[strongSwan] Auth Failed

Chris Arnold carnold at electrichendrix.com
Mon Dec 31 22:42:00 CET 2012


> Chris, 

> Assuming elcKey.pem is the private key associated with the certificate elcCert.pem (used for conn teknerds), shouldn't there be another private key associated with server_cert.crt used in conn rclientscerts? Just wondering since you are using separate (left) certificates for the connections... 

Nothing has been changed in the ipsec.secrets file except the iOS secret being commented out. This worked for months without any issues. Kimmo, a user here on the list, configured it and tested it and it was working. The last thing that was done was the SLES strongSwan update from 4.3 to 4.4. The other conn, teknerds, works fine. 
  
> The ipsec.secrets should be more like 
>   : RSA elcKey.pem 
>   : RSA server_Key.pem <"my-passphrase"> 
> 
> Where the passphrase is needed only if the private key is password protected. 

  




On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold <carnold at electrichendrix.com> wrote: 

<blockquote>
strongSwan 4.4.06 on SLES 11 SP2. This used to work. I am working on adding users with iOS to strongSwan, but have commented that out of ipsec.conf and ipsec.secrets to verify this is not the problem. A user on Windows 7 with a client cert connects and receives: 
Error 13801: IKE Authentication Credentials are unacceptable 

All other VPN connections work (like the conn teknerds, which is strongSwan to SonicWall). 

Error in the charon.log: 
13[IKE] received end entity cert "O=Chris VPN service, CN=Client2" 
13[CFG] looking for peer configs matching 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2] 
13[CFG] selected peer config 'rclientscerts' 
13[CFG]   using certificate "O=Chris VPN service, CN=Client2" 
13[CFG]   using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=Jarrod, E=email at address" 
13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2" 
13[CFG] certificate status is not available 
13[CFG]   reached self-signed root ca with a path length of 0 
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful 
13[IKE] peer supports MOBIKE 
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95' 
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 

Here is ipsec.conf: 
config setup 
        # plutodebug=all 
        crlcheckinterval=600 
        strictcrlpolicy=no 
        # cachecrls=yes 
        nat_traversal=yes 
        # charonstart=no 
        plutostart=no 
        # charondebug="cfg 3,lib=3" 

# Add connections here. 

conn %default 
        ikelifetime=28800s 
        keylife=20m 
        rekeymargin=3m 
        keyingtries=1 
        keyexchange=ikev2 
        mobike=no 

conn rclientseap 
        rekey=no 
        left=%any 
        leftauth=pubkey 
        leftcert=server_cert.crt 
        leftid=@public.ip 
        leftsubnet=0.0.0.0/0 
        right=%any 
        rightsourceip=192.168.2.0/24 
        rightauth=eap-mschapv2 
        rightsendcert=never 
        eap_identity=%any 
        mobike=yes 
        auto=ignore 

conn rclientscerts 
        rekey=no 
        left=%any 
        leftauth=pubkey 
        leftcert=server_cert.crt 
        leftid=@public.ip 
        leftsubnet=0.0.0.0/0 
        right=%any 
        rightsourceip=192.168.2.0/24 
        #rightauth=eap-mschapv2 
        #rightsendcert=never 
        #eap_identity=%any 
        mobike=yes 
        auto=add 

conn teknerds 
        left=%defaultroute 
        leftcert=elcCert.pem 
        leftsubnet=192.168.1.0/24 
        #leftid="C=XX, O=X, CN=Edens Land Corp VPN" 
        #leftfirewall=yes 
        right=sonicwall.public.ip 
        rightsubnet=192.168.123.0/24 
        rightcert=teknerdsCert.pem 
        rightid="C=XX, O=X, CN=Tek-Nerds VPN" 
        auto=add 

#conn iOS 
#       keyexchange=ikev1 
#       authby=xauthrsasig 
#       xauth=server 
#       left=%defaultroute 
#       leftsubnet=192.168.1.0/24 
#       leftcert=elcCert.pem 
#       right=%any 
#       rightsourceip=192.168.3.0/24 
#       #rightcert= 
#       pfs=no 
#       auto=add 

Here is ipsec.secrets: 
: RSA elcKey.pem 

Any help with this is greatly appreciated. 

_______________________________________________ 
Users mailing list 
Users at lists.strongswan.org 
https://lists.strongswan.org/mailman/listinfo/users 





</blockquote>
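The log line "no private key found for 'O=Chris VPN service, CN=70.63.136.95'" together with the single `: RSA elcKey.pem` entry is the kind of mismatch that can be caught before charon ever reports it. The following is an added example, not code from the original thread or from the strongSwan project: a small offline consistency check that parses an ipsec.conf and an ipsec.secrets in strongSwan 4.x syntax, lists which loaded conns (auto other than ignore) use which leftcert, counts the `: RSA` key files declared, and also extracts the identity from charon's "no private key found" message. It assumes, as the quoted reply does, that every distinct leftcert needs its own private key line; the sample files are constructed from the values in the post, trimmed to the options the check reads.

```python
"""Added example (not from the original thread): a static consistency check between
ipsec.conf and ipsec.secrets in strongSwan 4.x syntax.

Assumption, stated here because the post does not confirm it: each distinct leftcert is
backed by its own private key, so ipsec.secrets needs one ': RSA <keyfile>' line per
distinct leftcert used by a connection charon will load (auto != ignore). The sample
files below are constructed from the values in the post, trimmed to what the check reads.
"""
import re

# Constructed sample ipsec.conf (subset of the posted one: same conns, certs and auto=).
IPSEC_CONF = """\
config setup
        plutostart=no

conn %default
        keyexchange=ikev2
        mobike=no

conn rclientseap
        leftcert=server_cert.crt
        leftid=@public.ip
        rightauth=eap-mschapv2
        auto=ignore

conn rclientscerts
        leftcert=server_cert.crt
        leftid=@public.ip
        leftsubnet= 0.0.0.0/0
        auto=add

conn teknerds
        leftcert=elcCert.pem
        rightcert=teknerdsCert.pem
        auto=add
"""

# Constructed sample ipsec.secrets: the single line the post shows.
IPSEC_SECRETS = """\
: RSA elcKey.pem
"""

# Matches ipsec.secrets entries such as ': RSA key.pem' or ': RSA key.pem "passphrase"'.
SECRET_RE = re.compile(r'^(?P<ids>[^:]*):\s*(?P<kind>[A-Z]+)\s+(?P<rest>.+)$')

# Matches charon's complaint when no private key is loaded for the leftcert in use.
NO_KEY_RE = re.compile(r"no private key found for '(?P<id>[^']*)'")


def parse_ipsec_conf(text):
    """Return {conn_name: {option: value}} with 'conn %default' merged into each conn.

    Section headers start in column 0 ('conn NAME', 'config setup'); options are
    indented 'key=value' lines. Comments ('#') and blank lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(' ')
            # Only conn sections matter here; 'config setup' and 'ca' sections are skipped.
            current = sections.setdefault(name.strip(), {}) if kind == 'conn' else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')
        current[key.strip()] = value.strip()   # tolerates 'leftsubnet= 0.0.0.0/0'
    default = sections.pop('%default', {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def parse_ipsec_secrets(text):
    """Return the key files declared as ': RSA <file> [passphrase]' (or ECDSA).

    Passphrases containing '#' are not handled, since '#' is treated as a comment.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = SECRET_RE.match(line)
        if m and m.group('kind') in ('RSA', 'ECDSA'):
            keys.append(m.group('rest').split()[0].strip('"'))
    return keys


def check_private_keys(conf_text, secrets_text):
    """Report which loaded conns use which leftcert and how many key files are missing.

    shortfall = distinct leftcerts of loaded conns minus declared key files, floored at 0.
    A shortfall of N means at least N conns will fail with 'no private key found'.
    """
    conns = parse_ipsec_conf(conf_text)
    keys = parse_ipsec_secrets(secrets_text)
    certs = {}
    for name, opts in sorted(conns.items()):
        if opts.get('auto', 'ignore') == 'ignore':   # 'ignore' is strongSwan's default
            continue
        cert = opts.get('leftcert')
        if cert:
            certs.setdefault(cert, []).append(name)
    return {'certs': certs, 'keys': keys, 'shortfall': max(0, len(certs) - len(keys))}


def missing_key_identity(log_line):
    """Extract the identity charon could not find a private key for, or None."""
    m = NO_KEY_RE.search(log_line)
    return m.group('id') if m else None


if __name__ == '__main__':
    report = check_private_keys(IPSEC_CONF, IPSEC_SECRETS)
    for cert, conns in report['certs'].items():
        print(f"leftcert {cert}: used by {', '.join(conns)}")
    print(f"keys declared: {report['keys']}; key shortfall: {report['shortfall']}")
    print(missing_key_identity(
        "13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'"))
```

On the posted files this reports two distinct leftcerts (elcCert.pem for teknerds, server_cert.crt for rclientscerts) against one declared key, a shortfall of one; rclientseap is skipped because auto=ignore, but it shares server_cert.crt anyway. The count is only a necessary condition: to confirm that a given key file actually belongs to server_cert.crt, compare the public keys, for example the output of `openssl x509 -noout -pubkey -in server_cert.crt` against `openssl pkey -pubout -in <keyfile>` (adding `-passin` if the key is password protected), and remember that charon reads ipsec.secrets only at start or on `ipsec rereadsecrets`.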


