[strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3

nagaraj nagaraj2 at gmail.com
Fri May 25 06:35:02 CEST 2012


I have attached gdb to the charon process and set a breakpoint at the function
load_cfg_candidates() to debug this issue. However, when I execute
"ipsec up net-net" on SUN, the breakpoint I set on MOON never hits.
Apparently, when I ran nm on libcharon.so I did not see the symbol
load_cfg_candidates(). Does anybody know what is happening here?

Regards,
Nagaraj

[root at moon ~]# ldd /usr/local/libexec/ipsec/charon
	linux-gate.so.1 =>  (0x00110000)
	libstrongswan.so.0 => /usr/local/lib/ipsec/libstrongswan.so.0 (0x00111000)
	libhydra.so.0 => /usr/local/lib/ipsec/libhydra.so.0 (0x00141000)
	libcharon.so.0 => /usr/local/lib/ipsec/libcharon.so.0 (0x00146000)
	libm.so.6 => /lib/libm.so.6 (0x005a8000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x005da000)
	libdl.so.2 => /lib/libdl.so.2 (0x005d3000)
	libc.so.6 => /lib/libc.so.6 (0x0044d000)
	librt.so.1 => /lib/librt.so.1 (0x006d5000)
	/lib/ld-linux.so.2 (0x0042e000)
[root at moon ~]#

[root at moon etc]# ps aux | grep charon
root     29547  0.0  0.1 168148  1872 ?        Ssl  19:14   0:00 /usr/local/libexec/ipsec/charon --use-syslog
root     29566  0.0  0.0   4044   680 pts/2    S+   19:14   0:00 grep charon
[root at moon etc]# gdb attach 29547
GNU gdb Red Hat Linux (6.6-35.fc8rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
attach: No such file or directory.
Attaching to process 29547
Reading symbols from /usr/local/libexec/ipsec/charon...done.
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /usr/local/lib/ipsec/libstrongswan.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libstrongswan.so.0
Reading symbols from /usr/local/lib/ipsec/libhydra.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libhydra.so.0
Reading symbols from /usr/local/lib/ipsec/libcharon.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libcharon.so.0
Reading symbols from /lib/libm.so.6...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/92/8ab51a53627c59877a85dd9afecc1619ca866c.debug
done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libpthread.so.0...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/6c/1cdbb38ae2a292613c8c31195417ee80ea7e1e.debug
done.
[Thread debugging using libthread_db enabled]
[New Thread -1208505760 (LWP 29547)]
[New Thread -1365857392 (LWP 29563)]
[New Thread -1355367536 (LWP 29562)]
[New Thread -1344877680 (LWP 29561)]
[New Thread -1334387824 (LWP 29560)]
[New Thread -1323897968 (LWP 29559)]
[New Thread -1313408112 (LWP 29558)]
[New Thread -1302918256 (LWP 29557)]
[New Thread -1292428400 (LWP 29556)]
[New Thread -1281938544 (LWP 29555)]
[New Thread -1271448688 (LWP 29554)]
[New Thread -1260958832 (LWP 29553)]
[New Thread -1250468976 (LWP 29552)]
[New Thread -1239979120 (LWP 29551)]
[New Thread -1229489264 (LWP 29550)]
[New Thread -1218999408 (LWP 29549)]
[New Thread -1208509552 (LWP 29548)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/db/a292aff9720bfc3f25c53fa8e469168460a894.debug
done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/ba/4ea1118691c826426e9410cafb798f25cefad5.debug
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/librt.so.1...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/e3/3448de964a5ca97b70edbdcea227c6ea5d3657.debug
done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/ld-linux.so.2...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/ac/2eeb206486bb7315d6ac4cd64de0cb50838ff6.debug
done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-aes.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-aes.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-des.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-des.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-md5.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-md5.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-pem.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-pem.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-pkcs1.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-pkcs1.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-gmp.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-gmp.so
Reading symbols from /usr/lib/sse2/libgmp.so.3...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/37/55d27c6449d134914657849fa2365db4001a93.debug
done.
Loaded symbols for /usr/lib/sse2/libgmp.so.3
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-random.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-random.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-x509.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-x509.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-revocation.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-revocation.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-hmac.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-hmac.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-xcbc.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-xcbc.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-stroke.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-stroke.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-kernel-netlink.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-socket-default.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-socket-default.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-updown.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-updown.so
0x00110402 in __kernel_vsyscall ()
(gdb) b load_cfg_candidates
Function "load_cfg_candidates" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y

Breakpoint 1 (load_cfg_candidates) pending.
(gdb) c
Continuing.

