[strongSwan] 4.6.2 - AUTHENTICATION_FAILED / N(AUTH_FAILED)

Leandro . frr8rrf at gmail.com
Wed Mar 7 14:14:46 CET 2012


Hi everybody, Hi Andreas.

In my last e-mail, my problem was a certificate generated with OpenSSL 1.0
and strongSwan 4.5.3.
I've downloaded the 4.6.2 version and did the installation.

Now I have another error (I think the certificates are OK now); I don't know
if the error is in the configuration files (probably).


Here is my scenario:

*opensuse-vm*:~ # ipsec up net-net
initiating IKE_SA net-net[1] to 192.168.10.198
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.10.197[500] to 192.168.10.198[500]
received packet: from 192.168.10.198[500] to 192.168.10.197[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197'
(myself) with RSA signature successful
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.197[500] to 192.168.10.198[500]
received packet: from 192.168.10.198[500] to 192.168.10.197[500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

*opensuse-vm*:~ # cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        crlcheckinterval=600
        strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn net-net
        left=192.168.10.197
        leftsubnet=192.168.9.0/24
        leftcert=197cert.pem
        leftid="C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197"
        leftfirewall=yes
        right=192.168.10.198
        rightsubnet=192.168.8.0/24
        rightid=@opensuse2-vm
        auto=add
*opensuse-vm*:~ # cat /etc/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
: RSA 197key.pem "197chave"

*opensuse-vm*:~ # cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
        }

        # ...
}

pluto {

}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}
*opensuse-vm*:~ # tail -f /var/log/messages -n 35
Mar  7 09:50:10 opensuse-vm charon: 00[DMN] signal of type SIGINT received.
Shutting down
Mar  7 09:50:18 opensuse-vm ipsec_starter[5725]: Starting strongSwan 4.6.2
IPsec [starter]...
Mar  7 09:50:18 opensuse-vm charon: 00[DMN] Starting IKEv2 charon daemon
(strongSwan 4.6.2)
Mar  7 09:50:18 opensuse-vm charon: 00[KNL] listening on interfaces:
Mar  7 09:50:18 opensuse-vm charon: 00[KNL]   eth0
Mar  7 09:50:18 opensuse-vm charon: 00[KNL]     192.168.10.197
Mar  7 09:50:18 opensuse-vm charon: 00[KNL]   eth3
Mar  7 09:50:18 opensuse-vm charon: 00[KNL]     192.168.9.1
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/197key.pem'
Mar  7 09:50:18 opensuse-vm charon: 00[DMN] loaded plugins: aes des sha1
sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem
fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Mar  7 09:50:18 opensuse-vm charon: 00[JOB] spawning 16 worker threads
Mar  7 09:50:18 opensuse-vm charon: 04[CFG] received stroke: add connection
'net-net'
Mar  7 09:50:18 opensuse-vm charon: 04[CFG]   loaded certificate "C=BR,
ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197" from '197cert.pem'
Mar  7 09:50:18 opensuse-vm charon: 04[CFG] added configuration 'net-net'
Mar  7 09:50:22 opensuse-vm charon: 13[CFG] received stroke: initiate
'net-net'
Mar  7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1] to
192.168.10.198
Mar  7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1] to
192.168.10.198
Mar  7 09:50:22 opensuse-vm charon: 15[ENC] generating IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar  7 09:50:22 opensuse-vm charon: 15[NET] sending packet: from
192.168.10.197[500] to 192.168.10.198[500]
Mar  7 09:50:23 opensuse-vm charon: 16[NET] received packet: from
192.168.10.198[500] to 192.168.10.197[500]
Mar  7 09:50:23 opensuse-vm charon: 16[ENC] parsed IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar  7 09:50:23 opensuse-vm charon: 16[IKE] authentication of 'C=BR, ST=PR,
L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA signature
successful
Mar  7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net
Mar  7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net
Mar  7 09:50:23 opensuse-vm charon: 16[ENC] generating IKE_AUTH request 1 [
IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar  7 09:50:23 opensuse-vm charon: 16[NET] sending packet: from
192.168.10.197[500] to 192.168.10.198[500]
Mar  7 09:50:23 opensuse-vm charon: 03[NET] received packet: from
192.168.10.198[500] to 192.168.10.197[500]
Mar  7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Mar  7 09:50:23 opensuse-vm charon: 03[IKE] received AUTHENTICATION_FAILED
notify error



-- 
*Jefferson Leandro*
*Curitiba - BR*
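
An added example, not part of the original post: a small Python parser that rejoins mail-wrapped charon records like the ones above and reports which IKEv2 exchange carried the error notify and which side produced it. The sample lines are constructed from the log format in the post, and the function names are illustrative.

```python
import re

# Constructed sample: charon [ENC] lines in the format of the log in the post,
# including the e-mail wrapping that splits one syslog record across two lines.
SAMPLE = """\
Mar  7 09:50:22 opensuse-vm charon: 15[ENC] generating IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar  7 09:50:23 opensuse-vm charon: 16[ENC] parsed IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar  7 09:50:23 opensuse-vm charon: 16[ENC] generating IKE_AUTH request 1 [
IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar  7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
MESSAGE = re.compile(r"charon: \d\d\[ENC\] (generating|parsed) (\w+) "
                     r"(request|response) (\d+) \[ (.*) \]$")
ERROR_NOTIFIES = {"N(AUTH_FAILED)"}  # only the notify that appears in the post

def unwrap(text):
    """Rejoin syslog records that a mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def messages(text):
    """Yield (direction, exchange, kind, message_id, payloads) per IKE message."""
    for record in unwrap(text):
        m = MESSAGE.search(record)
        if m:
            verb, exchange, kind, mid, payloads = m.groups()
            direction = "sent" if verb == "generating" else "received"
            yield direction, exchange, kind, int(mid), payloads.split()

def failed_exchange(text):
    """Return (exchange, message_id, notify, origin) for the first error notify."""
    for direction, exchange, kind, mid, payloads in messages(text):
        errors = [p for p in payloads if p in ERROR_NOTIFIES]
        if errors:
            origin = "peer" if direction == "received" else "local"
            return exchange, mid, errors[0], origin
    return None

if __name__ == "__main__":
    print(failed_exchange(SAMPLE))
```

An origin of "peer" means the notify was generated by the responder, so the reason for the rejection is recorded in the charon log on 192.168.10.198 rather than in the initiator log shown here.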