[strongSwan] Error "no peer config found" when connecting
Larsen
larsen007 at web.de
Wed Mar 13 15:26:02 CET 2013
Hi,

I am still trying to establish a VPN connection between my Windows XP box
using the ShrewSoft client and our IPFire server running strongSwan 5.0.2,
but now I get the error "no peer config found" in the server log:

charon: 16[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (365 bytes)
charon: 16[IKE] ignoring certificate request without data
charon: 16[IKE] sending cert request for "C=DE, ST=city, L=city, O=mycompany, OU=IPFire, CN=mycompanyCA, E=noone at example.com"
charon: 16[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (549 bytes)
charon: 12[NET] sending packet: from #external IP#[500] to 192.168.120.24[500]
charon: 16[MGR] checkin IKE_SA (unnamed)[5]
charon: 16[MGR] check-in of IKE_SA successful.
charon: 06[NET] received packet: from 192.168.120.24[500] to #external IP#[500]
charon: 06[NET] waiting for data on sockets
charon: 08[MGR] checkout IKE_SA by message
charon: 08[MGR] IKE_SA (unnamed)[5] successfully checked out
charon: 08[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (1292 bytes)
charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"
charon: 08[CFG] looking for RSA signature peer configs matching #external IP#...192.168.120.24
charon: 08[IKE] no peer config found
charon: 08[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (92 bytes)
charon: 08[MGR] checkin and destroy IKE_SA (unnamed)[5]
charon: 08[MGR] check-in and destroy of IKE_SA successful

I already did a search, but couldn't find the right answers to my problem.

As far as I understand this error, it seems to me that the certificate is
missing on the server, but I have created it there via IPFire. That client
cert was then imported into the local computer store according to
http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs .

I get the same error message trying this with TheGreenBow client or an
iPhone. My computer is on the same subnet it shall connect to via VPN, but
I guess that shouldn't be a problem for now. Also, the iPhone is not using
the LAN, but still has the same problem.

# cat /etc/ipsec.conf
version 2

config setup
    charondebug="dmn 2, mgr 2, ike 1, chd 2, job 2, cfg 1, knl 2, net 2, asn 1, enc 0, lib 1, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2"

conn %default
    keyingtries=%forever

include /etc/ipsec.user.conf

conn JonDoe
    left=#external IP#
    leftsubnet=192.168.120.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    rightsubnet=vhost:%no,%priv
    leftcert=/var/ipfire/certs/hostcert.pem
    rightcert=/var/ipfire/certs/JonDoecert.pem
    ike=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp8192,aes256-sha-modp6144,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp8192,aes192-sha-modp6144,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp8192,aes128-sha-modp6144,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha-modp8192,3des-sha-modp6144,3des-sha-modp4096,3des-sha-modp3072,3des-sha-modp2048,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
    esp=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp8192,aes256-sha1-modp6144,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp8192,aes192-sha1-modp6144,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp8192,aes128-sha1-modp6144,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha1-modp8192,3des-sha1-modp6144,3des-sha1-modp4096,3des-sha1-modp3072,3des-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
    keyexchange=ikev1
    ikelifetime=1h
    keylife=8h
    compress=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add
    rightsourceip=

# ll /var/ipfire/certs/hostcert.pem
-rw-r--r-- 1 nobody nobody 1639 2013-02-25 16:19 /var/ipfire/certs/hostcert.pem
~# ll /var/ipfire/certs/JonDoecert.pem
-rw-r--r-- 1 nobody nobody 1533 2013-02-25 16:20 /var/ipfire/certs/JonDoecert.pem

What is the cause of this error message?

Lars
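
Added example, not part of the original post: a small Python triage helper that pairs each "no peer config found" line with the certificate subject and the lookup line logged on the same charon thread, so the auth method, endpoints and identity charon searched for can be compared with the conn section. The sample log is constructed, the function and field names are this example's own, and it assumes one log entry per line.

```python
import re

# Constructed sample in the shape of the charon lines quoted in the post
# (addresses and DNs are made up; one log entry per line, unwrapped).
SAMPLE_LOG = """\
charon: 08[NET] received packet: from 192.168.120.24[500] to 203.0.113.1[500] (1292 bytes)
charon: 08[IKE] received end entity cert "C=DE, O=example, CN=client1"
charon: 08[CFG] looking for RSA signature peer configs matching 203.0.113.1...192.168.120.24
charon: 08[IKE] no peer config found
charon: 11[NET] received packet: from 198.51.100.7[500] to 203.0.113.1[500] (1292 bytes)
charon: 11[IKE] received end entity cert "C=DE, O=example, CN=client2"
charon: 11[CFG] looking for RSA signature peer configs matching 203.0.113.1...198.51.100.7[C=DE, O=example, CN=client2]
charon: 11[CFG] selected peer config "client2"
"""

LINE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
CERT = re.compile(r'received end entity cert "(?P<cert_subject>.*)"$')
LOOKUP = re.compile(
    r"looking for (?P<auth>.+?) peer configs matching "
    r"(?P<local>.+?)\.\.\.(?P<remote>[^\[\s]+)(?:\[(?P<remote_id>.*)\])?$"
)


def failed_lookups(log_text):
    """Return one record per 'no peer config found', with what charon searched for."""
    per_thread = {}  # assumption: lines for one received message share a thread id
    failures = []
    for raw in log_text.splitlines():
        line = LINE.search(raw.strip())
        if not line:
            continue
        thread, msg = line["thread"], line["msg"]
        if msg.startswith("received packet:"):
            per_thread[thread] = {}  # new message on this thread: drop stale context
            continue
        ctx = per_thread.setdefault(thread, {})
        found = CERT.match(msg) or LOOKUP.match(msg)
        if found:
            ctx.update(found.groupdict())
        elif msg == "no peer config found":
            failures.append({"thread": thread, **ctx})
    return failures


if __name__ == "__main__":
    for record in failed_lookups(SAMPLE_LOG):
        print(record)
```
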