On Thu, May 24, 2012 at 7:23 PM, nagaraj <nagaraj2 at gmail.com> wrote:
> IKE_AUTH fails when I try to bring up the net-net connection. I have
> attached the config files and certs for MOON and SUN below. I see that the
> error message is coming from the function load_cfg_candidates in
> src/libcharon/sa/tasks/ike_auth.c. I have used the setup and configs
> indicated at the following link:
> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/. Please
> let me know why it is throwing the error message "no matching peer
> config found". Any help is appreciated.
>
> Thanks,
> Nagaraj
>
> config files on MOON:
> ipsec.conf
> =========
> config setup
>        crlcheckinterval=180
>        strictcrlpolicy=no
>        plutostart=no
>
> conn %default
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=1
>        keyexchange=ikev2
>        mobike=no
>
> conn net-net
>        left=192.167.21.1
>        leftcert=moonCert.pem
>        leftid=@localhost
>        leftsubnet=192.167.2.0/24
>        leftfirewall=no
>        right=192.167.21.2
>        rightid=@localhost
>        rightsubnet=192.167.1.0/24
>        auto=add
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> : RSA moonKey.pem "testing"
>
> # /etc/strongswan.conf - strongSwan configuration file
>
> charon {
>  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
>  multiple_authentication = no
> }
>
> [root at moon certs]# openssl x509 -in moonCert.pem -noout -text
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 44 (0x2c)
>        Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
>        Validity
>            Not Before: May 24 23:37:15 2012 GMT
>            Not After : May 24 23:37:15 2014 GMT
>        Subject: C=SG, ST=CA, O=DemoCA, CN=localhost/emailAddress=admin at server.example.dom
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (1024 bit)
>                Modulus (1024 bit):
>                    00:c8:f8:21:05:4e:b6:ea:43:28:ee:aa:3f:0a:72:
>                    39:39:f1:1b:f9:a2:79:50:39:5b:09:a9:c9:00:e2:
>                    76:39:07:1f:8a:83:9b:74:26:74:81:ba:be:73:14:
>                    01:bb:76:44:a8:9f:48:13:2b:c5:e4:9b:41:78:75:
>                    5b:e5:e2:06:cf:d2:c6:49:5b:f7:1f:d1:4a:2f:d2:
>                    bb:35:c8:d9:36:e3:0a:60:c5:b0:a6:58:56:3e:fc:
>                    c0:da:a6:7d:09:94:9e:da:2c:e2:e3:6e:27:3a:4a:
>                    43:f8:0e:f4:6f:9a:95:86:0e:f0:5d:83:ce:6f:f0:
>                    6f:af:c8:55:ba:cf:8d:26:df
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                E0:C3:F6:51:C6:B2:81:B2:55:51:11:E3:24:77:CD:6D:CC:C0:DE:D3
>            X509v3 Authority Key Identifier:
>                keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>
>    Signature Algorithm: sha1WithRSAEncryption
>        5a:dc:47:41:9e:c9:65:d6:33:36:e8:b1:0b:72:4b:ed:b5:a5:
>        3d:ea:73:1f:3c:e6:f4:93:54:33:dc:37:90:eb:b8:49:23:2e:
>        79:06:30:e9:a2:4c:4f:46:8f:1f:24:14:13:c1:45:80:1a:fb:
>        ea:59:68:a7:be:22:59:1d:94:9d:47:0d:d0:0e:fc:22:f2:63:
>        44:db:f8:cf:a3:df:bd:36:16:dd:bb:b4:22:fa:63:ee:39:cf:
>        65:5f:b0:2e:72:c7:ba:f0:6c:67:63:84:6e:96:42:36:eb:03:
>        fb:63:7b:32:75:17:cd:60:5c:b5:7b:a3:29:ff:64:54:93:d5:
>        68:e9:39:3a:03:3b:6d:b7:16:e2:89:a9:c9:24:60:e7:0a:bb:
>        44:c1:d8:ce:50:7a:80:be:ca:6b:33:b2:c5:68:77:72:c8:28:
>        0d:0f:aa:3c:7e:f7:01:7c:e2:7a:d4:83:27:8a:54:aa:22:a4:
>        63:6b:37:f8:60:eb:5f:70:e4:1b:54:0f:ee:09:ff:55:cb:44:
>        96:24:3e:6f:60:12:e1:31:45:c1:8e:6c:bc:f5:eb:81:f1:39:
>        50:58:b6:9c:f3:1d:76:8e:c5:ae:83:a4:b3:c1:66:e2:13:e5:
>        ab:64:29:08:b3:4f:5e:10:31:69:aa:ff:73:7b:a6:af:bd:da:
>        a3:8d:e1:38
