[strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3

nagaraj nagaraj2 at gmail.com
Fri May 25 04:23:47 CEST 2012


IKE_AUTH fails when I try to bring up the net-net connection. I have
attached the config files and certificates for MOON and SUN below. I see
that the error message comes from the function load_cfg_candidates in
src/libcharon/sa/tasks/ike_auth.c. I used the setup and configs
shown at the following link:
http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/. Please
let me know why it is throwing the error message "no matching peer
config found". Any help is appreciated.

Thanks,
Nagaraj

config files on MOON:
ipsec.conf
=========
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn net-net
        left=192.167.21.1
        leftcert=moonCert.pem
        leftid=@localhost
        leftsubnet=192.167.2.0/24
        leftfirewall=no
        right=192.167.21.2
        rightid=@localhost
        rightsubnet=192.167.1.0/24
        auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem "testing"

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
  multiple_authentication = no
}

[root at moon certs]# openssl x509 -in moonCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 44 (0x2c)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
        Validity
            Not Before: May 24 23:37:15 2012 GMT
            Not After : May 24 23:37:15 2014 GMT
        Subject: C=SG, ST=CA, O=DemoCA, CN=localhost/emailAddress=admin at server.example.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c8:f8:21:05:4e:b6:ea:43:28:ee:aa:3f:0a:72:
                    39:39:f1:1b:f9:a2:79:50:39:5b:09:a9:c9:00:e2:
                    76:39:07:1f:8a:83:9b:74:26:74:81:ba:be:73:14:
                    01:bb:76:44:a8:9f:48:13:2b:c5:e4:9b:41:78:75:
                    5b:e5:e2:06:cf:d2:c6:49:5b:f7:1f:d1:4a:2f:d2:
                    bb:35:c8:d9:36:e3:0a:60:c5:b0:a6:58:56:3e:fc:
                    c0:da:a6:7d:09:94:9e:da:2c:e2:e3:6e:27:3a:4a:
                    43:f8:0e:f4:6f:9a:95:86:0e:f0:5d:83:ce:6f:f0:
                    6f:af:c8:55:ba:cf:8d:26:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E0:C3:F6:51:C6:B2:81:B2:55:51:11:E3:24:77:CD:6D:CC:C0:DE:D3
            X509v3 Authority Key Identifier:
                keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F

    Signature Algorithm: sha1WithRSAEncryption
        5a:dc:47:41:9e:c9:65:d6:33:36:e8:b1:0b:72:4b:ed:b5:a5:
        3d:ea:73:1f:3c:e6:f4:93:54:33:dc:37:90:eb:b8:49:23:2e:
        79:06:30:e9:a2:4c:4f:46:8f:1f:24:14:13:c1:45:80:1a:fb:
        ea:59:68:a7:be:22:59:1d:94:9d:47:0d:d0:0e:fc:22:f2:63:
        44:db:f8:cf:a3:df:bd:36:16:dd:bb:b4:22:fa:63:ee:39:cf:
        65:5f:b0:2e:72:c7:ba:f0:6c:67:63:84:6e:96:42:36:eb:03:
        fb:63:7b:32:75:17:cd:60:5c:b5:7b:a3:29:ff:64:54:93:d5:
        68:e9:39:3a:03:3b:6d:b7:16:e2:89:a9:c9:24:60:e7:0a:bb:
        44:c1:d8:ce:50:7a:80:be:ca:6b:33:b2:c5:68:77:72:c8:28:
        0d:0f:aa:3c:7e:f7:01:7c:e2:7a:d4:83:27:8a:54:aa:22:a4:
        63:6b:37:f8:60:eb:5f:70:e4:1b:54:0f:ee:09:ff:55:cb:44:
        96:24:3e:6f:60:12:e1:31:45:c1:8e:6c:bc:f5:eb:81:f1:39:
        50:58:b6:9c:f3:1d:76:8e:c5:ae:83:a4:b3:c1:66:e2:13:e5:
        ab:64:29:08:b3:4f:5e:10:31:69:aa:ff:73:7b:a6:af:bd:da:
        a3:8d:e1:38
[root at moon certs]#

config files on SUN:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn net-net
        left=192.167.21.2
        leftcert=sunCert.pem
        leftid=@localhost
        leftsubnet=192.167.1.0/24
        leftfirewall=no
        right=192.167.21.1
        rightid=@localhost
        rightsubnet=192.167.2.0/24
        auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA sunKey.pem "testing"

