[strongSwan] 4.6.2 - AUTHENTICATION_FAILED / N(AUTH_FAILED)

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 7 17:10:37 CET 2012


Hello,

parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

means that the authentication error occurred on the remote end.
Do you have the log from the other endpoint? I see that you don't
load any CA certificate on your end. If this is also the case
on the remote end then it is clear that the authentication must
fail since no trust anchor is present.

Regards

Andreas

On 07.03.2012 14:14, Leandro . wrote:
> Hi everybody, Hi Andreas.
> 
> In my last e-mail, my problem was a certificate generated with openSSL
> 1.0 and strongSwan 4.5.3.
> I've downloaded the 4.6.2 version and did the installation.
> 
> Now I have another error (I think the certificates are OK now); I don't
> know if the error is in the configuration files (probably).
> 
> 
> Here is my scenario:
> 
> *opensuse-vm*:~ # ipsec up net-net
> initiating IKE_SA net-net[1] to 192.168.10.198
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.10.197[500] to 192.168.10.198[500]
> received packet: from 192.168.10.198[500] to 192.168.10.197[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm,
> E=197' (myself) with RSA signature successful
> establishing CHILD_SA net-net
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
> N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.10.197[500] to 192.168.10.198[500]
> received packet: from 192.168.10.198[500] to 192.168.10.197[500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> 
> *opensuse-vm*:~ # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         # plutodebug=all
>         crlcheckinterval=600
>         strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         # charonstart=no
>         plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
> 
> conn net-net
>         left=192.168.10.197
>         leftsubnet=192.168.9.0/24
>         leftcert=197cert.pem
>         leftid="C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197"
>         leftfirewall=yes
>         right=192.168.10.198
>         rightsubnet=192.168.8.0/24
>         rightid=@opensuse2-vm
>         auto=add
> *opensuse-vm*:~ # cat /etc/ipsec.secrets
> #
> # ipsec.secrets
> #
> # This file holds the RSA private keys or the PSK preshared secrets for
> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> #
> : RSA 197key.pem "197chave"
> 
> *opensuse-vm*:~ # cat /etc/strongswan.conf
> # strongswan.conf - strongSwan configuration file
> charon {
> 
>         # number of worker threads in charon
>         threads = 16
> 
>         # send strongswan vendor ID?
>         # send_vendor_id = yes
> 
>         plugins {
> 
>                 sql {
>                         # loglevel to log into sql database
>                         loglevel = -1
> 
>                         # URI to the database
>                         # database = sqlite:///path/to/file.db
>                         # database = mysql://user:password@localhost/database
>                 }
>         }
> 
>         # ...
> }
> 
> pluto {
> 
> }
> 
> libstrongswan {
> 
>         #  set to no, the DH exponent size is optimized
>         #  dh_exponent_ansi_x9_42 = no
> }
> *opensuse-vm*:~ # tail -f /var/log/messages -n 35
> Mar  7 09:50:10 opensuse-vm charon: 00[DMN] signal of type SIGINT
> received. Shutting down
> Mar  7 09:50:18 opensuse-vm ipsec_starter[5725]: Starting strongSwan
> 4.6.2 IPsec [starter]...
> Mar  7 09:50:18 opensuse-vm charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.6.2)
> Mar  7 09:50:18 opensuse-vm charon: 00[KNL] listening on interfaces:
> Mar  7 09:50:18 opensuse-vm charon: 00[KNL]   eth0
> Mar  7 09:50:18 opensuse-vm charon: 00[KNL]     192.168.10.197
> Mar  7 09:50:18 opensuse-vm charon: 00[KNL]   eth3
> Mar  7 09:50:18 opensuse-vm charon: 00[KNL]     192.168.9.1
> Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Mar  7 09:50:18 opensuse-vm charon: 00[CFG]   loaded RSA private key
> from '/etc/ipsec.d/private/197key.pem'
> Mar  7 09:50:18 opensuse-vm charon: 00[DMN] loaded plugins: aes des sha1
> sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem
> fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Mar  7 09:50:18 opensuse-vm charon: 00[JOB] spawning 16 worker threads
> Mar  7 09:50:18 opensuse-vm charon: 04[CFG] received stroke: add
> connection 'net-net'
> Mar  7 09:50:18 opensuse-vm charon: 04[CFG]   loaded certificate "C=BR,
> ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197" from '197cert.pem'
> Mar  7 09:50:18 opensuse-vm charon: 04[CFG] added configuration 'net-net'
> Mar  7 09:50:22 opensuse-vm charon: 13[CFG] received stroke: initiate
> 'net-net'
> Mar  7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1]
> to 192.168.10.198
> Mar  7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1]
> to 192.168.10.198
> Mar  7 09:50:22 opensuse-vm charon: 15[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Mar  7 09:50:22 opensuse-vm charon: 15[NET] sending packet: from
> 192.168.10.197[500] to 192.168.10.198[500]
> Mar  7 09:50:23 opensuse-vm charon: 16[NET] received packet: from
> 192.168.10.198[500] to 192.168.10.197[500]
> Mar  7 09:50:23 opensuse-vm charon: 16[ENC] parsed IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Mar  7 09:50:23 opensuse-vm charon: 16[IKE] authentication of 'C=BR,
> ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA
> signature successful
> Mar  7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net
> Mar  7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net
> Mar  7 09:50:23 opensuse-vm charon: 16[ENC] generating IKE_AUTH request
> 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Mar  7 09:50:23 opensuse-vm charon: 16[NET] sending packet: from
> 192.168.10.197[500] to 192.168.10.198[500]
> Mar  7 09:50:23 opensuse-vm charon: 03[NET] received packet: from
> 192.168.10.198[500] to 192.168.10.197[500]
> Mar  7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Mar  7 09:50:23 opensuse-vm charon: 03[IKE] received
> AUTHENTICATION_FAILED notify error
> 
> -- 
> *Jefferson Leandro*
> *Curitiba - BR*

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
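
The check made in the reply above (no CA certificate loaded, and the AUTH_FAILED notify coming from the peer) can be run over a charon log automatically. This is an added example, not part of the original thread or strongSwan's own code; the sample log is constructed from the lines quoted above, and the `loaded ca certificate "<DN>" from '<file>'` line format is an assumption about how charon reports a loaded trust anchor.

```python
import re

# Constructed sample: charon syslog lines modelled on the log quoted above,
# unwrapped to one entry per line. No "loaded ca certificate" entry follows
# the cacerts scan, which is the condition pointed out in the reply.
SAMPLE_LOG = """\
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar  7 09:50:18 opensuse-vm charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/197key.pem'
Mar  7 09:50:23 opensuse-vm charon: 16[IKE] authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA signature successful
Mar  7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar  7 09:50:23 opensuse-vm charon: 03[IKE] received AUTHENTICATION_FAILED notify error
"""

CA_SCAN = re.compile(r"\[CFG\] loading ca certificates from '([^']+)'")
# Assumption: a loaded CA is logged as: loaded ca certificate "<DN>" from '<file>'
CA_LOADED = re.compile(r"\[CFG\]\s+loaded ca certificate \"([^\"]+)\" from")
SELF_AUTH = re.compile(r"\(myself\) with .+ successful")
PEER_REJECT = re.compile(r"received AUTHENTICATION_FAILED notify error")


def diagnose(log_text):
    """Summarise trust-anchor state and who rejected the IKE_AUTH exchange."""
    result = {"ca_dir": None, "ca_loaded": [], "self_auth_ok": False,
              "peer_rejected": False, "findings": []}
    for line in log_text.splitlines():
        if (m := CA_SCAN.search(line)):
            result["ca_dir"] = m.group(1)
        elif (m := CA_LOADED.search(line)):
            result["ca_loaded"].append(m.group(1))
        elif SELF_AUTH.search(line):
            result["self_auth_ok"] = True
        elif PEER_REJECT.search(line):
            result["peer_rejected"] = True
    if result["ca_dir"] and not result["ca_loaded"]:
        result["findings"].append(
            f"no CA certificate loaded from {result['ca_dir']}: no trust anchor")
    if result["peer_rejected"]:
        result["findings"].append(
            "peer sent AUTH_FAILED: the rejection happened on the remote end, "
            "check its log and its cacerts directory")
    return result


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Running the same function over the log of the other endpoint shows whether it also starts without a trust anchor.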
