[strongSwan] Win7 machine certificate connection failing
Paton, Andy
andy.paton at hp.com
Wed Jul 10 23:12:31 CEST 2013
Can you post details of your certificates. Both the machine cert for the gateway and the device cert?
--
Andrew Paton
On 10 Jul 2013, at 21:55, "Gregg Hughes" <ghughes at iscinternational.com<mailto:ghughes at iscinternational.com>> wrote:
Good afternoon, all!
I've been working on getting a Strongswan installation running on a VMware Workstation test platform. The server is Ubuntu Server 12.04 with Strongswan 4.5.2 from the Ubuntu repository.
I've been able to get a net-net test config to work, but have had trouble with a roadwarrior config. I think it's a problem with certificates because I get "Error 13801: IKE authentication credentials are unacceptable", so I know the client is reaching the server and trying to get in.
I followed the examples listed here, working on an X.509 machine certificate to start: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7 I used the multiple client configs and the instructions on importing certificates into Win7.
All certs were generated and signed on the strongswan server and are in the proper directories under /etc/ipsec.d. Content of ipsec.conf and greps from auth.log and syslog also.
I confess to being at a loss as to why I am still getting the Error 13801 after several hours troubleshooting.
Thanks in advance!
Gregg
# ipsec.conf - strongSwan1 IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=180
# strictcrlpolicy=no
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=no
# Add connections here.
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
# authby=secret
keyexchange=ikev2
# mobike=no
conn net-net
left=192.168.91.163
leftsubnet=10.1.0.0/16
leftid=@strongswan1
leftfirewall=yes
right=192.168.91.160
rightsubnet=10.2.0.0/16
rightid=@strongswan2
auto=add
conn Win7
left=%defaultroute
# leftcert=cacert.pem
leftsubnet=10.1.0.0/16
leftid=strongswan1
right=%any
rightsourceip=192.168.93.0/24
# rightauth=eap-mschapv2
# rightsendcert=never
# eap_identity=%any
# rightcert=client1cert.pem
# keyexchange=ikev2
auto=add
include /var/lib/strongswan/ipsec.conf.inc
----------------------------------------
auth.log cuts
Jul 10 15:20:28 strongswan1 charon: 03[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:21:51 strongswan1 ipsec_starter[1606]: charon stopped after 200 ms
Jul 10 15:21:54 strongswan1 ipsec_starter[1641]: charon (1667) started after 60 ms
Jul 10 15:23:02 strongswan1 ipsec_starter[1641]: charon stopped after 200 ms
Jul 10 15:23:25 strongswan1 ipsec_starter[931]: charon (939) started after 1120 ms
Jul 10 15:32:19 strongswan1 ipsec_starter[999]: charon (1003) started after 1060 ms
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA
--------------------------------------------
syslog cuts
Jul 10 15:32:20 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jul 10 15:32:19 strongswan1 charon: 00[KNL] listening on interfaces:
Jul 10 15:32:19 strongswan1 charon: 00[KNL] eth0
Jul 10 15:32:19 strongswan1 charon: 00[KNL] 192.168.91.163
Jul 10 15:32:19 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c6b
Jul 10 15:32:19 strongswan1 charon: 00[KNL] eth1
Jul 10 15:32:19 strongswan1 charon: 00[KNL] 10.1.0.1
Jul 10 15:32:19 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c75
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>" from '/etc/ipsec.d/cacerts/cacert.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/cakey.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 10 15:32:19 strongswan1 charon: 00[CFG] sql plugin: database URI not set
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] mediation client database URI not defined, skipped
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] HA config misses local/remote address
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Jul 10 15:32:19 strongswan1 charon: 00[JOB] spawning 16 worker threads
Jul 10 15:32:19 strongswan1 charon: 05[CFG] received stroke: add connection 'net-net'
Jul 10 15:32:19 strongswan1 charon: 05[CFG] added configuration 'net-net'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] received stroke: add connection 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] added configuration 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] adding virtual IP address pool 'Win7': 192.168.93.0/24
Jul 10 15:32:43 strongswan1 charon: 13[NET] received packet: from 192.168.91.166[500] to 192.168.91.163[500]
Jul 10 15:32:43 strongswan1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:32:43 strongswan1 charon: 13[IKE] sending cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 15:32:43 strongswan1 charon: 13[NET] sending packet: from 192.168.91.163[500] to 192.168.91.166[500]
Jul 10 15:32:43 strongswan1 charon: 14[NET] received packet: from 192.168.91.166[4500] to 192.168.91.163[4500]
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP4_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP6_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received end entity cert "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] looking for peer configs matching 192.168.91.163[%any]...192.168.91.166[C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>]
Jul 10 15:32:43 strongswan1 charon: 14[CFG] selected peer config 'Win7'
Jul 10 15:32:43 strongswan1 charon: 14[CFG] using certificate "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] using trusted ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] checking certificate status of "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] certificate status is not available
Jul 10 15:32:43 strongswan1 charon: 14[CFG] reached self-signed root ca with a path length of 0
Jul 10 15:32:43 strongswan1 charon: 14[IKE] authentication of 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com<http://iscinternational.com>' with RSA signature successful
Jul 10 15:32:43 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for 'strongswan1'
Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 10 15:32:43 strongswan1 charon: 14[NET] sending packet: from 192.168.91.163[4500] to 192.168.91.166[4500]
Gregg Hughes
IT Administrator
www.iscinternational.com<http://www.iscinternational.com>
414.721.0301 phone
262.313.3106 fax
_______________________________________________
Users mailing list
Users at lists.strongswan.org<mailto:Users at lists.strongswan.org>
https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list