[strongSwan] Auth Failed

Bharath Kumar cbkumar at gmail.com
Wed Jan 2 21:41:09 CET 2013


I think you should try either one of these options:

  1. In the ipsec.secrets file, uncomment this line:
                     #: RSA server_priv.pem
     The assumption here is that this private key is the one that matches
server_cert.crt used in the ipsec.conf file, and also that this
private key file is not password protected. If it is, you'd have to provide
the passphrase at the end of the line in double quotes.

  2. In the ipsec.conf file, under conn rclientscerts, set
                      leftcert=elcCert.pem

      This option will ensure that the connection profile makes use of
"elcCert.pem", which is proven to work for the teknerds connection. No changes
would be required for ipsec.secrets.

Thanks,
Bharath Kumar
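Option 1 above comes down to one question: does an uncommented ": RSA <file>" line in ipsec.secrets name the private key that belongs to the leftcert of each conn? The script below is an added example, not part of this thread, that answers it with openssl by comparing RSA moduli; the directory layout and the file names are assumptions.

```sh
#!/bin/sh
# Added check: for every active conn in ipsec.conf, confirm that some
# uncommented ": RSA <file>" line in ipsec.secrets holds the private key
# belonging to that conn's leftcert (identical RSA modulus).
# Assumed layout: certs under $CERTDIR, keys under $KEYDIR (strongSwan's
# defaults are /etc/ipsec.d/certs and /etc/ipsec.d/private).

# resolve_path DIR FILE -> absolute path; bare file names live in DIR
resolve_path() {
    case "$2" in /*) printf '%s\n' "$2" ;; *) printf '%s/%s\n' "$1" "$2" ;; esac
}

# key_matches_cert CERT KEY -> 0 if the key's RSA modulus equals the cert's.
# An encrypted key cannot be opened non-interactively and counts as no match,
# which is exactly the case where ipsec.secrets needs the quoted passphrase.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" -passin pass: 2>/dev/null </dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# list_leftcerts IPSEC_CONF -> "conn<TAB>leftcert" per non-template conn
# (commented lines and the %default template are skipped)
list_leftcerts() {
    awk '/^[[:space:]]*#/ { next }
         /^conn[[:space:]]/ { conn = ($2 ~ /^%/) ? "" : $2; next }
         conn != "" && /^[[:space:]]*leftcert=/ { sub(/.*leftcert=/, ""); print conn "\t" $0 }' "$1"
}

# list_rsa_keys IPSEC_SECRETS -> key file from each uncommented ": RSA file" line
list_rsa_keys() {
    awk '$1 == ":" && $2 == "RSA" { print $3 }' "$1"
}

# check_conf CONF SECRETS CERTDIR KEYDIR -> one "OK|MISSING conn cert" line per conn
check_conf() {
    list_leftcerts "$1" | while IFS="$(printf '\t')" read -r conn cert; do
        status=MISSING
        for key in $(list_rsa_keys "$2"); do
            if key_matches_cert "$(resolve_path "$3" "$cert")" "$(resolve_path "$4" "$key")"; then
                status=OK; break
            fi
        done
        printf '%s %s %s\n' "$status" "$conn" "$cert"
    done
}

if [ $# -eq 4 ]; then check_conf "$@"; fi
```

Run as `sh check_keys.sh /etc/ipsec.conf /etc/ipsec.secrets /etc/ipsec.d/certs /etc/ipsec.d/private`; a MISSING line for a conn is the configuration behind the "no private key found" charon message quoted below.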


On Mon, Dec 31, 2012 at 1:55 PM, Chris Arnold
<carnold at electrichendrix.com> wrote:

> Here is the complete (with lines commented out) ipsec.secrets file:
>
> # ipsec.secrets
> #
> # This file holds the RSA private keys or the PSK preshared secrets for
> # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
> #
> : RSA elcKey.pem
> #: RSA akimmo-key.pem
> #: RSA server_priv.pem
> #kimmo : EAP "test"
> #: RSA elcKey.pem ----->commented out to see if this was the issue
> #username : XAUTH "" --->commented out to see if this was the issue
>
> ------------------------------
> *From: *"Chris Arnold" <carnold at electrichendrix.com>
> *To: *users at lists.strongswan.org
> *Sent: *Monday, December 31, 2012 4:42:00 PM
> *Subject: *Re: [strongSwan] Auth Failed
>
>
> > Chris,
> >
> > Assuming elcKey.pem is the private key associated with the certificate
> > elcCert.pem (used for conn teknerds), shouldn't there be another private
> > key associated with server_cert.crt used in conn rclientscerts? Just
> > wondering since you are using separate (left) certificates for the
> > connections...
>
> Nothing has been changed in the ipsec.secret file except the iOS secret
> being commented out. This worked for months without any issues. Kimmo, a user
> here on the list, configured it and tested it and it was working. The last
> thing that was done was SLES strongSwan update from 4.3 to 4.4. The other
> conn, teknerds, works fine.
>
> > The ipsec.secrets should be more like
> >   : RSA elcKey.pem
> >   : RSA server_Key.pem <"my-passphrase">
> >
> > Where the passphrase is needed only if the private key is password
> > protected.
>
>
>
>> On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold <carnold at electrichendrix.com> wrote:
>>
>>> strongSwan 4.4.06 on SLES 11 SP2. This used to work. I am working on
>>> adding users with iOS to strongSwan but have commented that out of
>>> ipsec.conf and ipsec.secret to verify this is not the problem. A user with
>>> Windows 7 and a client cert connects and receives:
>>> Error 13801: IKE Authentication Credentials are unacceptable
>>>
>>> All other VPN connections work (like the conn teknerds which is
>>> strongSwan to sonicwall).
>>>
>>> Error in the charon.log:
>>> 13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
>>> 13[CFG] looking for peer configs matching
>>> 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]
>>> 13[CFG] selected peer config 'rclientscerts'
>>> 13[CFG]   using certificate "O=Chris VPN service, CN=Client2"
>>> 13[CFG]   using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens
>>> Land Corp, OU=ELC, CN=Jarrod, E=email at address"
>>> 13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"
>>> 13[CFG] certificate status is not available
>>> 13[CFG]   reached self-signed root ca with a path length of 0
>>> 13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA
>>> signature successful
>>> 13[IKE] peer supports MOBIKE
>>> 13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
>>> 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>
>>> Here is ipsec.conf:
>>> config setup
>>>         # plutodebug=all
>>>           crlcheckinterval=600
>>>           strictcrlpolicy=no
>>>         # cachecrls=yes
>>>           nat_traversal=yes
>>>         # charonstart=no
>>>           plutostart=no
>>>         #charondebug="cfg 3,lib=3"
>>>
>>> # Add connections here.
>>>
>>> conn %default
>>>         ikelifetime=28800s
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=1
>>>         keyexchange=ikev2
>>>         mobike=no
>>>
>>> conn rclientseap
>>>         rekey=no
>>>         left=%any
>>>         leftauth=pubkey
>>>         leftcert=server_cert.crt
>>>         leftid=@public.ip
>>>         leftsubnet=0.0.0.0/0
>>>         right=%any
>>>         rightsourceip=192.168.2.0/24
>>>         rightauth=eap-mschapv2
>>>         rightsendcert=never
>>>         eap_identity=%any
>>>         mobike=yes
>>>         auto=ignore
>>>
>>> conn rclientscerts
>>>         rekey=no
>>>         left=%any
>>>         leftauth=pubkey
>>>         leftcert=server_cert.crt
>>>         leftid=@public.ip
>>>         leftsubnet=0.0.0.0/0
>>>         right=%any
>>>         rightsourceip=192.168.2.0/24
>>>         #rightauth=eap-mschapv2
>>>         #rightsendcert=never
>>>         #eap_identity=%any
>>>         mobike=yes
>>>         auto=add
>>>
>>>
>>>
>>>
>>> conn teknerds
>>>         left=%defaultroute
>>>         leftcert=elcCert.pem
>>>         leftsubnet=192.168.1.0/24
>>>         #leftid="C=XX, O=X, CN=Edens Land Corp VPN"
>>>         #leftfirewall=yes
>>>         right=sonicwall.public.ip
>>>         rightsubnet=192.168.123.0/24
>>>         rightcert=teknerdsCert.pem
>>>         rightid="C=XX, O=X, CN=Tek-Nerds VPN"
>>>         auto=add
>>>
>>>
>>> #conn iOS
>>> #       keyexchange=ikev1
>>> #       authby=xauthrsasig
>>> #       xauth=server
>>> #       left=%defaultroute
>>> #       leftsubnet=192.168.1.0/24
>>> #       leftcert=elcCert.pem
>>> #       right=%any
>>> #       rightsourceip=192.168.3.0/24
>>> #       #rightcert=
>>> #       pfs=no
>>> #       auto=add
>>>
>>> Here is ipsec.secret:
>>> : RSA elcKey.pem
>>>
>>> Any help with this is greatly appreciated.
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>>
>