[strongSwan] Configure RoadWarrior

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 26 20:39:47 CET 2013


Hi Diego,

either the IKE identity "diego at ipsec.org" must be contained as a
subjectAltName in the client certificate or the IKE identity must be
"C=UK, ST=Beds, L=Luton, O=Beds, OU=IT, CN=client, N=IPSec,
E=root at ipsec.com".

Regards

Andreas

 On 03/26/2013 06:39 PM, carachi diego wrote:
> Hello,
> I am trying to configure a roadwarrior system between Linux Debian and
> Windows XP.
> 
> I configured the gateway like in the example but it gives me this error:
> 
> Mar 26 14:06:51 debian charon: 12[IKE] no trusted RSA public key found
> for 'diego at ipsec.org'
> Mar 26 14:06:51 debian charon: 12[CFG] no alternative config found
> Mar 26 14:06:51 debian charon: 12[ENC] generating INFORMATIONAL_V1
> request 2480925513 [ HASH N(AUTH_FAILED) ]
> 
> How can I solve it?
> Thank you very much.
> 
> 
> 
> LOG FILE
> 
> Mar 26 14:06:40 debian charon: 00[DMN] signal of type SIGINT received.
> Shutting down
> Mar 26 14:06:43 debian charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.0.2, Linux 2.6.32-5-amd64, x86_64)
> Mar 26 14:06:43 debian charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Mar 26 14:06:43 debian charon: 00[CFG]   loaded ca certificate "C=UK,
> ST=Beds, L=Luton, O=Beds, OU=IT, CN=Beds CA, N=IPSec, E=root at ipsec.com"
> from '/etc/ipsec.d/cacerts/ca.crt'
> Mar 26 14:06:43 debian charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Mar 26 14:06:43 debian charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Mar 26 14:06:43 debian charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Mar 26 14:06:43 debian charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Mar 26 14:06:43 debian charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Mar 26 14:06:43 debian charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/gateway.key'
> Mar 26 14:06:43 debian charon: 00[DMN] loaded plugins: charon curl
> test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509
> revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink
> socket-default updown
> Mar 26 14:06:43 debian charon: 00[JOB] spawning 16 worker threads
> Mar 26 14:06:43 debian charon: 08[CFG] received stroke: add connection 'rw'
> Mar 26 14:06:43 debian charon: 08[CFG]   loaded certificate "C=UK,
> ST=Beds, L=Luton, O=Beds, OU=IT, CN=gateway, N=IPSec, E=root at ipsec.com"
> from 'gateway.crt'
> Mar 26 14:06:43 debian charon: 08[CFG]   id 'gw.ipsec.com' not confirmed
> by certificate, defaulting to
> 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT, CN=gateway, N=IPSec,
> E=root at ipsec.com'
> Mar 26 14:06:43 debian charon: 08[CFG] added configuration 'rw'
> Mar 26 14:06:51 debian charon: 10[NET] received packet: from
> 172.16.151.141[500] to 172.16.151.100[500] (3756 bytes)
> Mar 26 14:06:51 debian charon: 10[ENC] parsed ID_PROT request 0 [ SA V V
> V V V V V V V V V ]
> Mar 26 14:06:51 debian charon: 10[IKE] received
> draft-ietf-ipsec-nat-t-ike-00 vendor ID
> Mar 26 14:06:51 debian charon: 10[ENC] received unknown vendor ID:
> 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
> Mar 26 14:06:51 debian charon: 10[IKE] received
> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Mar 26 14:06:51 debian charon: 10[IKE] received
> draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Mar 26 14:06:51 debian charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
> Mar 26 14:06:51 debian charon: 10[IKE] received FRAGMENTATION vendor ID
> Mar 26 14:06:51 debian charon: 10[IKE] received DPD vendor ID
> Mar 26 14:06:51 debian charon: 10[ENC] received unknown vendor ID:
> f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
> Mar 26 14:06:51 debian charon: 10[ENC] received unknown vendor ID:
> 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
> Mar 26 14:06:51 debian charon: 10[ENC] received unknown vendor ID:
> 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
> Mar 26 14:06:51 debian charon: 10[IKE] received Cisco Unity vendor ID
> Mar 26 14:06:51 debian charon: 10[IKE] 172.16.151.141 is initiating a
> Main Mode IKE_SA
> Mar 26 14:06:51 debian charon: 10[ENC] generating ID_PROT response 0 [
> SA V V V ]
> Mar 26 14:06:51 debian charon: 10[NET] sending packet: from
> 172.16.151.100[500] to 172.16.151.141[500] (140 bytes)
> Mar 26 14:06:51 debian charon: 11[NET] received packet: from
> 172.16.151.141[500] to 172.16.151.100[500] (365 bytes)
> Mar 26 14:06:51 debian charon: 11[ENC] parsed ID_PROT request 0 [ KE No
> CERTREQ NAT-D NAT-D ]
> Mar 26 14:06:51 debian charon: 11[IKE] ignoring certificate request
> without data
> Mar 26 14:06:51 debian charon: 11[IKE] sending cert request for "C=UK,
> ST=Beds, L=Luton, O=Beds, OU=IT, CN=Beds CA, N=IPSec, E=root at ipsec.com"
> Mar 26 14:06:51 debian charon: 11[ENC] generating ID_PROT response 0 [
> KE No CERTREQ NAT-D NAT-D ]
> Mar 26 14:06:51 debian charon: 11[NET] sending packet: from
> 172.16.151.100[500] to 172.16.151.141[500] (517 bytes)
> Mar 26 14:06:51 debian charon: 12[NET] received packet: from
> 172.16.151.141[500] to 172.16.151.100[500] (1564 bytes)
> Mar 26 14:06:51 debian charon: 12[ENC] parsed ID_PROT request 0 [ ID
> CERT SIG ]
> Mar 26 14:06:51 debian charon: 12[IKE] received end entity cert "C=UK,
> ST=Beds, L=Luton, O=Beds, OU=IT, CN=client, N=IPSec, E=root at ipsec.com"
> Mar 26 14:06:51 debian charon: 12[CFG] looking for RSA signature peer
> configs matching 172.16.151.100...172.16.151.141[diego at ipsec.org]
> Mar 26 14:06:51 debian charon: 12[CFG] selected peer config "rw"
> Mar 26 14:06:51 debian charon: 12[IKE] no trusted RSA public key found
> for 'diego at ipsec.org'
> Mar 26 14:06:51 debian charon: 12[CFG] no alternative config found
> Mar 26 14:06:51 debian charon: 12[ENC] generating INFORMATIONAL_V1
> request 2480925513 [ HASH N(AUTH_FAILED) ]
> Mar 26 14:06:51 debian charon: 12[NET] sending packet: from
> 172.16.151.100[500] to 172.16.151.141[500] (92 bytes)
> Mar 26 14:07:18 debian mpt-statusd: detected non-optimal RAID status
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
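
Added example (not part of the original thread and not strongSwan code): a small log triage script that pairs each "no trusted RSA public key found" failure with the certificate the peer presented and applies the rule from the reply above. The sample lines are constructed from the quoted log, unwrapped, with the archive's " at " written back as "@" (an assumption); the function names are hypothetical and the DN comparison is a simplification.

```python
import re

# Constructed sample: charon lines from this thread's log, unwrapped, with the
# archive's " at " restored to "@" (an assumption about the original text).
SAMPLE_LOG = """\
Mar 26 14:06:51 debian charon: 12[IKE] received end entity cert "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT, CN=client, N=IPSec, E=root@ipsec.com"
Mar 26 14:06:51 debian charon: 12[CFG] looking for RSA signature peer configs matching 172.16.151.100...172.16.151.141[diego@ipsec.org]
Mar 26 14:06:51 debian charon: 12[CFG] selected peer config "rw"
Mar 26 14:06:51 debian charon: 12[IKE] no trusted RSA public key found for 'diego@ipsec.org'
"""

CERT_RE = re.compile(r'received end entity cert "([^"]+)"')
FAIL_RE = re.compile(r"no trusted RSA public key found for '([^']+)'")

def normalize_dn(dn):
    """Split a DN into ordered (type, value) pairs; no escaped-comma handling."""
    rdns = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def id_confirmed(ike_id, subject_dn, sans):
    """Rule from the reply: the ID is a subjectAltName or is the subject DN."""
    if ike_id in sans:
        return True
    return normalize_dn(ike_id) == normalize_dn(subject_dn)

def diagnose(log):
    """Pair each authentication failure with the last certificate received."""
    findings, last_cert = [], None
    for line in log.splitlines():
        m = CERT_RE.search(line)
        if m:
            last_cert = m.group(1)
            continue
        m = FAIL_RE.search(line)
        if m and last_cert:
            ike_id = m.group(1)
            findings.append({
                "ike_id": ike_id,
                "cert_subject": last_cert,
                # SANs are not logged, so only the DN half can be checked here.
                "id_is_subject_dn": id_confirmed(ike_id, last_cert, sans=[]),
            })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

When `id_is_subject_dn` is false, the remaining explanation is a missing subjectAltName, which has to be checked on the client certificate itself because charon does not log the SAN list here.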
