[strongSwan] strongswan error: "no matching peer config found"

Justin Grover justin.grover at gmail.com
Tue Mar 5 19:49:09 CET 2013


Hello All Again,

I'm a little further along than I was when I last reached out for help.  I
would like to establish a connection between two Ubuntu machines (client
and server) on the same subnet.  When I perform *sudo ipsec up myconn* from
my strongSwan client, here's the current output:

initiating IKE_SA mytest[2] to 192.168.0.50
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.75[500] to 192.168.0.50[500]
received packet: from 192.168.0.50[500] to 192.168.0.75[500]
parsed ID_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=US, O=MSI, CN=MSI-ROOT-CA"
sending cert request for "C=US, O=MSI, CN=MSI-ROOT-CA"
authentication of 'C=US, O=MSI, CN=MSI-ROOT-CA' (myself) with RSA signature successful
sending end entity cert "C=US, O=MSI, CN=MSI-ROOT-CA"
establishing CHILD_SA mytest
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.75[4500] to 192.168.0.50[4500]
received packet: from 192.168.0.50[4500] to 192.168.0.75[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error


When I check the logs on the server, they say:

[IKE] received cert request for "C=US, O=MSI, CN=MSI-ROOT-CA"
[IKE] received end entity cert "C=US, O=MSI, CN=MSI-ROOT-CA"
[CFG] looking for peer configs matching 192.168.0.50[192.168.0.50]...192.168.0.75[C=US, O=MSI, CN=MSI-ROOT-CA]
[CFG] no matching peer config found
[IKE] peer supports MOBIKE
[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[NET] sending packet: from 192.168.0.50[4500] to 192.168.0.75[4500]


Does anyone know what this problem is?  Here are my client and server
ipsec.conf files:


==== CLIENT ipsec.conf ====
config setup
  strictcrlpolicy=no
  plutostart=no

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  authby=secret
  keyexchange=ikev2

conn mytest
  left=%any
  leftsubnet=0.0.0.0/0
  leftcert=/etc/ipsec.d/certs/cert.pem
  mobike=yes
  right=msi-strongswan.simorg.msi
  auto=start
  leftauth=pubkey




==== SERVER ipsec.conf ====
config setup
  strictcrlpolicy=no
  plutostart=no
  charondebug=all

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  authby=pubkey
  keyexchange=ikev2

conn mytest
  left=msi-strongswan.simorg.msi
  mobike=yes
  right=%any
  auto=add
  leftcert=cert.pem
  rightid=%any
  leftid=%any
  rightsourceip=192.168.0.1/24
  esp=aes-sha384-modp2048 !
  ike=aes-sha384-modp2048 !