[strongSwan] Config IKE
Huang, Zhenxing
huang.zhenxing at eco-schulte.cn
Sat Nov 9 15:21:28 CET 2013
Hi, super,
We are preparing to use Sophos UTM and CentOS to build a net2net VPN network.
For testing, we have two UTMs (b.company.cn, c.company.cn), one CentOS box (a.company) and one Windows box.
We use the Windows box as a certifying authority and issue certs for them:
a.company.cn.cer, b.company.cn.cer, c.company.cn, and export a CA: ca.pfx
- use openssl to convert a/b/c.company.cn.cer to a/b/c.pem
We upload the ca.pfx to b.company.cn and c.company.cn under Site-to-site VPN -> Certificate management -> Certificate authority,
upload the b.pem to c.company.cn under Site-to-site VPN -> Certificate management -> Certificate,
upload the c.pem to b.company.cn under Site-to-site VPN -> Certificate management -> Certificate,
- and set up an IPsec VPN connection. The remote gateway authentication type is "local X.509 certificate" and the certificate is the PEM certificate; b.company.cn sets the certificate to c.pem, c.company.cn sets the certificate to b.pem, and the connection is established.
NOW we are setting up strongSwan on CentOS.
We copied the pem files and ca.pfx to the computer, but we received an error in /var/log/messages:
Nov 9 22:16:03 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 2.6.32-358.el6.x86_64, x86_64)
Nov 9 22:16:03 gateway charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 9 22:16:03 gateway charon: 00[CFG] loaded ca certificate "CN=IPSecVPN-CA" from '/usr/local/etc/ipsec.d/cacerts/ca.pem'
Nov 9 22:16:03 gateway charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 9 22:16:03 gateway charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 9 22:16:03 gateway charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 9 22:16:03 gateway charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 9 22:16:03 gateway charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Nov 9 22:16:03 gateway charon: 00[CFG] loaded ca certificate "CN=IPSecVPN-CA" from '/usr/local/etc/ipsec.d/private/ca.pfx'
Nov 9 22:16:03 gateway charon: 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/ca.pfx'
Nov 9 22:16:03 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 9 22:16:03 gateway charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-radius eap-peap xauth-generic
Nov 9 22:16:03 gateway charon: 00[LIB] unable to load 8 plugin features (8 due to unmet dependencies)
Nov 9 22:16:03 gateway charon: 00[JOB] spawning 16 worker threads
Nov 9 22:16:03 gateway charon: 05[CFG] received stroke: add ca 'addca'
Nov 9 22:16:03 gateway charon: 05[CFG] loaded ca certificate "CN=IPSecVPN-CA" from 'ca.pem'
Nov 9 22:16:03 gateway charon: 05[CFG] added ca 'addca'
Nov 9 22:16:03 gateway charon: 07[CFG] received stroke: add connection 'net-net'
Nov 9 22:16:03 gateway charon: 07[CFG] loaded certificate "C=cn, O=gw-c, CN=gw-c.eco-schulte.cn" from 'gw-c.pem'
Nov 9 22:16:03 gateway charon: 07[CFG] id 'gw-a.eco-schulte.cn' not confirmed by certificate, defaulting to 'C=cn, O=gw-c, CN=gw-c.eco-schulte.cn'
Nov 9 22:16:03 gateway charon: 07[CFG] added configuration 'net-net'
Nov 9 22:16:03 gateway charon: 09[CFG] received stroke: add connection 'xl2tp'
Nov 9 22:16:03 gateway charon: 09[CFG] added configuration 'xl2tp'
Nov 9 22:16:15 gateway charon: 11[NET] received packet: from 59.37.27.178[500] to 59.37.27.180[500] (256 bytes)
Nov 9 22:16:15 gateway charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
Nov 9 22:16:15 gateway charon: 11[IKE] no IKE config found for 59.37.27.180...59.37.27.178, sending NO_PROPOSAL_CHOSEN
Nov 9 22:16:15 gateway charon: 11[ENC] generating INFORMATIONAL_V1 request 3529918923 [ N(NO_PROP) ]
Nov 9 22:16:15 gateway charon: 11[NET] sending packet: from 59.37.27.180[500] to 59.37.27.178[500] (40 bytes)
Nov 9 22:16:55 gateway charon: 12[NET] received packet: from 59.37.27.178[500] to 59.37.27.180[500] (256 bytes)
Nov 9 22:16:55 gateway charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
Nov 9 22:16:55 gateway charon: 12[IKE] no IKE config found for 59.37.27.180...59.37.27.178, sending NO_PROPOSAL_CHOSEN
Nov 9 22:16:55 gateway charon: 12[ENC] generating INFORMATIONAL_V1 request 3127351181 [ N(NO_PROP) ]
Nov 9 22:16:55 gateway charon: 12[NET] sending packet: from 59.37.27.180[500] to 59.37.27.178[500] (40 bytes)
Where are we going wrong? Thanks a lot!!
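For reference, an added configuration example that is not part of the original post and not the poster's own files. Two things in the log above are worth checking against it: charon reports "id 'gw-a.eco-schulte.cn' not confirmed by certificate, defaulting to 'C=cn, O=gw-c, CN=gw-c.eco-schulte.cn'" when the leftid of a conn is not found in the subject or subjectAltName of the certificate named by leftcert (here the loaded leftcert is gw-c.pem, i.e. the peer's certificate rather than this gateway's own), and it reports "no IKE config found for 59.37.27.180...59.37.27.178, sending NO_PROPOSAL_CHOSEN" when no conn's left/right addresses and IKE version match the incoming request (the peer sent ID_PROT, i.e. IKEv1 main mode). The example below assumes the CentOS gateway is gw-a at 59.37.27.180, the UTM peer is gw-c at 59.37.27.178 (the addresses in the log), a gw-a subject DN following the same pattern as gw-c's, the file names gw-a.pem / gw-a.key, and the subnets 10.0.1.0/24 and 10.0.2.0/24; all of these are assumptions. The gateway's own private key goes in ipsec.secrets; the CA's private key inside ca.pfx is not needed on a gateway at all, only the CA certificate in ipsec.d/cacerts.

```ini
# --- /usr/local/etc/ipsec.conf (added example; paths, DNs and subnets are assumptions) ---
config setup

conn %default
    keyexchange=ikev1          # peer sent ID_PROT -> IKEv1 main mode; ikev2 would not match
    authby=pubkey              # X.509 / RSA authentication

conn net-net
    left=59.37.27.180          # this gateway's own address (from the log)
    leftcert=gw-a.pem          # this gateway's OWN certificate in ipsec.d/certs, not the peer's gw-c.pem
    leftid="C=cn, O=gw-a, CN=gw-a.eco-schulte.cn"   # must appear in leftcert's subject or SAN (assumed DN)
    leftsubnet=10.0.1.0/24     # assumed local network
    right=59.37.27.178         # peer address (from the log); no matching right= -> "no IKE config found"
    rightid="C=cn, O=gw-c, CN=gw-c.eco-schulte.cn"  # DN as charon printed it for gw-c.pem
    rightsubnet=10.0.2.0/24    # assumed remote network
    auto=add                   # load and wait for the UTM to initiate; use auto=start to initiate from here

# --- /usr/local/etc/ipsec.secrets ---
# Gateway's own RSA key from ipsec.d/private; do NOT reference ca.pfx here.
: RSA gw-a.key
```

With this layout ca.pem stays in ipsec.d/cacerts, gw-a.pem in ipsec.d/certs, gw-a.key in ipsec.d/private, and the peer's certificate does not need to be installed on the CentOS side because it is sent during IKE and validated against the CA. After editing, `ipsec reload` followed by `ipsec statusall` shows whether the conn's leftid was accepted as-is (no "not confirmed by certificate" line) and whether charon now matches the peer's address.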