> [root at moon certs]#
>
> config files on SUN:
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>        crlcheckinterval=180
>        strictcrlpolicy=no
>        plutostart=no
>
> conn %default
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=1
>        keyexchange=ikev2
>        mobike=no
>
> conn net-net
>        left=192.167.21.2
>        leftcert=sunCert.pem
>        leftid=@localhost
>        leftsubnet=192.167.1.0/24
>        leftfirewall=no
>        right=192.167.21.1
>        rightid=@localhost
>        rightsubnet=192.167.2.0/24
>        auto=add
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> : RSA sunKey.pem "testing"
>
> # /etc/strongswan.conf - strongSwan configuration file
>
> charon {
>  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
>  multiple_authentication = no
> }
>
> root at sun:/etc/ipsec.d/certs# openssl x509 -in sunCert.pem -noout -text
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 44 (0x2c)
>        Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
>        Validity
>            Not Before: May 25 00:16:10 2012 GMT
>            Not After : May 25 00:16:10 2014 GMT
>        Subject: C=SG, ST=CA, O=DemoCA, CN=localhost/emailAddress=admin1 at server.example.dom
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (1024 bit)
>                Modulus (1024 bit):
>                    00:cc:d3:74:06:38:b5:57:77:6c:fc:24:3a:7d:32:
>                    f2:33:60:61:31:b3:f9:8b:af:49:8b:da:f8:69:ac:
>                    af:e4:b2:da:22:8d:b9:f0:68:8c:d7:13:05:ca:9e:
>                    ef:38:6e:c5:29:1e:f5:6e:88:8f:95:8a:b3:f3:90:
>                    04:5a:d9:67:eb:ba:48:cd:69:02:77:72:e2:47:2a:
>                    f0:8c:6e:78:0b:f3:c8:3d:1d:b5:82:7b:05:59:e5:
>                    91:22:30:22:4e:bc:27:df:bc:89:2b:42:32:75:90:
>                    72:ec:e6:40:1a:f0:05:72:89:53:f5:af:d0:f8:fe:
>                    8b:73:5d:e6:f9:2e:a2:ab:3b
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Subject Alternative Name:
>                DNS:sun.a10networks.com
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                A4:86:07:B5:12:84:5C:AC:2E:86:DE:63:E1:27:BE:A4:8B:4D:6C:3B
>            X509v3 Authority Key Identifier:
>                keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>
>    Signature Algorithm: sha1WithRSAEncryption
>        b8:17:ce:d3:8b:83:54:f3:b2:5a:5f:4e:5c:ac:bf:21:2b:a2:
>        ac:b5:17:8d:bf:f6:b8:31:b6:b1:05:eb:54:c9:69:dc:9b:5e:
>        b0:d6:60:b8:bd:f0:c7:91:f6:9e:53:e8:8b:57:27:95:46:d9:
>        68:c4:a3:04:26:b5:9f:38:a3:37:89:09:01:31:63:55:aa:9b:
>        cc:9e:5d:9c:b5:cc:42:66:f8:3c:ff:8f:c9:b0:28:60:a9:07:
>        8a:3c:b8:10:9f:f9:42:14:d9:0d:39:19:6c:2d:46:67:94:4c:
>        b2:7f:54:ea:1d:2b:1c:90:31:0c:ba:32:73:62:ab:39:7a:04:
>        4f:27:cf:cb:2c:1c:4d:05:35:2e:da:ea:65:1f:74:80:95:8a:
>        9a:96:1c:9c:e4:6a:52:1a:3f:c8:3f:23:b3:dc:51:70:47:f6:
>        3f:b1:fe:66:b9:c5:6f:68:a7:28:dc:5f:35:3e:da:b4:95:c4:
>        97:cf:e1:b0:1e:06:cc:a8:c6:d5:64:e4:cb:7e:77:67:89:39:
>        8d:01:e9:cd:81:ad:00:16:35:d5:fd:5c:22:16:70:f3:60:d3:
>        a4:7f:96:70:7a:2c:97:8f:8a:f3:cd:54:7b:d3:5c:6e:d7:d9:
>        e5:aa:fc:dd:9a:70:ff:5b:04:05:8b:9c:b5:eb:1f:2e:16:e5:
>        58:8c:b6:ab
> root at sun:/etc/ipsec.d/certs#
>
> CA Certificate
> ===========
> root at sun:/etc/ipsec.d/cacerts# openssl x509 -in strongswanCert.pem -noout -text
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number:
>            ad:86:88:ea:13:7f:c2:85
>        Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
>        Validity
>            Not Before: May 24 23:17:55 2012 GMT
>            Not After : May 23 23:17:55 2016 GMT
