[strongSwan] Config IKE

Noel Kuntze noel at familie-kuntze.de
Sat Nov 9 23:41:00 CET 2013


Hello Huang,

That error means that charon can't find a configuration that matches the information the other peer sent it (cipher proposal, ID, sender IP address, authentication mode).
Take a look at the other peer's configuration and find out with what settings it tries to connect to strongSwan.
Increasing the log's verbosity on charon's side might help, if the documentation of SOPHOS UTM isn't clear about this.

Regards
Noel Kuntze

On 09.11.2013 15:21, Huang, Zhenxing wrote:
>
> Hi, super,
>
> We are preparing to use SOPHOS UTM and CentOS to build a net2net VPN network.
>
> For testing, we have two UTMs (b.company.cn, c.company.cn), one CentOS (a.company) and one Windows.
>
> We use the Windows machine as a certifying authority and issue certs for them:
>
> a.company.cn.cer, b.company.cn.cer, c.company.cn, and export a CA: ca.pfx
>
> - use openssl to convert a/b/c.company.cn.cer to a/b/c.pem
>
> We upload the ca.pfx to b.company.cn and c.company.cn under Site-to-site VPN -> Certificate management -> Certifying authority,
> upload the b.pem to c.company.cn under Site-to-site VPN -> Certificate management -> Certificate,
> upload the c.pem to b.company.cn under Site-to-site VPN -> Certificate management -> Certificate,
>
> - and set up an IPsec VPN connection. The remote gateway authentication type is local X.509 certificate and the certificate is a PEM certificate; b.company.cn sets certificate c.pem, c.company.cn sets certificate b.pem, and the connection is established.
>
> NOW, we set up strongSwan on CentOS.
>
> We copied the pem and ca.pfx to the computer, but we received an error from log/messages:
>
> Nov  9 22:16:03 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 2.6.32-358.el6.x86_64, x86_64)
> Nov  9 22:16:03 gateway charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Nov  9 22:16:03 gateway charon: 00[CFG]   loaded ca certificate "CN=IPSecVPN-CA" from '/usr/local/etc/ipsec.d/cacerts/ca.pem'
> Nov  9 22:16:03 gateway charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Nov  9 22:16:03 gateway charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Nov  9 22:16:03 gateway charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Nov  9 22:16:03 gateway charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Nov  9 22:16:03 gateway charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Nov  9 22:16:03 gateway charon: 00[CFG]   loaded ca certificate "CN=IPSecVPN-CA" from '/usr/local/etc/ipsec.d/private/ca.pfx'
> Nov  9 22:16:03 gateway charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/ca.pfx'
> Nov  9 22:16:03 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
> Nov  9 22:16:03 gateway charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-radius eap-peap xauth-generic
> Nov  9 22:16:03 gateway charon: 00[LIB] unable to load 8 plugin features (8 due to unmet dependencies)
> Nov  9 22:16:03 gateway charon: 00[JOB] spawning 16 worker threads
> Nov  9 22:16:03 gateway charon: 05[CFG] received stroke: add ca 'addca'
> Nov  9 22:16:03 gateway charon: 05[CFG]   loaded ca certificate "CN=IPSecVPN-CA" from 'ca.pem'
> Nov  9 22:16:03 gateway charon: 05[CFG] added ca 'addca'
> Nov  9 22:16:03 gateway charon: 07[CFG] received stroke: add connection 'net-net'
> Nov  9 22:16:03 gateway charon: 07[CFG]   loaded certificate "C=cn, O=gw-c, CN=gw-c.eco-schulte.cn" from 'gw-c.pem'
> Nov  9 22:16:03 gateway charon: 07[CFG]   id 'gw-a.eco-schulte.cn' not confirmed by certificate, defaulting to 'C=cn, O=gw-c, CN=gw-c.eco-schulte.cn'
> Nov  9 22:16:03 gateway charon: 07[CFG] added configuration 'net-net'
> Nov  9 22:16:03 gateway charon: 09[CFG] received stroke: add connection 'xl2tp'
> Nov  9 22:16:03 gateway charon: 09[CFG] added configuration 'xl2tp'
> Nov  9 22:16:15 gateway charon: 11[NET] received packet: from 59.37.27.178[500] to 59.37.27.180[500] (256 bytes)
> Nov  9 22:16:15 gateway charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
> Nov  9 22:16:15 gateway charon: 11[IKE] no IKE config found for 59.37.27.180...59.37.27.178, sending NO_PROPOSAL_CHOSEN
> Nov  9 22:16:15 gateway charon: 11[ENC] generating INFORMATIONAL_V1 request 3529918923 [ N(NO_PROP) ]
> Nov  9 22:16:15 gateway charon: 11[NET] sending packet: from 59.37.27.180[500] to 59.37.27.178[500] (40 bytes)
> Nov  9 22:16:55 gateway charon: 12[NET] received packet: from 59.37.27.178[500] to 59.37.27.180[500] (256 bytes)
> Nov  9 22:16:55 gateway charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
> Nov  9 22:16:55 gateway charon: 12[IKE] no IKE config found for 59.37.27.180...59.37.27.178, sending NO_PROPOSAL_CHOSEN
> Nov  9 22:16:55 gateway charon: 12[ENC] generating INFORMATIONAL_V1 request 3127351181 [ N(NO_PROP) ]
> Nov  9 22:16:55 gateway charon: 12[NET] sending packet: from 59.37.27.180[500] to 59.37.27.178[500] (40 bytes)
>
> What are we doing wrong? Thanks a lot!!
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
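As an added illustration of the lookup Noel describes (this is example code written for this page, not strongSwan's own matching logic, which is more detailed and matches in a different order), the script below models a daemon choosing a connection config for an incoming IKE request. Each candidate config is checked against the peer's address, the IKE version it speaks (the logged `ID_PROT` exchange is IKEv1 main mode), its cipher proposals, the authentication mode and, once known, its identity; when no config survives every check, the daemon has nothing to answer with and rejects the proposal, which is the situation in the log above. The `Conn` and `Request` classes, the field names, and all sample values other than the two addresses taken from the log are constructed assumptions.

```python
"""Simplified model of how an IKE responder selects a connection config.

Added example, not strongSwan code.  Each check mirrors one of the things a
responder must agree on with the peer: local/remote address, IKE version,
IKE cipher proposal, authentication mode and peer identity.  Hostnames in
left/right are not resolved here (simplification); use IP literals or CIDRs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Conn:
    """A connection config, loosely modelled on ipsec.conf 'conn' keywords (assumption)."""
    name: str
    left: str               # local address, or "%any"
    right: str              # remote address, "%any", or a CIDR
    keyexchange: str        # "ikev1", "ikev2" or "ike" (accept either)
    ike: List[str]          # acceptable IKE proposals, e.g. "aes256-sha1-modp1024"
    authby: str             # "pubkey" or "psk"
    rightid: str = "%any"   # expected peer identity, "%any" = don't care


@dataclass
class Request:
    """What the responder knows about the peer from its first message(s)."""
    src: str
    dst: str
    version: int            # 1 or 2
    proposals: List[str]
    authby: str
    peer_id: Optional[str] = None   # unknown until the ID payload arrives


def _addr_match(pattern: str, addr: str) -> bool:
    """True if an address pattern ('%any', CIDR, or literal) covers addr."""
    if pattern == "%any":
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern, strict=False)
    return ip_address(pattern) == ip_address(addr)


def check_conn(conn: Conn, req: Request) -> List[str]:
    """Return the list of mismatch reasons; an empty list means the config fits."""
    reasons = []
    if not _addr_match(conn.left, req.dst):
        reasons.append(f"left={conn.left} does not cover local address {req.dst}")
    if not _addr_match(conn.right, req.src):
        reasons.append(f"right={conn.right} does not cover peer address {req.src}")
    allowed = {"ikev1": {1}, "ikev2": {2}, "ike": {1, 2}}[conn.keyexchange]
    if req.version not in allowed:
        reasons.append(f"keyexchange={conn.keyexchange} but peer speaks IKEv{req.version}")
    if not set(conn.ike) & set(req.proposals):
        reasons.append(f"no common IKE proposal (local {conn.ike}, peer {req.proposals})")
    if conn.authby != req.authby:
        reasons.append(f"authby={conn.authby} but peer wants {req.authby}")
    if req.peer_id is not None and conn.rightid not in ("%any", req.peer_id):
        reasons.append(f"rightid={conn.rightid} but peer identifies as {req.peer_id}")
    return reasons


def find_ike_config(conns: List[Conn], req: Request) -> Optional[Conn]:
    """First config that passes every check, or None (the daemon then rejects)."""
    for conn in conns:
        if not check_conn(conn, req):
            return conn
    return None


def explain(conns: List[Conn], req: Request) -> Dict[str, List[str]]:
    """Per-config mismatch reasons, the kind of detail a verbose CFG/IKE log gives."""
    return {conn.name: check_conn(conn, req) for conn in conns}


# Addresses from the log; everything else below is constructed sample data.
LOCAL, PEER = "59.37.27.180", "59.37.27.178"

# An IKEv1 main-mode request (ID_PROT) with certificate authentication.
REQUEST = Request(src=PEER, dst=LOCAL, version=1,
                  proposals=["aes256-sha1-modp1024", "3des-sha1-modp1024"],
                  authby="pubkey")

# Constructed: 'net-net' only accepts IKEv2, so nothing fits an IKEv1 peer;
# 'xl2tp' accepts anyone over IKEv1 but expects a PSK, not a certificate.
CONNS_BROKEN = [
    Conn("net-net", LOCAL, PEER, "ikev2", ["aes256-sha1-modp1024"], "pubkey"),
    Conn("xl2tp", LOCAL, "%any", "ikev1", ["aes256-sha1-modp1024"], "psk"),
]

# Constructed: same set with 'net-net' accepting the peer's IKE version.
CONNS_FIXED = [
    Conn("net-net", LOCAL, PEER, "ikev1", ["aes256-sha1-modp1024"], "pubkey"),
    Conn("xl2tp", LOCAL, "%any", "ikev1", ["aes256-sha1-modp1024"], "psk"),
]

if __name__ == "__main__":
    for label, conns in (("broken", CONNS_BROKEN), ("fixed", CONNS_FIXED)):
        chosen = find_ike_config(conns, REQUEST)
        print(label, "->", chosen.name if chosen else "no IKE config found")
        for name, reasons in explain(conns, REQUEST).items():
            print("  ", name, ":", reasons or "match")
```

The `explain` output is the information the daemon's log does not print at default verbosity: which candidate was considered and which of the five criteria ruled it out. In strongSwan that extra detail comes from raising the `cfg` and `ike` log levels (for example via `charondebug` in the `config setup` section of ipsec.conf), which is the step Noel suggests.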
