[strongSwan] 4.6.2 - AUTHENTICATION_FAILED / N(AUTH_FAILED)
Leandro .
frr8rrf at gmail.com
Thu Mar 8 14:16:59 CET 2012
Andreas, greetings!
Yes, the log from the remote host has the message "no trusted RSA public key
found",
but how can I load the CA cert?
I copied the certificate generated on the remote host to the local
directory /etc/ipsec.d/cacert, but what do I have to put in the ipsec.conf?
On the machine opensuse-vm I added the reference to the certificate of the
remote host, but it doesn't work.
ipsec.conf section:
ca opensuse2-vm
        cacert=198cert.pem
        auto=add
List of files:
opensuse-vm:/etc/ipsec.d # ls -R
./aacerts:
./acerts:
./cacerts:
198cert.pem
./certs:
197cert.pem 198cert.pem
./crls:
./ocspcerts:
./private:
197key.pem 198key.pem
./reqs:
197req.pem 198req.pem
Sorry, maybe it's basic configuration...
Thank you.
On 7 March 2012 13:10, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> Hello,
>
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
>
> means that the authentication error occurred on the remote end.
> Do you have the log from the other endpoint? I see that you don't
> load any CA certificate on your end. If this is also the case
> on the remote end then it is clear that the authentication must
> fail since no trust anchor is present.
>
> Regards
>
> Andreas
>
> On 07.03.2012 14:14, Leandro . wrote:
> > Hi everybody, Hi Andreas.
> >
> > In my last e-mail, my problem was a certificate generated with OpenSSL
> > 1.0 and strongSwan 4.5.3.
> > I've downloaded the 4.6.2 version and did the installation.
> >
> > Now I have another error (I think the certificates are OK now); I don't
> > know if the error is in the configuration files (probably).
> >
> >
> > Here is my scenario:
> >
> > opensuse-vm:~ # ipsec up net-net
> > initiating IKE_SA net-net[1] to 192.168.10.198
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 192.168.10.197[500] to 192.168.10.198[500]
> > received packet: from 192.168.10.198[500] to 192.168.10.197[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > N(MULT_AUTH) ]
> > authentication of 'C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm,
> > E=197' (myself) with RSA signature successful
> > establishing CHILD_SA net-net
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
> > N(MULT_AUTH) N(EAP_ONLY) ]
> > sending packet: from 192.168.10.197[500] to 192.168.10.198[500]
> > received packet: from 192.168.10.198[500] to 192.168.10.197[500]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> >
> > opensuse-vm:~ # cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> >         # plutodebug=all
> >         crlcheckinterval=600
> >         strictcrlpolicy=yes
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         # charonstart=no
> >         plutostart=no
> >
> > conn %default
> >         ikelifetime=60m
> >         keylife=20m
> >         rekeymargin=3m
> >         keyingtries=1
> >         keyexchange=ikev2
> >         mobike=no
> >
> > conn net-net
> >         left=192.168.10.197
> >         leftsubnet=192.168.9.0/24
> >         leftcert=197cert.pem
> >         leftid="C=BR, ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197"
> >         leftfirewall=yes
> >         right=192.168.10.198
> >         rightsubnet=192.168.8.0/24
> >         rightid=@opensuse2-vm
> >         auto=add
> > opensuse-vm:~ # cat /etc/ipsec.secrets
> > #
> > # ipsec.secrets
> > #
> > # This file holds the RSA private keys or the PSK preshared secrets for
> > # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> > #
> > : RSA 197key.pem "197chave"
> >
> > opensuse-vm:~ # cat /etc/strongswan.conf
> > # strongswan.conf - strongSwan configuration file
> > charon {
> >
> >     # number of worker threads in charon
> >     threads = 16
> >
> >     # send strongswan vendor ID?
> >     # send_vendor_id = yes
> >
> >     plugins {
> >
> >         sql {
> >             # loglevel to log into sql database
> >             loglevel = -1
> >
> >             # URI to the database
> >             # database = sqlite:///path/to/file.db
> >             # database = mysql://user:password@localhost/database
> >         }
> >     }
> >
> >     # ...
> > }
> >
> > pluto {
> >
> > }
> >
> > libstrongswan {
> >
> >     # set to no, the DH exponent size is optimized
> >     # dh_exponent_ansi_x9_42 = no
> > }
> > opensuse-vm:~ # tail -f /var/log/messages -n 35
> > Mar 7 09:50:10 opensuse-vm charon: 00[DMN] signal of type SIGINT
> > received. Shutting down
> > Mar 7 09:50:18 opensuse-vm ipsec_starter[5725]: Starting strongSwan
> > 4.6.2 IPsec [starter]...
> > Mar 7 09:50:18 opensuse-vm charon: 00[DMN] Starting IKEv2 charon daemon
> > (strongSwan 4.6.2)
> > Mar 7 09:50:18 opensuse-vm charon: 00[KNL] listening on interfaces:
> > Mar 7 09:50:18 opensuse-vm charon: 00[KNL] eth0
> > Mar 7 09:50:18 opensuse-vm charon: 00[KNL] 192.168.10.197
> > Mar 7 09:50:18 opensuse-vm charon: 00[KNL] eth3
> > Mar 7 09:50:18 opensuse-vm charon: 00[KNL] 192.168.9.1
> > Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading ca certificates from
> > '/etc/ipsec.d/cacerts'
> > Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading aa certificates from
> > '/etc/ipsec.d/aacerts'
> > Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading ocsp signer
> > certificates from '/etc/ipsec.d/ocspcerts'
> > Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading attribute
> > certificates from '/etc/ipsec.d/acerts'
> > Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading crls from
> > '/etc/ipsec.d/crls'
> > Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loading secrets from
> > '/etc/ipsec.secrets'
> > Mar 7 09:50:18 opensuse-vm charon: 00[CFG] loaded RSA private key
> > from '/etc/ipsec.d/private/197key.pem'
> > Mar 7 09:50:18 opensuse-vm charon: 00[DMN] loaded plugins: aes des sha1
> > sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem
> > fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke
> > updown
> > Mar 7 09:50:18 opensuse-vm charon: 00[JOB] spawning 16 worker threads
> > Mar 7 09:50:18 opensuse-vm charon: 04[CFG] received stroke: add
> > connection 'net-net'
> > Mar 7 09:50:18 opensuse-vm charon: 04[CFG] loaded certificate "C=BR,
> > ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197" from '197cert.pem'
> > Mar 7 09:50:18 opensuse-vm charon: 04[CFG] added configuration 'net-net'
> > Mar 7 09:50:22 opensuse-vm charon: 13[CFG] received stroke: initiate
> > 'net-net'
> > Mar 7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1]
> > to 192.168.10.198
> > Mar 7 09:50:22 opensuse-vm charon: 15[IKE] initiating IKE_SA net-net[1]
> > to 192.168.10.198
> > Mar 7 09:50:22 opensuse-vm charon: 15[ENC] generating IKE_SA_INIT
> > request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Mar 7 09:50:22 opensuse-vm charon: 15[NET] sending packet: from
> > 192.168.10.197[500] to 192.168.10.198[500]
> > Mar 7 09:50:23 opensuse-vm charon: 16[NET] received packet: from
> > 192.168.10.198[500] to 192.168.10.197[500]
> > Mar 7 09:50:23 opensuse-vm charon: 16[ENC] parsed IKE_SA_INIT response
> > 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > Mar 7 09:50:23 opensuse-vm charon: 16[IKE] authentication of 'C=BR,
> > ST=PR, L=CTA, O=OC, OU=IT, CN=opensuse-vm, E=197' (myself) with RSA
> > signature successful
> > Mar 7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net
> > Mar 7 09:50:23 opensuse-vm charon: 16[IKE] establishing CHILD_SA net-net
> > Mar 7 09:50:23 opensuse-vm charon: 16[ENC] generating IKE_AUTH request
> > 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> > Mar 7 09:50:23 opensuse-vm charon: 16[NET] sending packet: from
> > 192.168.10.197[500] to 192.168.10.198[500]
> > Mar 7 09:50:23 opensuse-vm charon: 03[NET] received packet: from
> > 192.168.10.198[500] to 192.168.10.197[500]
> > Mar 7 09:50:23 opensuse-vm charon: 03[ENC] parsed IKE_AUTH response 1 [
> > N(AUTH_FAILED) ]
> > Mar 7 09:50:23 opensuse-vm charon: 03[IKE] received
> > AUTHENTICATION_FAILED notify error
> >
> > --
> > *Jefferson Leandro*
> > *Curitiba - BR*
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
--
*Jefferson Leandro*
*Curitiba - BR*
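As an added example (not code from this thread or from strongSwan): a small lint that parses an ipsec.conf and reports the situation Andreas describes, an RSA-authenticated conn with no CA certificate in /etc/ipsec.d/cacerts and no ca section loading one. The sample config and the directory listings passed in are constructed from the file names in the thread; the file-existence checks take those listings as arguments instead of reading the real directories.

```python
"""Lint a strongSwan ipsec.conf for the trust-anchor problem in this thread:
RSA-authenticated conns with no CA certificate loaded. Added example, not
strongSwan code; the sample config and directory listings are constructed."""
import re

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def parse_ipsec_conf(text):
    """Section headers sit at column 0; key lines may be indented or (as in a
    config flattened by a mail client) not. Comments are stripped."""
    sections = {"config": {}, "conn": {}, "ca": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections[m.group(1)].setdefault(m.group(2), {})
        elif (m := KEY_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def trust_anchor_issues(sections, cacerts_files, certs_files):
    """cacerts_files / certs_files: names in /etc/ipsec.d/cacerts and certs."""
    issues, anchors = [], set(cacerts_files)  # charon loads the whole directory
    for name, ca in sections["ca"].items():
        f = ca.get("cacert")
        if f and not f.startswith("/") and f not in cacerts_files:
            issues.append(f"ca {name}: cacert={f} not found in cacerts/")
        elif f:
            anchors.add(f)
    for f in sorted(anchors & set(certs_files)):
        issues.append(f"{f}: listed in certs/ and cacerts/; an end-entity "
                      "certificate is not a trust anchor, check its CA flag")
    for name, conn in sections["conn"].items():
        if (name != "%default" and "leftcert" in conn
                and "rightcert" not in conn and not anchors):
            issues.append(f"conn {name}: RSA auth but no CA certificate loaded; "
                          "the peer's signature cannot be verified (AUTH_FAILED)")
    return issues

# constructed from the conn net-net posted in the thread
SAMPLE_CONF = """conn net-net
leftcert=197cert.pem
rightid=@opensuse2-vm
auto=add
"""
```

Running `trust_anchor_issues(parse_ipsec_conf(SAMPLE_CONF), [], ["197cert.pem"])` reproduces the finding for the posted config; adding the `ca` section from the follow-up and the listings from `ls -R` shows the cacert being loaded but flags 198cert.pem as also present in certs/.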