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
  multiple_authentication = no
}

root at sun:/etc/ipsec.d/certs# openssl x509 -in sunCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 44 (0x2c)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
        Validity
            Not Before: May 25 00:16:10 2012 GMT
            Not After : May 25 00:16:10 2014 GMT
        Subject: C=SG, ST=CA, O=DemoCA, CN=localhost/emailAddress=admin1 at server.example.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cc:d3:74:06:38:b5:57:77:6c:fc:24:3a:7d:32:
                    f2:33:60:61:31:b3:f9:8b:af:49:8b:da:f8:69:ac:
                    af:e4:b2:da:22:8d:b9:f0:68:8c:d7:13:05:ca:9e:
                    ef:38:6e:c5:29:1e:f5:6e:88:8f:95:8a:b3:f3:90:
                    04:5a:d9:67:eb:ba:48:cd:69:02:77:72:e2:47:2a:
                    f0:8c:6e:78:0b:f3:c8:3d:1d:b5:82:7b:05:59:e5:
                    91:22:30:22:4e:bc:27:df:bc:89:2b:42:32:75:90:
                    72:ec:e6:40:1a:f0:05:72:89:53:f5:af:d0:f8:fe:
                    8b:73:5d:e6:f9:2e:a2:ab:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sun.a10networks.com
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A4:86:07:B5:12:84:5C:AC:2E:86:DE:63:E1:27:BE:A4:8B:4D:6C:3B
            X509v3 Authority Key Identifier:
                keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F

    Signature Algorithm: sha1WithRSAEncryption
        b8:17:ce:d3:8b:83:54:f3:b2:5a:5f:4e:5c:ac:bf:21:2b:a2:
        ac:b5:17:8d:bf:f6:b8:31:b6:b1:05:eb:54:c9:69:dc:9b:5e:
        b0:d6:60:b8:bd:f0:c7:91:f6:9e:53:e8:8b:57:27:95:46:d9:
        68:c4:a3:04:26:b5:9f:38:a3:37:89:09:01:31:63:55:aa:9b:
        cc:9e:5d:9c:b5:cc:42:66:f8:3c:ff:8f:c9:b0:28:60:a9:07:
        8a:3c:b8:10:9f:f9:42:14:d9:0d:39:19:6c:2d:46:67:94:4c:
        b2:7f:54:ea:1d:2b:1c:90:31:0c:ba:32:73:62:ab:39:7a:04:
        4f:27:cf:cb:2c:1c:4d:05:35:2e:da:ea:65:1f:74:80:95:8a:
        9a:96:1c:9c:e4:6a:52:1a:3f:c8:3f:23:b3:dc:51:70:47:f6:
        3f:b1:fe:66:b9:c5:6f:68:a7:28:dc:5f:35:3e:da:b4:95:c4:
        97:cf:e1:b0:1e:06:cc:a8:c6:d5:64:e4:cb:7e:77:67:89:39:
        8d:01:e9:cd:81:ad:00:16:35:d5:fd:5c:22:16:70:f3:60:d3:
        a4:7f:96:70:7a:2c:97:8f:8a:f3:cd:54:7b:d3:5c:6e:d7:d9:
        e5:aa:fc:dd:9a:70:ff:5b:04:05:8b:9c:b5:eb:1f:2e:16:e5:
        58:8c:b6:ab
root at sun:/etc/ipsec.d/certs#

