[strongSwan] AUTH_FAILED and "no matching peer config found" errors
Frederik Freg
frreggy.fh at gmail.com
Sun Jul 6 11:34:31 CEST 2014
I'm trying to create a roadwarrior set-up with Strongswan 5.1.3
on Debian. The goal is that roadwarriors (also when behind NAT)
can connect from everywhere to the VPN server, and all their
Internet traffic is routed through the VPN server. As there is
actually only one single VPN client, I would like to use PSK.
On my server, I have set this in ipsec.conf:
config setup
    uniqueids = yes
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    leftauth=psk
    rightauth=psk

conn roadwarrior
    left=[PUBLIC IP ADDRESS]
    leftsubnet=0.0.0.0/24
    leftfirewall=yes
    right=%any
    rightsourceip=192.168.36.0/24
    auto=add
On the roadwarrior VPN client, the ipsec.conf looks like this:
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn vpn
    left=%any
    leftsourceip=%config
    leftfirewall=yes
    right=artipc10.vub.ac.be
    rightsubnet=192.168.36.0/24
    auto=add
/etc/ipsec.secrets on both the VPN server and the roadwarrior system
looks like this:
%any : PSK "MyPSK"
Running "ipsec up vpn" on the roadwarrior system gives this output:
initiating IKE_SA vpn[6] to [PUBLIC IP]
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.5.128[500] to [PUBLIC IP][500] (684 bytes)
received packet: from [PUBLIC IP][500] to 192.168.5.128[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
no IDi configured, fall back on IP address
authentication of '192.168.5.128' (myself) with pre-shared key
establishing CHILD_SA vpn
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.5.128[4500] to [PUBLIC IP][4500] (444 bytes)
received packet: from [PUBLIC IP][4500] to 192.168.5.128[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'vpn' failed
This is what is logged on the VPN server after starting ipsec and trying
to establish the connection from the roadwarrior:
Jul 6 11:15:03 vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.12-1-amd64, x86_64)
Jul 6 11:15:03 vpn charon: 00[CFG] loaded legacy entry attribute INTERNAL_IP4_DNS: 86:b8:1a:44
Jul 6 11:15:03 vpn charon: 00[LIB] enabled RNG_TRUE[random]: skipping test (disabled by config)
Jul 6 11:15:03 vpn charon: 00[LIB] enabled RNG_STRONG[random]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA1[sha1]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled RNG_STRONG[default]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled AES_CBC[aes]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled AES_CBC[aes]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled AES_CBC[aes]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled RC2_CBC[rc2]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_KEYED_SHA1[sha1]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA224[sha2]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA256[sha2]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA384[sha2]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA512[sha2]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_MD5[md5]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_FIPS_SHA1_160[fips-prf]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_AES128_XCBC[xcbc]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled AES_XCBC_96[xcbc]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_HMAC_SHA1[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_HMAC_MD5[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_HMAC_SHA2_256[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_HMAC_SHA2_384[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled PRF_HMAC_SHA2_512[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA1_96[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA1_128[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA1_160[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_MD5_96[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_MD5_128[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA2_256_128[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA2_256_256[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA2_384_192[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA2_384_384[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA2_512_256[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HMAC_SHA2_512_512[hmac]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[CFG] loaded ca certificate "C=BE, O=fred, CN=vpn root ca" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Jul 6 11:15:03 vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 6 11:15:03 vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 6 11:15:03 vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 6 11:15:03 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 6 11:15:03 vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 6 11:15:03 vpn charon: 00[CFG] loaded IKE secret for %any
Jul 6 11:15:03 vpn charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled RNG_WEAK[default]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:03 vpn charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Jul 6 11:15:03 vpn charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
Jul 6 11:15:03 vpn charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 6 11:15:03 vpn charon: 00[JOB] spawning 16 worker threads
Jul 6 11:15:03 vpn charon: 02[NET] waiting for data on sockets
Jul 6 11:15:03 vpn charon: 05[CFG] received stroke: add connection 'roadwarrior'
Jul 6 11:15:03 vpn charon: 05[CFG] conn roadwarrior
Jul 6 11:15:03 vpn charon: 05[CFG]   left=[PUBLIC IP]
Jul 6 11:15:03 vpn charon: 05[CFG]   leftsubnet=0.0.0.0/24
Jul 6 11:15:03 vpn charon: 05[CFG]   leftsourceip=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftdns=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftauth=psk
Jul 6 11:15:03 vpn charon: 05[CFG]   leftauth2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftid=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftid2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftrsakey=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftcert=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftcert2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftca=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftca2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftgroups=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftgroups2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   leftupdown=ipsec _updown iptables
Jul 6 11:15:03 vpn charon: 05[CFG]   right=%any
Jul 6 11:15:03 vpn charon: 05[CFG]   rightsubnet=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightsourceip=192.168.36.0/24
Jul 6 11:15:03 vpn charon: 05[CFG]   rightdns=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightauth=psk
Jul 6 11:15:03 vpn charon: 05[CFG]   rightauth2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightid=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightid2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightrsakey=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightcert=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightcert2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightca=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightca2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightgroups=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightgroups2=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   rightupdown=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   eap_identity=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   aaa_identity=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   xauth_identity=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
Jul 6 11:15:03 vpn charon: 05[CFG]   esp=aes128-sha1,3des-sha1
Jul 6 11:15:03 vpn charon: 05[CFG]   ah=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   dpddelay=30
Jul 6 11:15:03 vpn charon: 05[CFG]   dpdtimeout=150
Jul 6 11:15:03 vpn charon: 05[CFG]   dpdaction=0
Jul 6 11:15:03 vpn charon: 05[CFG]   closeaction=0
Jul 6 11:15:03 vpn charon: 05[CFG]   mediation=no
Jul 6 11:15:03 vpn charon: 05[CFG]   mediated_by=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   me_peerid=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   keyexchange=ikev2
Jul 6 11:15:03 vpn charon: 05[CFG] adding virtual IP address pool 192.168.36.0/24
Jul 6 11:15:03 vpn charon: 05[CFG] added configuration 'roadwarrior'
Jul 6 11:15:14 vpn charon: 02[NET] received packet: from 78.20.27.128[500] to [PUBLIC IP][500]
Jul 6 11:15:14 vpn charon: 02[NET] waiting for data on sockets
Jul 6 11:15:14 vpn charon: 07[NET] received packet: from 78.20.27.128[500] to [PUBLIC IP][500] (684 bytes)
Jul 6 11:15:14 vpn charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 6 11:15:14 vpn charon: 07[CFG] looking for an ike config for [PUBLIC IP]...78.20.27.128
Jul 6 11:15:14 vpn charon: 07[CFG] candidate: [PUBLIC IP]...%any, prio 1052
Jul 6 11:15:14 vpn charon: 07[CFG] found matching ike config: [PUBLIC IP]...%any with prio 1052
Jul 6 11:15:14 vpn charon: 07[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[IKE] 78.20.27.128 is initiating an IKE_SA
Jul 6 11:15:14 vpn charon: 07[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Jul 6 11:15:14 vpn charon: 07[LIB] enabled RNG_WEAK[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[CFG] selecting proposal:
Jul 6 11:15:14 vpn charon: 07[CFG] proposal matches
Jul 6 11:15:14 vpn charon: 07[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/MODP_1024_160/MODP_2048_224/MODP_2048_256
Jul 6 11:15:14 vpn charon: 07[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/MODP_1024_160/MODP_2048_224/MODP_2048_256
Jul 6 11:15:14 vpn charon: 07[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jul 6 11:15:14 vpn charon: 07[LIB] enabled RNG_STRONG[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[IKE] remote host is behind NAT
Jul 6 11:15:14 vpn charon: 07[LIB] enabled PRF_HMAC_SHA1[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled HMAC_SHA1_96[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled HMAC_SHA1_96[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled AES_CBC[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled AES_CBC[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled RNG_WEAK[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled RNG_WEAK[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[LIB] enabled HASH_SHA1[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 07[IKE] sending cert request for "C=COM, O=example, CN=vpn root ca"
Jul 6 11:15:14 vpn charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 6 11:15:14 vpn charon: 07[NET] sending packet: from [PUBLIC IP][500] to 78.20.27.128[500] (465 bytes)
Jul 6 11:15:14 vpn charon: 03[NET] sending packet: from [PUBLIC IP][500] to 78.20.27.128[500]
Jul 6 11:15:14 vpn charon: 02[NET] received packet: from 78.20.27.128[4500] to [PUBLIC IP][4500]
Jul 6 11:15:14 vpn charon: 02[NET] waiting for data on sockets
Jul 6 11:15:14 vpn charon: 08[NET] received packet: from 78.20.27.128[4500] to [PUBLIC IP][4500] (444 bytes)
Jul 6 11:15:14 vpn charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 6 11:15:14 vpn charon: 08[CFG] looking for peer configs matching [PUBLIC IP][vpn.example.com]...78.20.27.128[192.168.5.128]
Jul 6 11:15:14 vpn charon: 08[CFG] no matching peer config found
Jul 6 11:15:14 vpn charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 6 11:15:14 vpn charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Jul 6 11:15:14 vpn charon: 08[IKE] peer supports MOBIKE
Jul 6 11:15:14 vpn charon: 08[IKE] got additional MOBIKE peer address: 192.168.122.1
Jul 6 11:15:14 vpn charon: 08[IKE] got additional MOBIKE peer address: 2a02:1812:1284:d900:2677:3ff:fef0:1664
Jul 6 11:15:14 vpn charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 6 11:15:14 vpn charon: 08[LIB] enabled RNG_WEAK[default]: no test vectors found
Jul 6 11:15:14 vpn charon: 08[NET] sending packet: from [PUBLIC IP][4500] to 78.20.27.128[4500] (76 bytes)
Jul 6 11:15:14 vpn charon: 08[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Jul 6 11:15:14 vpn charon: 03[NET] sending packet: from [PUBLIC IP][4500] to 78.20.27.128[4500]
What could be the problem here?
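Editor's note (added example, not part of the original post and not strongSwan's own code): the decisive line in the server log above is "looking for peer configs matching [PUBLIC IP][vpn.example.com]...78.20.27.128[192.168.5.128]", whose format is me[IDr]...other[IDi]. charon selects the peer config before it touches the PSK, and for that selection the IDr the client sent must match the server's own identity. The server has no leftid and no certificate, so it identifies itself by its left address, while the client derived its IDr from the hostname in right=. The script below automates that reading of the log: it parses the stroke config dump and the peer-config line, derives the identity each side will be matched on, and flags a mismatch. The sample log lines are constructed from this post with the [PUBLIC IP] placeholder replaced by an RFC 5737 documentation address; the identity comparison is a simplification (exact string match after stripping the leading "@" marker) of charon's type-aware matching, and the connection names, regexes and function names are this example's own.

```python
"""Triage helper for strongSwan "no matching peer config found" failures.

Added example (not from the original post or the strongSwan project): parse
charon's stroke config dump plus the "looking for peer configs matching
me[IDr]...other[IDi]" line and report identities that cannot match.
"""
from __future__ import annotations

import re

# Constructed sample drawn from the post's server log; [PUBLIC IP] replaced
# with an RFC 5737 documentation address so the lines parse. Indentation of
# the config dump is irrelevant to the parser (e-mail clients strip it).
SAMPLE_LOG = """\
Jul 6 11:15:03 vpn charon: 05[CFG] conn roadwarrior
Jul 6 11:15:03 vpn charon: 05[CFG]   left=198.51.100.10
Jul 6 11:15:03 vpn charon: 05[CFG]   leftid=(null)
Jul 6 11:15:03 vpn charon: 05[CFG]   right=%any
Jul 6 11:15:03 vpn charon: 05[CFG]   rightid=(null)
Jul 6 11:15:14 vpn charon: 08[CFG] looking for peer configs matching 198.51.100.10[vpn.example.com]...78.20.27.128[192.168.5.128]
Jul 6 11:15:14 vpn charon: 08[CFG] no matching peer config found
"""

CONN_RE = re.compile(r"\[CFG\] conn (\S+)\s*$")
KV_RE = re.compile(r"\[CFG\]\s+(leftid|left|rightid|right)=(.*?)\s*$")
PEER_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>[^\s\[]+)\[(?P<idr>[^\]]+)\]\.\.\.(?P<other>[^\s\[]+)\[(?P<idi>[^\]]+)\]"
)


def parse_conns(log: str) -> dict[str, dict[str, str | None]]:
    """Collect left/leftid/right/rightid per connection from the stroke dump."""
    conns: dict[str, dict[str, str | None]] = {}
    current: str | None = None
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = KV_RE.search(line)
        if m and current is not None:
            key, val = m.groups()
            conns[current][key] = None if val == "(null)" else val
    return conns


def effective_id(conn: dict[str, str | None], side: str) -> str:
    """Identity charon uses for a side when <side>id is unset: the address
    (or %any). Certificate-derived defaults are out of scope here."""
    return conn.get(f"{side}id") or conn.get(side) or "%any"


def ids_match(configured: str, received: str) -> bool:
    """Simplified identity comparison: '%any' matches anything; a leading '@'
    only marks an FQDN/keyid in ipsec.conf; otherwise exact string equality."""
    if configured == "%any":
        return True
    return configured.lstrip("@") == received


def diagnose(log: str) -> list[str]:
    """One finding per connection whose identities cannot match the IDr/IDi
    pair charon logged while looking for a peer config."""
    conns = parse_conns(log)
    findings: list[str] = []
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        idr, idi = m.group("idr"), m.group("idi")
        for name, conn in conns.items():
            local = effective_id(conn, "left")
            remote = effective_id(conn, "right")
            if not ids_match(local, idr):
                findings.append(
                    f"{name}: peer sent IDr '{idr}' but our identity is '{local}'; "
                    f"set leftid=@{idr} on the server or rightid={local} on the client"
                )
            if not ids_match(remote, idi):
                findings.append(
                    f"{name}: peer sent IDi '{idi}' but rightid is '{remote}'"
                )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG) or ["no identity mismatch found"]:
        print(finding)
```

On this post's log the script reports that the client sent an FQDN IDr while the server, lacking a leftid, expects to be addressed by its IP; either side can be aligned, but whichever identity is chosen must also be usable as the selector in ipsec.secrets if the PSK is later restricted from %any to a specific pair. The wrong leftsubnet=0.0.0.0/24 (a /0 is needed to route all client traffic) is a separate problem that this check does not cover, because it does not affect peer-config selection.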