[strongSwan] Auth Failed
Chris Arnold
carnold at electrichendrix.com
Mon Dec 31 22:42:00 CET 2012
>Chris,
>Assuming elcKey.pem is the private key associated with the certificate elcCert.pem (used for conn teknerds), shouldn't there be another private key associated with server_cert.crt used in conn rclientscerts? Just wondering since you are using separate (left) certificates for the connections...
Nothing has been changed in the ipsec.secret file except that the iOS secret was commented out. This worked for months without any issues. Kimmo, a user here on the list, configured it and tested it, and it was working. The last thing that was done was the SLES strongSwan update from 4.3 to 4.4. The other conn, teknerds, works fine.
>The ipsec.secrets should be more like
> : RSA eleKey.pem
> : RSA server_Key.pem <"my-passphrase">
>
>Where the passphrase is needed only if the private key is password protected.
On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold <carnold at electrichendrix.com> wrote:
<blockquote>
strongSwan 4.4.06 on SLES 11 SP2. This used to work. I am working on adding users with iOS to strongSwan but have commented that out of ipsec.conf and ipsec.secret to verify this is not the problem. A user on Windows 7 with a client cert connects and receives:
Error 13801: IKE Authentication Credentials are unacceptable
All other VPN connections work (like the conn teknerds which is strongSwan to sonicwall).
Error in the charon.log:
13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
13[CFG] looking for peer configs matching 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]
13[CFG] selected peer config 'rclientscerts'
13[CFG] using certificate "O=Chris VPN service, CN=Client2"
13[CFG] using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=Jarrod, E=email at address"
13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"
13[CFG] certificate status is not available
13[CFG] reached self-signed root ca with a path length of 0
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful
13[IKE] peer supports MOBIKE
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Here is ipsec.conf:
config setup
    # plutodebug=all
    crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    nat_traversal=yes
    # charonstart=no
    plutostart=no
    #charondebug="cfg 3,lib=3"

# Add connections here.
conn %default
    ikelifetime=28800s
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn rclientseap
    rekey=no
    left=%any
    leftauth=pubkey
    leftcert=server_cert.crt
    leftid=@public.ip
    leftsubnet= 0.0.0.0/0
    right=%any
    rightsourceip= 192.168.2.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    mobike=yes
    auto=ignore

conn rclientscerts
    rekey=no
    left=%any
    leftauth=pubkey
    leftcert=server_cert.crt
    leftid=@public.ip
    leftsubnet= 0.0.0.0/0
    right=%any
    rightsourceip= 192.168.2.0/24
    #rightauth=eap-mschapv2
    #rightsendcert=never
    #eap_identity=%any
    mobike=yes
    auto=add

conn teknerds
    left=%defaultroute
    leftcert=elcCert.pem
    leftsubnet= 192.168.1.0/24
    #leftid="C=XX, O=X, CN=Edens Land Corp VPN"
    #leftfirewall=yes
    right=sonicwall.public.ip
    rightsubnet= 192.168.123.0/24
    rightcert=teknerdsCert.pem
    rightid="C=XX, O=X, CN=Tek-Nerds VPN"
    auto=add

#conn iOS
#    keyexchange=ikev1
#    authby=xauthrsasig
#    xauth=server
#    left=%defaultroute
#    leftsubnet= 192.168.1.0/24
#    leftcert=elcCert.pem
#    right=%any
#    rightsourceip= 192.168.3.0/24
#    #rightcert=
#    pfs=no
#    auto=add
Here is ipsec.secret:
: RSA elcKey.pem
Any help with this is greatly appreciated
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
</blockquote>