[strongSwan] Error "no peer config found" when connecting

Larsen larsen007 at web.de
Mon Mar 18 19:09:29 CET 2013


Could anybody else please answer my questions regarding what value to use  
for leftid/rightid?


Lars

On Wed, 13 Mar 2013 16:47:00 +0100, Larsen <larsen007 at web.de> wrote:

> Hi Justin,
>
> for another problem, I have already set subjectAltName of the server cert
> to the external IP.
> Do I have to put this somewhere in my client config? It's not StrongSwan
> on the client side, so there is no ipsec.conf. What should I look for in
> my client software? You probably don't know the ShrewSoft client, but
> perhaps you can push me in the right direction.
>
> Second question: What value should I put into my client software as
> leftid/rightid?
>
> Please bear in mind that I'm a total newbie with IPsec =/
>
>
> Lars
>
>
> On Wed, 13 Mar 2013 16:36:33 +0100, Justin Grover
> <justin.grover at gmail.com> wrote:
>
>> Lars,
>>
>> When I got this error previously, it was because I didn't have a matching
>> leftid / rightid in my ipsec.conf files. This should be the subject or
>> altsubjectname from your cert.
>>
>> I'm not seeing the leftid or rightid in your configs. If you add them, that
>> might fix it.
>>
>> Justin
>> On Mar 13, 2013 10:26 AM, "Larsen" <larsen007 at web.de> wrote:
>>
>>> Hi,
>>>
>>> I am still trying to establish a VPN connection between my Windows XP box
>>> using the ShrewSoft client and our IPFire server running Strongswan 5.0.2,
>>> but now I get the error "no peer config found" in the server log:
>>>
>>>
>>> charon: 16[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (365 bytes)
>>> charon: 16[IKE] ignoring certificate request without data
>>> charon: 16[IKE] sending cert request for "C=DE, ST=city, L=city, O=mycompany, OU=IPFire, CN=mycompanyCA, E=noone at example.com"
>>> charon: 16[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (549 bytes)
>>> charon: 12[NET] sending packet: from #external IP#[500] to 192.168.120.24[500]
>>> charon: 16[MGR] checkin IKE_SA (unnamed)[5]
>>> charon: 16[MGR] check-in of IKE_SA successful.
>>> charon: 06[NET] received packet: from 192.168.120.24[500] to #external IP#[500]
>>> charon: 06[NET] waiting for data on sockets
>>> charon: 08[MGR] checkout IKE_SA by message
>>> charon: 08[MGR] IKE_SA (unnamed)[5] successfully checked out
>>> charon: 08[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (1292 bytes)
>>> charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"
>>> charon: 08[CFG] looking for RSA signature peer configs matching #external IP#...192.168.120.24
>>> charon: 08[IKE] no peer config found
>>> charon: 08[NET] sending packet: from #external IP#[500] to 192.168.120.24[500] (92 bytes)
>>> charon: 08[MGR] checkin and destroy IKE_SA (unnamed)[5]
>>> charon: 08[MGR] check-in and destroy of IKE_SA successful
>>>
>>>
>>> I already did a search, but couldn't find the right answers to my problem.
>>> As far as I understand this error, it seems to me that the certificate is
>>> missing on the server, but I have created it there via IPFire. That client
>>> cert was then imported into the local computer store according to
>>> http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs .
>>>
>>> I get the same error message trying this with TheGreenBow client or an
>>> iPhone. My computer is on the same subnet it shall connect to via VPN, but
>>> I guess that shouldn't be a problem for now. Also, the iPhone is not using
>>> the LAN, but still has the same problem.
>>>
>>>
>>> # cat /etc/ipsec.conf
>>> version 2
>>>
>>> config setup
>>>          charondebug="dmn 2, mgr 2, ike 1, chd 2, job 2, cfg 1, knl 2, net 2, asn 1, enc 0, lib 1, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2"
>>>
>>> conn %default
>>>          keyingtries=%forever
>>>
>>> include /etc/ipsec.user.conf
>>>
>>> conn JonDoe
>>>          left=#external IP#
>>>          leftsubnet=192.168.120.0/24
>>>          leftfirewall=yes
>>>          lefthostaccess=yes
>>>          right=%any
>>>          rightsubnet=vhost:%no,%priv
>>>          leftcert=/var/ipfire/certs/hostcert.pem
>>>          rightcert=/var/ipfire/certs/JonDoecert.pem
>>>
>>>  ike=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp8192,aes256-sha-modp6144,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp8192,aes192-sha-modp6144,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_256-modp4096,a
>>>
>>> es128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp8192,aes128-sha-modp6144,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha-modp8192,3des-sha-modp6144,3des-sha-modp4096,3des-sha-modp3072,3des-sha-modp2048,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
>>>
>>>  esp=aes256-sha2_256-modp8192,aes256-sha2_256-modp6144,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp8192,aes256-sha1-modp6144,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-md5-modp8192,aes256-md5-modp6144,aes256-md5-modp4096,aes256-md5-modp3072,aes256-md5-modp2048,aes256-md5-modp1536,aes256-md5-modp1024,aes192-sha2_256-modp8192,aes192-sha2_256-modp6144,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp8192,aes192-sha1-modp6144,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes192-md5-modp8192,aes192-md5-modp6144,aes192-md5-modp4096,aes192-md5-modp3072,aes192-md5-modp2048,aes192-md5-modp1536,aes192-md5-modp1024,aes128-sha2_256-modp8192,aes128-sha2_256-modp6144,aes128-sha2_
>>>
>>> 256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp8192,aes128-sha1-modp6144,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp8192,aes128-md5-modp6144,aes128-md5-modp4096,aes128-md5-modp3072,aes128-md5-modp2048,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha2_256-modp8192,3des-sha2_256-modp6144,3des-sha2_256-modp4096,3des-sha2_256-modp3072,3des-sha2_256-modp2048,3des-sha2_256-modp1536,3des-sha2_256-modp1024,3des-sha1-modp8192,3des-sha1-modp6144,3des-sha1-modp4096,3des-sha1-modp3072,3des-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp8192,3des-md5-modp6144,3des-md5-modp4096,3des-md5-modp3072,3des-md5-modp2048,3des-md5-modp1536,3des-md5-modp1024
>>>          keyexchange=ikev1
>>>          ikelifetime=1h
>>>          keylife=8h
>>>          compress=yes
>>>          dpddelay=30
>>>          dpdtimeout=120
>>>          dpdaction=clear
>>>          authby=rsasig
>>>          leftrsasigkey=%cert
>>>          rightrsasigkey=%cert
>>>          auto=add
>>>          rightsourceip=
>>>
>>>
>>> # ll /var/ipfire/certs/hostcert.pem
>>> -rw-r--r-- 1 nobody nobody 1639 2013-02-25 16:19 /var/ipfire/certs/hostcert.pem
>>>
>>> ~# ll /var/ipfire/certs/JonDoecert.pem
>>> -rw-r--r-- 1 nobody nobody 1533 2013-02-25 16:20 /var/ipfire/certs/JonDoecert.pem
>>>
>>>
>>> What is the cause of this error message?
>>>
>>>
>>> Lars
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>
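
Added example (not part of the original thread and not strongSwan code): a small Python triage of the charon lines quoted above. It pairs each "no peer config found" with the peer certificate subject and the address pair charon was matching, which are the values to hold against leftid/rightid in the conn. Grouping by the two-digit worker number and the optional trailing `[id]` are assumptions about the log format; the sample lines are the thread's own, with mail line wraps undone.

```python
import re

# The thread's own charon lines (mail line wraps undone), used as sample input.
SAMPLE_LOG = """\
charon: 16[IKE] sending cert request for "C=DE, ST=city, L=city, O=mycompany, OU=IPFire, CN=mycompanyCA, E=noone at example.com"
charon: 08[NET] received packet: from 192.168.120.24[500] to #external IP#[500] (1292 bytes)
charon: 08[IKE] received end entity cert "C=DE, ST=city, O=mycompany, OU=IPFire, CN=JonDoe"
charon: 08[CFG] looking for RSA signature peer configs matching #external IP#...192.168.120.24
charon: 08[IKE] no peer config found
charon: 08[MGR] checkin and destroy IKE_SA (unnamed)[5]
"""

LINE = re.compile(r"charon: (\d+)\[(\w+)\] (.*)")
CERT = re.compile(r'received end entity cert "(.+)"')
# Assumption: some logs append the peer's IKE ID as "[id]"; the thread's log has none.
LOOKUP = re.compile(
    r"looking for (.+) peer configs matching (.+?)\.\.\.(.+?)(?:\[(.*)\])?$")


def failed_lookups(log_text):
    """Return one record per 'no peer config found' with what charon tried to match."""
    per_worker, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a charon line
        worker, msg = m.group(1), m.group(3).strip()
        ctx = per_worker.setdefault(worker, {})
        if c := CERT.search(msg):
            ctx["peer_cert_subject"] = c.group(1)
        elif l := LOOKUP.search(msg):
            ctx.update(auth=l.group(1), local=l.group(2),
                       remote=l.group(3), peer_id=l.group(4))
        elif msg == "no peer config found":
            failures.append(dict(ctx, worker=worker))
            per_worker.pop(worker, None)  # start fresh for the next exchange
    return failures


if __name__ == "__main__":
    for f in failed_lookups(SAMPLE_LOG):
        print("no peer config found:")
        for key in ("auth", "local", "remote", "peer_id", "peer_cert_subject"):
            print(f"  {key:18} {f.get(key)}")
```

Following Justin's reply, `peer_cert_subject` (or a subjectAltName of that certificate) is what to compare with the rightid of the conn that was expected to match.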



