IKEv2) runs.
	# The commented-out "conn iOS" below uses keyexchange=ikev1 and would need pluto.
	  plutostart=no
	#charondebug="cfg 3,lib=3"

# Add connections here.

conn %default
	ikelifetime=28800s
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	mobike=no

# Road-warrior conn with EAP-MSCHAPv2 client authentication.
# auto=ignore: this conn is not loaded, so it plays no part in the failure above.
conn rclientseap
	rekey=no
	left=%any
	leftauth=pubkey
	leftcert=server_cert.crt
	leftid=@public.ip
	leftsubnet=0.0.0.0/0
	right=%any
	rightsourceip=192.168.2.0/24
	rightauth=eap-mschapv2
	rightsendcert=never
	eap_identity=%any
        mobike=yes
	auto=ignore

# Road-warrior conn with certificate-only client authentication.
# This is the peer config charon selects for the failing Windows 7 client
# ("selected peer config 'rclientscerts'" in the log above).
conn rclientscerts
        rekey=no
        left=%any
        leftauth=pubkey
        # NOTE(review): the log ends with "no private key found for
        # 'O=Chris VPN service, CN=70.63.136.95'" right before AUTH_FAILED.
        # That identity is what charon resolves for this (left) side, and
        # ipsec.secrets below lists only elcKey.pem. Confirm that the private
        # key matching server_cert.crt is listed in ipsec.secrets and that
        # leftid matches an identity contained in server_cert.crt.
        leftcert=server_cert.crt
        leftid=@public.ip
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.2.0/24
        # rightauth is not set, so it defaults to pubkey: the client authenticates
        # with its certificate (the log shows "authentication ... with RSA signature
        # successful", so the client side is not what fails here).
        #rightauth=eap-mschapv2
        #rightsendcert=never
        #eap_identity=%any
        mobike=yes
        auto=add




# Site-to-site tunnel to the SonicWall; reported as working.
conn teknerds
	left=%defaultroute
	leftcert=elcCert.pem
	leftsubnet=192.168.1.0/24
	#leftid="C=XX, O=X, CN=Edens Land Corp VPN"
	#leftfirewall=yes
	right=sonicwall.public.ip
	rightsubnet=192.168.123.0/24
	rightcert=teknerdsCert.pem
	rightid="C=XX, O=X, CN=Tek-Nerds VPN"
	auto=add


# Disabled IKEv1/XAuth conn for iOS clients (commented out while debugging).
#conn iOS
#	keyexchange=ikev1
#	authby=xauthrsasig
#	xauth=server
#	left=%defaultroute
#	leftsubnet=192.168.1.0/24
#	leftcert=elcCert.pem
#	right=%any
#	rightsourceip=192.168.3.0/24
#	#rightcert=
#	pfs=no
#	auto=add

Here is ipsec.secrets:
: RSA elcKey.pem

Any help with this is greatly appreciated.