>        Subject: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (2048 bit)
>                Modulus (2048 bit):
>                    00:d2:22:43:3d:b9:d1:ab:49:b5:24:3d:7a:a9:24:
>                    7d:87:9e:3b:7a:ea:9b:96:71:7f:87:4c:e2:05:55:
>                    f5:e7:ed:0c:62:fd:3f:05:a5:7d:33:d5:1e:dd:39:
>                    81:07:60:9d:98:20:14:f8:c1:f9:4b:55:8b:a5:5d:
>                    8c:67:6f:fe:45:b3:bd:6f:da:a8:4d:04:aa:6e:e6:
>                    9c:eb:1f:52:da:94:0a:b6:ae:6e:6a:9d:45:7f:c6:
>                    b8:9d:34:ad:8b:97:da:b1:e2:6f:eb:e9:3c:fd:df:
>                    0a:d2:e1:dd:c3:57:3d:8b:aa:d6:fe:32:8f:1d:ae:
>                    77:93:6a:f5:83:d2:ad:cc:da:d6:68:69:6e:c5:a0:
>                    e7:fd:e6:85:10:ab:c7:ea:2c:40:25:4f:34:eb:c6:
>                    17:d2:af:b5:40:ef:bd:c9:96:8e:89:cc:af:99:34:
>                    28:5a:f3:83:2a:15:c6:ab:94:c3:62:5d:31:32:05:
>                    16:ef:53:8a:5b:28:49:67:f0:09:76:79:6c:cb:18:
>                    b0:80:df:bd:26:0f:15:2b:c7:65:c7:7c:bb:77:28:
>                    0d:8a:ce:63:f8:7b:74:df:b6:0e:6f:50:5f:4a:eb:
>                    b7:6f:ca:ba:a1:ab:af:11:f5:10:4f:d0:d1:8d:51:
>                    35:9b:43:9c:31:a1:5e:73:21:82:d8:e4:ac:21:b8:
>                    c2:15
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Subject Key Identifier:
>                A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>            X509v3 Authority Key Identifier:
>                keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
>                DirName:/C=SG/ST=CA/O=DemoCA/CN=DemoCA Certificate Master/emailAddress=certmaster at democa.dom
>                serial:AD:86:88:EA:13:7F:C2:85
>
>            X509v3 Basic Constraints:
>                CA:TRUE
>    Signature Algorithm: sha1WithRSAEncryption
>        1a:6e:af:fc:a4:0d:13:89:19:eb:bd:e2:f3:59:23:44:8a:5e:
>        7c:86:f8:ac:20:9e:07:22:2f:e9:d8:04:e3:59:5b:58:c3:64:
>        5b:47:8e:d2:56:3a:c0:da:c2:55:aa:39:6a:74:24:3b:59:6c:
>        f6:72:a1:b6:4c:07:ea:74:8b:6e:97:77:0a:04:69:b2:d1:35:
>        27:42:ad:d7:27:fc:da:68:d7:9d:58:45:3a:90:c7:d8:3b:c6:
>        e5:db:b4:a3:cf:bb:5d:f2:1d:eb:a6:9d:f7:06:37:46:22:a9:
>        92:79:00:9c:d0:2c:34:2a:3a:1c:cf:75:9a:c5:70:ca:e3:d1:
>        17:dc:b2:59:5e:3a:50:1f:53:e2:7c:c9:4e:65:1d:5b:b2:3c:
>        9a:1a:eb:db:38:a1:55:7e:aa:6e:0b:03:71:41:53:f3:72:6e:
>        d0:f8:a7:d8:ee:db:40:38:68:2a:60:79:8e:43:b0:d9:f2:77:
>        54:8e:b2:ab:34:00:aa:48:14:f7:81:ed:b2:4a:41:ee:a1:53:
>        61:7a:f9:b2:87:79:93:da:44:25:c1:4f:95:07:fa:78:41:a6:
>        c7:4f:7e:f8:ad:31:68:25:77:75:99:e5:87:f3:9a:ef:dd:d3:
>        97:59:7d:fb:f8:be:5b:29:06:a8:a7:01:af:4d:22:d4:61:99:
>        33:17:8b:83
> root at sun:/etc/ipsec.d/cacerts#
> HostA------------MOON==============SUN---------------HostB
>
> HostA:
>   ipaddress: 192.167.2.2/24
>
> MOON:
>   ipaddress
>      eth0: 192.167.2.180/24
>      eth1: 192.167.21.1/24
> SUN:
>   ipaddress
>      eth1: 192.167.21.2/24
>      eth0: 192.167.1.180/24
>
> HostB:
>   ipaddress: 192.167.1.69/24
>
> [root at moon etc]# ipsec up net-net
> initiating IKE_SA net-net[1] to 192.167.21.2
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.167.21.1[500] to 192.167.21.2[500]
> received packet: from 192.167.21.2[500] to 192.167.21.1[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master, E=certmaster at democa.dom"
> sending cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master, E=certmaster at democa.dom"
> authentication of 'C=SG, ST=CA, O=DemoCA, CN=localhost, E=admin at server.example.dom' (myself) with RSA signature successful
> sending end entity cert "C=SG, ST=CA, O=DemoCA, CN=localhost, E=admin at server.example.dom"
