[strongSwan] Auth Failed
Bharath Kumar
cbkumar at gmail.com
Mon Dec 31 22:12:46 CET 2012
Chris,
Assuming elcKey.pem is the private key associated with the certificate
elcCert.pem (used for conn teknerds), shouldn't there be another private
key associated with server_cert.crt used in conn rclientscerts? Just
wondering since you are using separate (left) certificates for the
connections...
The ipsec.secrets should be more like
: RSA eleKey.pem
: RSA server_Key.pem <"my-passphrase">
Where the passphrase is needed only if the private key is password
protected.
Thanks,
Bharath Kumar
On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold
<carnold at electrichendrix.com> wrote:
>
>> strongSwan 4.4.06 on SLES 11 SP2. This used to work; I am working on
>> adding users with iOS to strongSwan but have commented that out of
>> ipsec.conf and ipsec.secret to verify this is not the problem. User with
>> Windows 7 with client cert connects and receives:
>> Error 13801: IKE Authentication Credentials are unacceptable
>>
>> All other VPN connections work (like the conn teknerds which is
>> strongSwan to sonicwall).
>>
>> Error in the charon.log:
>> 13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
>> 13[CFG] looking for peer configs matching
>> 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]
>> 13[CFG] selected peer config 'rclientscerts'
>> 13[CFG] using certificate "O=Chris VPN service, CN=Client2"
>> 13[CFG] using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens
>> Land Corp, OU=ELC, CN=Jarrod, E=email at address"
>> 13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"
>> 13[CFG] certificate status is not available
>> 13[CFG] reached self-signed root ca with a path length of 0
>> 13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA
>> signature successful
>> 13[IKE] peer supports MOBIKE
>> 13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
>> 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>
>> Here is ipsec.conf:
>> config setup
>> # plutodebug=all
>> crlcheckinterval=600
>> strictcrlpolicy=no
>> # cachecrls=yes
>> nat_traversal=yes
>> # charonstart=no
>> plutostart=no
>> #charondebug="cfg 3,lib=3"
>>
>> # Add connections here.
>>
>> conn %default
>> ikelifetime=28800s
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> mobike=no
>>
>> conn rclientseap
>> rekey=no
>> left=%any
>> leftauth=pubkey
>> leftcert=server_cert.crt
>> leftid=@public.ip
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightsourceip=192.168.2.0/24
>> rightauth=eap-mschapv2
>> rightsendcert=never
>> eap_identity=%any
>> mobike=yes
>> auto=ignore
>>
>> conn rclientscerts
>> rekey=no
>> left=%any
>> leftauth=pubkey
>> leftcert=server_cert.crt
>> leftid=@public.ip
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightsourceip=192.168.2.0/24
>> #rightauth=eap-mschapv2
>> #rightsendcert=never
>> #eap_identity=%any
>> mobike=yes
>> auto=add
>>
>>
>>
>>
>> conn teknerds
>> left=%defaultroute
>> leftcert=elcCert.pem
>> leftsubnet=192.168.1.0/24
>> #leftid="C=XX, O=X, CN=Edens Land Corp VPN"
>> #leftfirewall=yes
>> right=sonicwall.public.ip
>> rightsubnet=192.168.123.0/24
>> rightcert=teknerdsCert.pem
>> rightid="C=XX, O=X, CN=Tek-Nerds VPN"
>> auto=add
>>
>>
>> #conn iOS
>> # keyexchange=ikev1
>> # authby=xauthrsasig
>> # xauth=server
>> # left=%defaultroute
>> # leftsubnet=192.168.1.0/24
>> # leftcert=elcCert.pem
>> # right=%any
>> # rightsourceip=192.168.3.0/24
>> # #rightcert=
>> # pfs=no
>> # auto=add
>>
>> Here is ipsec.secret:
>> : RSA elcKey.pem
>>
>> Any help with this is greatly appreciated
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
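The mismatch Bharath describes (two different leftcert files but only one RSA key in ipsec.secrets) is exactly what charon reports with "no private key found for ...": it looks for a private key whose public half matches the selected certificate, not for a key with a related file name. The script below is an added example written for this page, not code from the thread or from strongSwan. It parses the two files, then compares RSA public numbers the same way, so it flags every conn whose leftcert has no usable key. It assumes the `cryptography` package is installed; the in-memory dicts `CERT_FILES` and `KEY_FILES` stand in for /etc/ipsec.d/certs and /etc/ipsec.d/private, and the certificates, keys, ipsec.conf and ipsec.secrets contents are all constructed sample data shaped like the ones in the thread.

```python
"""Check that every leftcert in ipsec.conf has an RSA key in ipsec.secrets.

Added example, not part of the thread or of strongSwan.  Assumes the
'cryptography' package; file contents are passed as in-memory dicts.
"""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def parse_ipsec_conf(text):
    """Map each 'conn' section name to its key=value options.

    Comments and blank lines are skipped, 'config setup' is ignored, and
    '%default' inheritance / 'also=' are not expanded (enough for this check).
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_ipsec_secrets(text):
    """Return the file names from ': RSA <file> [passphrase]' lines, in order."""
    files = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        match = re.match(r"^[^:]*:\s*RSA\s+(\S+)", line)
        if match:
            files.append(match.group(1))
    return files


def find_unmatched_certs(conf_text, secrets_text, cert_files, key_files):
    """List (conn, leftcert) pairs whose certificate matches no listed RSA key.

    cert_files / key_files map file name -> PEM bytes (hypothetical in-memory
    stand-ins for /etc/ipsec.d/certs and /etc/ipsec.d/private).  Keys named in
    ipsec.secrets but missing from key_files are skipped, as charon could not
    load them either.
    """
    loaded = []
    for name in parse_ipsec_secrets(secrets_text):
        if name in key_files:
            key = serialization.load_pem_private_key(key_files[name], password=None)
            loaded.append(key.public_key().public_numbers())
    unmatched = []
    for conn, opts in parse_ipsec_conf(conf_text).items():
        cert_name = opts.get("leftcert")
        if not cert_name:
            continue
        cert = x509.load_pem_x509_certificate(cert_files[cert_name])
        if cert.public_key().public_numbers() not in loaded:
            unmatched.append((conn, cert_name))
    return unmatched


def make_self_signed(common_name):
    """Generate a throwaway RSA key and self-signed cert (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2012, 12, 31)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption())
    return cert.public_bytes(serialization.Encoding.PEM), key_pem


# Constructed sample mirroring the thread: two gateway certs, one key listed.
SERVER_CERT, SERVER_KEY = make_self_signed("public.ip")
ELC_CERT, ELC_KEY = make_self_signed("Edens Land Corp VPN")
CERT_FILES = {"server_cert.crt": SERVER_CERT, "elcCert.pem": ELC_CERT}
KEY_FILES = {"server_key.pem": SERVER_KEY, "elcKey.pem": ELC_KEY}

SAMPLE_CONF = """\
config setup
    plutostart=no

conn %default
    keyexchange=ikev2

conn rclientscerts
    left=%any
    leftcert=server_cert.crt   # gateway cert for road warriors
    leftid=@public.ip
    auto=add

conn teknerds
    left=%defaultroute
    leftcert=elcCert.pem
    right=sonicwall.public.ip
    auto=add
"""
SAMPLE_SECRETS = ": RSA elcKey.pem\n"
FIXED_SECRETS = ": RSA elcKey.pem\n: RSA server_key.pem \"my-passphrase\"\n"

if __name__ == "__main__":
    print("missing:", find_unmatched_certs(SAMPLE_CONF, SAMPLE_SECRETS, CERT_FILES, KEY_FILES))
    print("missing:", find_unmatched_certs(SAMPLE_CONF, FIXED_SECRETS, CERT_FILES, KEY_FILES))
```

Run against the sample, the first call reports `rclientscerts` / `server_cert.crt` as having no key, which is the situation in the log above; after a second `: RSA` line naming the server key is added, the second call reports nothing. To use it on a real gateway, read the two files and the cert and key directories into the dicts; encrypted keys would additionally need the passphrase from the secrets line passed as `password=`.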