[strongSwan] Error "no peer config found" when connecting
Justin Grover
justin.grover at gmail.com
Wed Mar 13 16:36:33 CET 2013
Lars,
When I got this error previously, it was because I didn't have a matching
leftid / rightid in my ipsec.conf files. This should be the subject or
altsubjectname from your cert.
I'm not seeing the leftid or rightid in your configs. If you add them, that
might fix it.
Justin
On Mar 13, 2013 10:26 AM, "Larsen" <larsen007 at web.de> wrote:
> Hi,
>
> I am still trying to establish a VPN connection between my Windows XP box
> using the ShrewSoft client and our IPFire server running Strongswan 5.0.2,
> but now I get the error "no peer config found" in the server log:
>
>
> charon: 16[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (365 bytes)
> charon: 16[IKE] ignoring certificate request without data
> charon: 16[IKE] sending cert request for "C=DE, ST=city, L=city, O=mycompany, OU=IPFire, CN=mycompanyCA, E=noone at example.com"
> charon: 16[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (549 bytes)
> charon: 12[NET] sending packet: from #external IP#[500] to 192.168.120.24[500]
> charon: 16[MGR] checkin IKE_SA (unnamed)[5]
> charon: 16[MGR] check-in of IKE_SA successful.
> charon: 06[NET] received packet: from 192.168.120.24[500] to #external IP#[500]
> charon: 06[NET] waiting for data on sockets
> charon: 08[MGR] checkout IKE_SA by message
> charon: 08[MGR] IKE_SA (unnamed)[5] successfully checked out
> charon: 08[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (1292 bytes)
> charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"
> charon: 08[CFG] looking for RSA signature peer configs matching #external IP#...192.168.120.24
> charon: 08[IKE] no peer config found
> charon: 08[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (92 bytes)
> charon: 08[MGR] checkin and destroy IKE_SA (unnamed)[5]
> charon: 08[MGR] check-in and destroy of IKE_SA successful
>
>
> I already did a search, but couldn't find the right answers to my problem.
> As far as I understand this error, it seems to me that the certificate is
> missing on the server, but I have created it there via IPFire. That client
> cert was then imported into the local computer store according to
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs .
>
> I get the same error message trying this with TheGreenBow client or an
> iPhone. My computer is on the same subnet it shall connect to via VPN, but
> I guess that shouldn't be a problem for now. Also, the iPhone is not using
> the LAN, but still has the same problem.
>
>
> # cat /etc/ipsec.conf
> version 2
>
> config setup
> charondebug="dmn 2, mgr 2, ike 1, chd 2, job 2, cfg 1, knl 2, net 2, asn 1, enc 0, lib 1, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2"
>
> conn %default
> keyingtries=%forever
>
> include /etc/ipsec.user.conf
>
> conn JonDoe
> left=#external IP#
> leftsubnet=192.168.120.0/24
> leftfirewall=yes
> lefthostaccess=yes
> right=%any
> rightsubnet=vhost:%no,%priv
> leftcert=/var/ipfire/certs/hostcert.pem
> rightcert=/var/ipfire/certs/JonDoecert.pem
>
> ike=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp8192,aes256-sha-modp6144,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp8192,aes192-sha-modp6144,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp8192,aes128-sha-modp6144,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha-modp8192,3des-sha-modp6144,3des-sha-modp4096,3des-sha-modp3072,3des-sha-modp2048,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
>
> esp=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp8192,aes256-sha1-modp6144,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp8192,aes192-sha1-modp6144,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp8192,aes128-sha1-modp6144,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha1-modp8192,3des-sha1-modp6144,3des-sha1-modp4096,3des-sha1-modp3072,3des-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
> keyexchange=ikev1
> ikelifetime=1h
> keylife=8h
> compress=yes
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> auto=add
> rightsourceip=
>
>
> # ll /var/ipfire/certs/hostcert.pem
> -rw-r--r-- 1 nobody nobody 1639 2013-02-25 16:19 /var/ipfire/certs/hostcert.pem
>
> ~# ll /var/ipfire/certs/JonDoecert.pem
> -rw-r--r-- 1 nobody nobody 1533 2013-02-25 16:20 /var/ipfire/certs/JonDoecert.pem
>
>
> What is the cause of this error message?
>
>
> Lars
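One way to check the leftid / rightid suggestion from this thread against a log and config, added here as an example (not code from either poster or from the strongSwan project): it takes the peer certificate DN that charon logged before "no peer config found" and reports which conn sections carry no rightid and which carry one equal to that DN. The sample log and config are constructed from the excerpts quoted above, 203.0.113.1 is a placeholder for the redacted external IP, and the plain textual DN comparison is a simplifying assumption.

```python
import re

# Constructed sample input, abridged from the thread; 203.0.113.1 is a placeholder IP.
SAMPLE_LOG = """\
charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"
charon: 08[CFG] looking for RSA signature peer configs matching 203.0.113.1...192.168.120.24
charon: 08[IKE] no peer config found
"""
SAMPLE_CONF = """\
conn JonDoe
    left=203.0.113.1
    right=%any
    rightcert=/var/ipfire/certs/JonDoecert.pem
    authby=rsasig
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts a new section
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) > 1 else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def norm_dn(dn):
    """Plain textual DN normalisation (an assumption; charon compares RDNs itself)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit(conf, log):
    """Per rejected peer cert DN: conns lacking rightid, and conns whose rightid equals it."""
    conns = {n: c for n, c in parse_conns(conf).items() if n != "%default"}
    report, last_dn = [], None
    for line in log.splitlines():
        m = re.search(r'received end entity cert "([^"]+)"', line)
        if m:
            last_dn = m.group(1)
        elif "no peer config found" in line and last_dn:
            no_id = sorted(n for n, c in conns.items() if "rightid" not in c)
            match = sorted(n for n, c in conns.items()
                           if norm_dn(c.get("rightid", "")) == norm_dn(last_dn))
            report.append({"peer_dn": last_dn, "no_rightid": no_id, "rightid_match": match})
            last_dn = None
    return report
```

`audit(SAMPLE_CONF, SAMPLE_LOG)` lists `JonDoe` under `no_rightid`; the value to compare against is the subject shown in the "received end entity cert" line.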