[strongSwan] StrongSwan Problem
Kambiz Mizanian
mizanian at yahoo.com
Tue Nov 13 18:30:52 CET 2012
I have installed strongSwan 4.5.2 on Mandriva Linux 2011 and we connected to a Juniper VPN server. When my /etc/ipsec.secrets contains RSA <USERACCOUNT>Key.pem "<password>", everything is OK and the VPN connection is established, but when I changed RSA <USERACCOUNT>Key.pem "<password>" to RSA <USERACCOUNT>Key.pem %prompt in /etc/ipsec.secrets and started IPsec with the ipsec start command, my connection is not established and my log file is as below:
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] listening on interfaces:
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] eth0
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] 192.168.1.183
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[KNL] fe80::221:70ff:fea7:55ea
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loaded ca certificate "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5" from '/etc/ipsec.d/cacerts/VeriRootCA.pem'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loaded ca certificate "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3" from '/etc/ipsec.d/cacerts/VeriIssueCA.pem'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[DMN] loaded plugins: ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Nov 6 17:32:32 wthr-lm9-p0106 charon: 00[JOB] spawning 16 worker threads
Nov 6 17:32:32 wthr-lm9-p0106 charon: 03[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] received stroke: add connection 'thrghazas'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] left nor right host is our side, assuming left=local
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] loaded certificate "DC=com, DC=XXX, DC=CORP, OU=MandrivaUser, OU=YYYY, CN=thrghazas" from 'thrghazasCert.pem'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 07[CFG] added configuration 'thrghazas'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[CFG] received stroke: initiate 'thrghazas'
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[IKE] initiating IKE_SA thrghazas[1] to A.B.C.D
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 10[NET] sending packet: from 192.168.1.183[500] to A.B.C.D[500]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[NET] received packet: from A.B.C.D[500] to 192.168.1.183[500]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) ]
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] local host is behind NAT, sending keep alives
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] remote host is behind NAT
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] received 2 cert requests for an unknown ca
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3"
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
Nov 6 17:32:32 wthr-lm9-p0106 charon: 13[IKE] no private key found for 'DC=com, DC=XXX, DC=CORP, OU=MandrivaUser, OU=Iran, CN=thrghazas'
After that I ran ipsec secrets and got the following prompt:
wthr-lm9-p0106 charon: 05[CFG] rereading secrets
wthr-lm9-p0106 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
wthr-lm9-p0106 charon: 05[CFG] loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'
and the following lines are added to the log file:
Nov 6 17:32:37 wthr-lm9-p0106 charon: 11[CFG] rereading secrets
Nov 6 17:32:37 wthr-lm9-p0106 charon: 11[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 6 17:32:52 wthr-lm9-p0106 charon: 11[CFG] loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'
and nothing else in the log file (no error but no VPN connection).
At that time, my log file at the Juniper VPN server is as below:
Info NWC23465 2012-11-06 13:39:42 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: Session ended for user with IP 10.84.255.160
Info ERR24670 2012-11-06 13:39:42 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: ACL count = 0.
Info NWC23508 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - Key Exchange number 1 occured for user with NCIP 10.84.255.160
Info NWC30477 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: User with IP 10.84.255.160 connected with ESP transport mode.
Info NWC23464 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: Session started for user with IP 10.84.255.160, hostname
Info ERR24670 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[Com2-Trusted-XXX-Linux-IKEv2] - VPN Tunneling: ACL count = 25.
Info AUT24326 2012-11-06 13:38:34 - ive - [188.245.200.84] Root::thrghazas(Com2-Trusted-Linux-IKEv2)[] - Primary authentication successful for thrghazas/XXX-CERT-SN from 188.245.200.84
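The charon log above shows the key loaded only after the interactive ipsec secrets run, while the IKE_SA had already been initiated without it at ipsec start. The following added example (not from the post or the strongSwan project) is a small POSIX sh checker that detects that ordering in a charon log and counts %prompt entries in a secrets file; the log and secrets lines it reads are constructed inline from the post, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example: detect the "%prompt key not yet loaded when the connection was
# initiated" pattern in a charon log, and flag %prompt entries in ipsec.secrets.

# Constructed sample log, abbreviated from the lines quoted in the post.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Nov 6 17:32:32 host charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 6 17:32:32 host charon: 10[IKE] initiating IKE_SA thrghazas[1] to A.B.C.D
Nov 6 17:32:32 host charon: 13[IKE] no private key found for 'DC=com, DC=XXX, DC=CORP, OU=MandrivaUser, OU=Iran, CN=thrghazas'
Nov 6 17:32:37 host charon: 11[CFG] rereading secrets
Nov 6 17:32:52 host charon: 11[CFG] loaded RSA private key from '/etc/ipsec.d/private/thrghazasKey.pem'
EOF

# Constructed sample ipsec.secrets line (placeholder key file name, no real key).
SAMPLE_SECRETS=$(mktemp)
echo ': RSA thrghazasKey.pem %prompt' >"$SAMPLE_SECRETS"

# Prints one of:
#   prompt-key-missing-at-start  - "no private key found" occurs before any
#                                   "loaded RSA private key" (the post's case)
#   key-loaded-before-use        - the key was loaded before any such failure
#   no-key-events                - neither message appears in the log
diagnose_charon_log() {
    missing=$(grep -n 'no private key found' "$1" | head -n1 | cut -d: -f1)
    loaded=$(grep -n 'loaded RSA private key' "$1" | head -n1 | cut -d: -f1)
    if [ -z "$missing" ] && [ -z "$loaded" ]; then echo no-key-events; return 0; fi
    if [ -z "$missing" ]; then echo key-loaded-before-use; return 0; fi
    if [ -z "$loaded" ] || [ "$missing" -lt "$loaded" ]; then
        echo prompt-key-missing-at-start
    else
        echo key-loaded-before-use
    fi
}

# Counts %prompt entries: such keys are only loaded when 'ipsec secrets' is run
# from a terminal, so they are absent right after a non-interactive 'ipsec start'.
secrets_prompt_entries() {
    grep -c '%prompt' "$1" || true
}

diagnose_charon_log "$SAMPLE_LOG"
secrets_prompt_entries "$SAMPLE_SECRETS"
```

When the checker reports prompt-key-missing-at-start, the key was supplied after the initiation attempt; bringing the connection up again after the passphrase has been entered (for example with ipsec up thrghazas) lets charon authenticate with the now-loaded key.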