[strongSwan] Reply: Config IKE

Noel Kuntze noel at familie-kuntze.de
Sun Nov 10 14:09:37 CET 2013



Hello Huang,

Any settings regarding connections are done in ipsec.conf.
Take a look at the manpage for it (man ipsec.conf) and look for the "ike" statement.
To configure logging, see [1].

[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Regards
Noel Kuntze

On 10.11.2013 13:46, Huang, Zhenxing wrote:
> I'm so sorry,
> I'm referencing the page http://strongswan.org/testresults.html and other relevant pages; they do not have the configuration for ike,
>
> so I don't know which config file to configure it in.
>
> Thanks a lot!!
>
>
>
>
> -----Original Message-----
> From: Noel Kuntze [mailto:noel at familie-kuntze.de]
> Sent: November 10, 2013 6:41
> To: Huang, Zhenxing; users at lists.strongswan.org
> Subject: Re: [strongSwan] Config IKE
>
>
> Hello Huang,
>
> That error means that charon can't find a fitting configuration that matches the information the other peer sent it (cipher proposal, ID, sender IP address, authentication mode).
> Take a look at the other peer's configuration and find out with what settings it tries to connect to strongSwan.
> Increasing the log's verbosity on charon's side might help, if the documentation of SOPHOS UTM isn't clear about this.
>
> Regards
> Noel Kuntze
>
> On 09.11.2013 15:21, Huang, Zhenxing wrote:
>
> > Hi, super,
>
> > We are preparing to use SOPHOS UTM and CentOS to build a net2net VPN network.
>
> > For testing, we have two UTMs (b.company.cn, c.company.cn), one CentOS (a.company) and one Windows.
>
> > We use the Windows to act as a certifying authority, and issue certs for them:
>
> > a.company.cn.cer, b.company.cn.cer, c.company.cn, and export a CA: ca.pfx
>
> > · use openssl to convert a/b/c.company.cn.cer to a/b/c.pem
>
> > We uploaded the ca.pfx to b.company.cn and c.company.cn under site-to-site VPN -> Certificate management -> certifying authority
>
> >   uploaded the b.pem to c.company.cn under site-to-site VPN -> Certificate management -> Certificate
>
> >   uploaded the c.pem to b.company.cn under site-to-site VPN -> Certificate management -> Certificate
>
> > · and set up an IPsec VPN connection. The remote gateway authentication type is local x509 certificate and the certificate is the pem certificate; b.company.cn's certificate is set to c.pem, c.company.cn's certificate is set to b.pem, and the connection is established.
>
> > Now we are setting up strongSwan on CentOS.
>
> > We copied the pem and ca.pfx to the computer, but we received an error from log/messages:
>
>
>
> > Nov  9 22:16:03 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 2.6.32-358.el6.x86_64, x86_64)
>
> > Nov  9 22:16:03 gateway charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG]   loaded ca certificate "CN=IPSecVPN-CA" from '/usr/local/etc/ipsec.d/cacerts/ca.pem'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG]   loaded ca certificate "CN=IPSecVPN-CA" from '/usr/local/etc/ipsec.d/private/ca.pfx'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/ca.pfx'
>
> > Nov  9 22:16:03 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
>
> > Nov  9 22:16:03 gateway charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-radius eap-peap xauth-generic
>
> > Nov  9 22:16:03 gateway charon: 00[LIB] unable to load 8 plugin features (8 due to unmet dependencies)
>
> > Nov  9 22:16:03 gateway charon: 00[JOB] spawning 16 worker threads
>
> > Nov  9 22:16:03 gateway charon: 05[CFG] received stroke: add ca 'addca'
>
> > Nov  9 22:16:03 gateway charon: 05[CFG]   loaded ca certificate "CN=IPSecVPN-CA" from 'ca.pem'
>
> > Nov  9 22:16:03 gateway charon: 05[CFG] added ca 'addca'
>
> > Nov  9 22:16:03 gateway charon: 07[CFG] received stroke: add connection 'net-net'
>
> > Nov  9 22:16:03 gateway charon: 07[CFG]   loaded certificate "C=cn, O=gw-c, CN=gw-c.eco-schulte.cn" from 'gw-c.pem'
>
> > Nov  9 22:16:03 gateway charon: 07[CFG]   id 'gw-a.eco-schulte.cn' not confirmed by certificate, defaulting to 'C=cn, O=gw-c, CN=gw-c.eco-schulte.cn'
>
> > Nov  9 22:16:03 gateway charon: 07[CFG] added configuration 'net-net'
>
> > Nov  9 22:16:03 gateway charon: 09[CFG] received stroke: add connection 'xl2tp'
>
> > Nov  9 22:16:03 gateway charon: 09[CFG] added configuration 'xl2tp'
>
> > *Nov  9 22:16:15 gateway charon: 11[NET] received packet: from aa.bb.27.178[500] to aa.bb.27.180[500] (256 bytes)*
>
> > *Nov  9 22:16:15 gateway charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]*
>
> > *Nov  9 22:16:15 gateway charon: 11[IKE] no IKE config found for aa.bb.27.180...aa.bb.27.178, sending NO_PROPOSAL_CHOSEN*
>
> > *Nov  9 22:16:15 gateway charon: 11[ENC] generating INFORMATIONAL_V1 request 3529918923 [ N(NO_PROP) ]*
>
> > *Nov  9 22:16:15 gateway charon: 11[NET] sending packet: from aa.bb.27.180[500] to aa.bb.27.178[500] (40 bytes)*
>
> > *Nov  9 22:16:55 gateway charon: 12[NET] received packet: from aa.bb.27.178[500] to aa.bb.27.180[500] (256 bytes)*
>
> > *Nov  9 22:16:55 gateway charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]*
>
> > *Nov  9 22:16:55 gateway charon: 12[IKE] no IKE config found for aa.bb.27.180...aa.bb.27.178, sending NO_PROPOSAL_CHOSEN*
>
> > *Nov  9 22:16:55 gateway charon: 12[ENC] generating INFORMATIONAL_V1 request 3127351181 [ N(NO_PROP) ]*
>
> > *Nov  9 22:16:55 gateway charon: 12[NET] sending packet: from aa.bb.27.180[500] to aa.bb.27.178[500] (40 bytes)***
>
> > What are we not doing? Thanks a lot!!
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>

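The triage suggested in the thread, as an added example (not part of the original messages and not strongSwan code): it pairs each `no IKE config found` line with the request the same charon worker thread parsed, so you can see which local/remote address pair and exchange type the rejected peer used. The function name and the thread-id correlation are assumptions of this example; the sample lines are taken from the log quoted above.

```python
import re
from collections import Counter

# Six lines taken from the log quoted in the thread (addresses masked as posted).
SAMPLE_LOG = """\
Nov  9 22:16:15 gateway charon: 11[NET] received packet: from aa.bb.27.178[500] to aa.bb.27.180[500] (256 bytes)
Nov  9 22:16:15 gateway charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
Nov  9 22:16:15 gateway charon: 11[IKE] no IKE config found for aa.bb.27.180...aa.bb.27.178, sending NO_PROPOSAL_CHOSEN
Nov  9 22:16:55 gateway charon: 12[NET] received packet: from aa.bb.27.178[500] to aa.bb.27.180[500] (256 bytes)
Nov  9 22:16:55 gateway charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
Nov  9 22:16:55 gateway charon: 12[IKE] no IKE config found for aa.bb.27.180...aa.bb.27.178, sending NO_PROPOSAL_CHOSEN
"""

LINE = re.compile(r"charon: (\d+)\[([A-Z]{3})\] (.*)")
PARSED = re.compile(r"parsed (\S+) request")
NO_CFG = re.compile(r"no IKE config found for (\S+?)\.\.\.([^,\s]+)")

# Exchange names as charon logs them, mapped to the IKE version they imply.
IKE_VERSION = {
    "ID_PROT": "IKEv1 main mode",
    "AGGRESSIVE": "IKEv1 aggressive mode",
    "IKE_SA_INIT": "IKEv2",
}


def rejected_peers(log_text):
    """Return sorted (local, remote, ike_version, count) for each rejected initiator."""
    last_exchange = {}  # worker thread id -> exchange type it parsed most recently
    hits = Counter()
    for raw in log_text.splitlines():
        m = LINE.search(raw.strip("* \t"))  # tolerate the *...* emphasis in the mail
        if not m:
            continue
        thread, group, msg = m.groups()
        if group == "ENC" and (p := PARSED.search(msg)):
            last_exchange[thread] = p.group(1)
        elif group == "IKE" and (n := NO_CFG.search(msg)):
            exchange = last_exchange.get(thread, "unknown")
            version = IKE_VERSION.get(exchange, exchange)
            hits[(n.group(1), n.group(2), version)] += 1
    return sorted(key + (count,) for key, count in hits.items())


if __name__ == "__main__":
    for local, remote, version, count in rejected_peers(SAMPLE_LOG):
        print(f"{count}x no conn for local={local} remote={remote} ({version})")
```

The reported pair and exchange type are what the connection definition in ipsec.conf has to be compared against.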