CA Certificate
===========
root at sun:/etc/ipsec.d/cacerts# openssl x509 -in strongswanCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ad:86:88:ea:13:7f:c2:85
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
        Validity
            Not Before: May 24 23:17:55 2012 GMT
            Not After : May 23 23:17:55 2016 GMT
        Subject: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d2:22:43:3d:b9:d1:ab:49:b5:24:3d:7a:a9:24:
                    7d:87:9e:3b:7a:ea:9b:96:71:7f:87:4c:e2:05:55:
                    f5:e7:ed:0c:62:fd:3f:05:a5:7d:33:d5:1e:dd:39:
                    81:07:60:9d:98:20:14:f8:c1:f9:4b:55:8b:a5:5d:
                    8c:67:6f:fe:45:b3:bd:6f:da:a8:4d:04:aa:6e:e6:
                    9c:eb:1f:52:da:94:0a:b6:ae:6e:6a:9d:45:7f:c6:
                    b8:9d:34:ad:8b:97:da:b1:e2:6f:eb:e9:3c:fd:df:
                    0a:d2:e1:dd:c3:57:3d:8b:aa:d6:fe:32:8f:1d:ae:
                    77:93:6a:f5:83:d2:ad:cc:da:d6:68:69:6e:c5:a0:
                    e7:fd:e6:85:10:ab:c7:ea:2c:40:25:4f:34:eb:c6:
                    17:d2:af:b5:40:ef:bd:c9:96:8e:89:cc:af:99:34:
                    28:5a:f3:83:2a:15:c6:ab:94:c3:62:5d:31:32:05:
                    16:ef:53:8a:5b:28:49:67:f0:09:76:79:6c:cb:18:
                    b0:80:df:bd:26:0f:15:2b:c7:65:c7:7c:bb:77:28:
                    0d:8a:ce:63:f8:7b:74:df:b6:0e:6f:50:5f:4a:eb:
                    b7:6f:ca:ba:a1:ab:af:11:f5:10:4f:d0:d1:8d:51:
                    35:9b:43:9c:31:a1:5e:73:21:82:d8:e4:ac:21:b8:
                    c2:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
            X509v3 Authority Key Identifier:
                keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
                DirName:/C=SG/ST=CA/O=DemoCA/CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
                serial:AD:86:88:EA:13:7F:C2:85

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        1a:6e:af:fc:a4:0d:13:89:19:eb:bd:e2:f3:59:23:44:8a:5e:
        7c:86:f8:ac:20:9e:07:22:2f:e9:d8:04:e3:59:5b:58:c3:64:
        5b:47:8e:d2:56:3a:c0:da:c2:55:aa:39:6a:74:24:3b:59:6c:
        f6:72:a1:b6:4c:07:ea:74:8b:6e:97:77:0a:04:69:b2:d1:35:
        27:42:ad:d7:27:fc:da:68:d7:9d:58:45:3a:90:c7:d8:3b:c6:
        e5:db:b4:a3:cf:bb:5d:f2:1d:eb:a6:9d:f7:06:37:46:22:a9:
        92:79:00:9c:d0:2c:34:2a:3a:1c:cf:75:9a:c5:70:ca:e3:d1:
        17:dc:b2:59:5e:3a:50:1f:53:e2:7c:c9:4e:65:1d:5b:b2:3c:
        9a:1a:eb:db:38:a1:55:7e:aa:6e:0b:03:71:41:53:f3:72:6e:
        d0:f8:a7:d8:ee:db:40:38:68:2a:60:79:8e:43:b0:d9:f2:77:
        54:8e:b2:ab:34:00:aa:48:14:f7:81:ed:b2:4a:41:ee:a1:53:
        61:7a:f9:b2:87:79:93:da:44:25:c1:4f:95:07:fa:78:41:a6:
        c7:4f:7e:f8:ad:31:68:25:77:75:99:e5:87:f3:9a:ef:dd:d3:
        97:59:7d:fb:f8:be:5b:29:06:a8:a7:01:af:4d:22:d4:61:99:
        33:17:8b:83
root at sun:/etc/ipsec.d/cacerts#
HostA------------MOON==============SUN---------------HostB

HostA:
   ipaddress: 192.167.2.2/24

MOON:
   ipaddress
      eth0: 192.167.2.180/24
      eth1: 192.167.21.1/24
SUN:
   ipaddress
      eth1: 192.167.21.2/24
      eth0: 192.167.1.180/24

HostB:
   ipaddress 192.167.1.69/24

[root at moon etc]# ipsec up net-net
initiating IKE_SA net-net[1] to 192.167.21.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.167.21.1[500] to 192.167.21.2[500]
received packet: from 192.167.21.2[500] to 192.167.21.1[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA
Certificate Master, E=certmaster at democa.dom"
sending cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate
Master, E=certmaster at democa.dom"
authentication of 'C=SG, ST=CA, O=DemoCA, CN=localhost,
E=admin at server.example.dom' (myself) with RSA signature successful
sending end entity cert "C=SG, ST=CA, O=DemoCA, CN=localhost,
E=admin at server.example.dom"
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 192.167.21.1[500] to 192.167.21.2[500]
received packet: from 192.167.21.2[500] to 192.167.21.1[500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
[root at moon etc]#