> establishing CHILD_SA net-net
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> sending packet: from 192.167.21.1[500] to 192.167.21.2[500]
> received packet: from 192.167.21.2[500] to 192.167.21.1[500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> [root at moon etc]#
>
> root at sun:tail -f /var/log/daemon.log
> May 25 00:54:19 gateway2 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.3)
> May 25 00:54:19 gateway2 charon: 00[LIB] plugin 'curl' failed to load: /usr/local/lib/ipsec/plugins/libstrongswan-curl.so: cannot open shared object file: No such file or directory
> May 25 00:54:19 gateway2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> May 25 00:54:19 gateway2 charon: 00[CFG]   loaded ca certificate "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master, E=certmaster at democa.dom" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> May 25 00:54:19 gateway2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> May 25 00:54:19 gateway2 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/sunKey.pem'
> May 25 00:54:19 gateway2 charon: 00[KNL] listening on interfaces:
> May 25 00:54:19 gateway2 charon: 00[KNL]   eth1
> May 25 00:54:19 gateway2 charon: 00[KNL]     192.167.21.2
> May 25 00:54:19 gateway2 charon: 00[KNL]     fe80::222:3fff:fef2:2e3
> May 25 00:54:19 gateway2 charon: 00[KNL]   eth0
> May 25 00:54:19 gateway2 charon: 00[KNL]     192.167.1.180
> May 25 00:54:19 gateway2 charon: 00[KNL]     fe80::212:3fff:fea5:fd63
> May 25 00:54:19 gateway2 charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
> May 25 00:54:19 gateway2 charon: 00[JOB] spawning 16 worker threads
> May 25 00:54:19 gateway2 charon: 08[CFG] received stroke: add connection 'net-net'
> May 25 00:54:19 gateway2 charon: 08[CFG]   loaded certificate "C=SG, ST=CA, O=DemoCA, CN=localhost, E=admin1 at server.example.dom" from 'sunCert.pem'
> May 25 00:54:19 gateway2 charon: 08[CFG]   id 'localhost' not confirmed by certificate, defaulting to 'C=SG, ST=CA, O=DemoCA, CN=localhost, E=admin1 at server.example.dom'
> May 25 00:54:19 gateway2 charon: 08[CFG] added configuration 'net-net'
> May 25 00:54:41 gateway2 charon: 09[NET] received packet: from 192.167.21.1[500] to 192.167.21.2[500]
> May 25 00:54:41 gateway2 charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May 25 00:54:41 gateway2 charon: 09[IKE] 192.167.21.1 is initiating an IKE_SA
> May 25 00:54:41 gateway2 charon: 09[IKE] sending cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master, E=certmaster at democa.dom"
> May 25 00:54:41 gateway2 charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> May 25 00:54:41 gateway2 charon: 09[NET] sending packet: from 192.167.21.2[500] to 192.167.21.1[500]
> May 25 00:54:41 gateway2 charon: 10[NET] received packet: from 192.167.21.1[500] to 192.167.21.2[500]
> May 25 00:54:41 gateway2 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> May 25 00:54:41 gateway2 charon: 10[IKE] received cert request for "C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master, E=certmaster at democa.dom"
> May 25 00:54:41 gateway2 charon: 10[IKE] received end entity cert "C=SG, ST=CA, O=DemoCA, CN=localhost, E=admin at server.example.dom"
> May 25 00:54:41 gateway2 charon: 10[CFG] looking for peer configs matching 192.167.21.2[localhost]...192.167.21.1[C=SG, ST=CA, O=DemoCA, CN=localhost, E=admin at server.example.dom]
> May 25 00:54:41 gateway2 charon: 10[CFG] no matching peer config found
> May 25 00:54:41 gateway2 charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> May 25 00:54:41 gateway2 charon: 10[NET] sending packet: from 192.167.21.2[500] to 192.167.21.1[500]



