[strongSwan] Error "no peer config found" when connecting
Larsen
larsen007 at web.de
Wed Mar 13 16:47:00 CET 2013
Hi Justin,
for another problem, I have already set subjectAltName of the server cert
to the external IP.
Do I have to put this somewhere in my client config? It´s not StrongSwan
on the client side, so there is no ipsec.conf. What should I look for in
my client software? You probably don´t know the ShrewSoft client, but
perhaps you can push me in the right direction.
Second question: What value should I put into my client software as
leftid/rightid?
Please bear in mind that I´m a total newbie with IPsec =/
Lars
On Wed, 13 Mar 2013 16:36:33 +0100, Justin Grover
<justin.grover at gmail.com> wrote:
> Lars,
>
> When I got this error previously, it was because I didn't have a matching
> leftid / rightid in my ipsec.conf files. this should be the subject or
> altsubjectname from your cert.
>
> I'm not seeing the leftid or rightid in your configs. If you add them,
> that
> might fix it.
>
> Justin
> On Mar 13, 2013 10:26 AM, "Larsen" <larsen007 at web.de> wrote:
>
>> Hi,
>>
>> I am still trying to establish a VPN connection between my Windows XP
>> box
>> using the ShrewSoft client and our IPFire server running Strongswan
>> 5.0.2,
>> but now I get the error "no peer config found" in the server log:
>>
>>
>> charon: 16[NET] received packet: from 192.168.120.24[500] to #external
>> IP#[500] (365 bytes)
>> charon: 16[IKE] ignoring certificate request without data
>> charon: 16[IKE] sending cert request for "C=DE, ST=city, L=city,
>> O=mycompany, OU=IPFire, CN=mycompanyCA, E=noone at example.com"
>> charon: 16[NET] sending packet: from #external IP#[500] to
>> 192.168.120.24[500] (549 bytes)
>> charon: 12[NET] sending packet: from #external IP#[500] to
>> 192.168.120.24[500]
>> charon: 16[MGR] checkin IKE_SA (unnamed)[5]
>> charon: 16[MGR] check-in of IKE_SA successful.
>> charon: 06[NET] received packet: from 192.168.120.24[500] to #external
>> IP#[500]
>> charon: 06[NET] waiting for data on sockets
>> charon: 08[MGR] checkout IKE_SA by message
>> charon: 08[MGR] IKE_SA (unnamed)[5] successfully checked out
>> charon: 08[NET] received packet: from 192.168.120.24[500] to #external
>> IP#[500] (1292 bytes)
>> charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany,
>> OU=IPFire, CN=JonDoe"
>> charon: 08[CFG] looking for RSA signature peer configs matching
>> #external
>> IP#...192.168.120.24
>> charon: 08[IKE] no peer config found
>> charon: 08[NET] sending packet: from #external IP#[500] to
>> 192.168.120.24[500] (92 bytes)
>> charon: 08[MGR] checkin and destroy IKE_SA (unnamed)[5]
>> charon: 08[MGR] check-in and destroy of IKE_SA successful
>>
>>
>> I already did a search, but couldn´t find the right answers to my
>> problem.
>> As far as I understand this error, it seems to me that the certificate
>> is
>> missing on the server, but I have created it there via IPFire. That
>> client
>> cert was then imported into the local computer store according to
>> http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs .
>>
>> I get the same error message trying this with TheGreenBow client or an
>> iPhone. My computer is on the same subnet it shall connect to via VPN,
>> but
>> I guess that shouldn´t be a problem for now. Also, the iPhone is not
>> using
>> the LAN, but still has the same problem.
>>
>>
>> # cat /etc/ipsec.conf
>> version 2
>>
>> config setup
>> charondebug="dmn 2, mgr 2, ike 1, chd 2, job 2, cfg 1, knl 2,
>> net
>> 2, asn 1, enc 0, lib 1, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2"
>>
>> conn %default
>> keyingtries=%forever
>>
>> include /etc/ipsec.user.conf
>>
>> conn JonDoe
>> left=#external IP#
>> leftsubnet=192.168.120.0/24
>> leftfirewall=yes
>> lefthostaccess=yes
>> right=%any
>> rightsubnet=vhost:%no,%priv
>> leftcert=/var/ipfire/certs/hostcert.pem
>> rightcert=/var/ipfire/certs/JonDoecert.pem
>>
>> ike=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp8192,aes256-sha-modp6144,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp8192,aes192-sha-modp6144,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,a
>>
>> es128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp8192,aes128-sha-modp6144,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha-modp8192,3des-sha-modp6144,3des-sha-modp4096,3des-sha-modp3072,3des-sha-modp2048,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
>>
>> esp=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp8192,aes256-sha1-modp6144,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp8192,aes192-sha1-modp6144,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_
>>
>> 256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp8192,aes128-sha1-modp6144,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha1-modp8192,3des-sha1-modp6144,3des-sha1-modp4096,3des-sha1-modp3072,3des-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
>> keyexchange=ikev1
>> ikelifetime=1h
>> keylife=8h
>> compress=yes
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=clear
>> authby=rsasig
>> leftrsasigkey=%cert
>> rightrsasigkey=%cert
>> auto=add
>> rightsourceip=
>>
>>
>> # ll /var/ipfire/certs/hostcert.pem
>> -rw-r--r-- 1 nobody nobody 1639 2013-02-25 16:19
>> /var/ipfire/certs/hostcert.pem
>>
>> ~# ll /var/ipfire/certs/JonDoecert.pem
>> -rw-r--r-- 1 nobody nobody 1533 2013-02-25 16:20
>> /var/ipfire/certs/JonDoecert.pem
>>
>>
>> What is the cause of this error message?
>>
>>
>> Lars
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list