root at sun:tail -f /var/log/daemon.log
May 25 00:54:19 gateway2 charon: 00[DMN] Starting IKEv2 charon daemon
(strongSwan 4.6.3)
May 25 00:54:19 gateway2 charon: 00[LIB] plugin 'curl' failed to load:
/usr/local/lib/ipsec/plugins/libstrongswan-curl.so: cannot open shared
object file: No such file or directory
May 25 00:54:19 gateway2 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
May 25 00:54:19 gateway2 charon: 00[CFG]   loaded ca certificate
"C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master,
E=certmaster at democa.dom" from
'/etc/ipsec.d/cacerts/strongswanCert.pem'
May 25 00:54:19 gateway2 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
May 25 00:54:19 gateway2 charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
May 25 00:54:19 gateway2 charon: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
May 25 00:54:19 gateway2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 25 00:54:19 gateway2 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
May 25 00:54:19 gateway2 charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/sunKey.pem'
May 25 00:54:19 gateway2 charon: 00[KNL] listening on interfaces:
May 25 00:54:19 gateway2 charon: 00[KNL]   eth1
May 25 00:54:19 gateway2 charon: 00[KNL]     192.167.21.2
May 25 00:54:19 gateway2 charon: 00[KNL]     fe80::222:3fff:fef2:2e3
May 25 00:54:19 gateway2 charon: 00[KNL]   eth0
May 25 00:54:19 gateway2 charon: 00[KNL]     192.167.1.180
May 25 00:54:19 gateway2 charon: 00[KNL]     fe80::212:3fff:fea5:fd63
May 25 00:54:19 gateway2 charon: 00[DMN] loaded plugins: aes des sha1
sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke
kernel-netlink socket-default updown
May 25 00:54:19 gateway2 charon: 00[JOB] spawning 16 worker threads
May 25 00:54:19 gateway2 charon: 08[CFG] received stroke: add
connection 'net-net'
May 25 00:54:19 gateway2 charon: 08[CFG]   loaded certificate "C=SG,
ST=CA, O=DemoCA, CN=localhost, E=admin1 at server.example.dom" from
'sunCert.pem'
May 25 00:54:19 gateway2 charon: 08[CFG]   id 'localhost' not
confirmed by certificate, defaulting to 'C=SG, ST=CA, O=DemoCA,
CN=localhost, E=admin1 at server.example.dom'
May 25 00:54:19 gateway2 charon: 08[CFG] added configuration 'net-net'
May 25 00:54:41 gateway2 charon: 09[NET] received packet: from
192.167.21.1[500] to 192.167.21.2[500]
May 25 00:54:41 gateway2 charon: 09[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 25 00:54:41 gateway2 charon: 09[IKE] 192.167.21.1 is initiating an IKE_SA
May 25 00:54:41 gateway2 charon: 09[IKE] sending cert request for
"C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master,
E=certmaster at democa.dom"
May 25 00:54:41 gateway2 charon: 09[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
May 25 00:54:41 gateway2 charon: 09[NET] sending packet: from
192.167.21.2[500] to 192.167.21.1[500]
May 25 00:54:41 gateway2 charon: 10[NET] received packet: from
192.167.21.1[500] to 192.167.21.2[500]
May 25 00:54:41 gateway2 charon: 10[ENC] parsed IKE_AUTH request 1 [
IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
May 25 00:54:41 gateway2 charon: 10[IKE] received cert request for
"C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master,
E=certmaster at democa.dom"
May 25 00:54:41 gateway2 charon: 10[IKE] received end entity cert
"C=SG, ST=CA, O=DemoCA, CN=localhost, E=admin at server.example.dom"
May 25 00:54:41 gateway2 charon: 10[CFG] looking for peer configs
matching 192.167.21.2[localhost]...192.167.21.1[C=SG, ST=CA, O=DemoCA,
CN=localhost, E=admin at server.example.dom]
May 25 00:54:41 gateway2 charon: 10[CFG] no matching peer config found
May 25 00:54:41 gateway2 charon: 10[ENC] generating IKE_AUTH response
1 [ N(AUTH_FAILED) ]
May 25 00:54:41 gateway2 charon: 10[NET] sending packet: from
192.167.21.2[500] to 192.167.21.1[500]



