[strongSwan] Authentication FAILED

Hardik Gohil hardikgohil1988 at gmail.com
Thu Aug 6 04:29:41 CEST 2015


Hello,

I am using strongswan-5.3 to connect host-host

moon(192.168.82.99)<------------>sun(192.168.82.111)

error for this:

root@phyCORE-AM335x:~ ipsec up host-host
initiating IKE_SA host-host[1] to 192.168.82.111
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) ]
sending packet: from 192.168.82.99[500] to 192.168.82.111[500] (684 bytes)
received packet: from 192.168.82.111[500] to 192.168.82.99[500] (481 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(HASH_ALG) N(MULT_AUTH) ]
received 1 cert requests for an unknown ca
sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
authentication of 'C=CH, O=strongSwan, CN=moon.strongswan.org' (myself)
with RSA_EMSA_PKCS1_SHA256 successful
sending end entity cert "C=CH, O=strongSwan, CN=moon.strongswan.org"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH
SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.82.99[500] to 192.168.82.111[500] (1884 bytes)
received packet: from 192.168.82.111[500] to 192.168.82.99[500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'host-host' failed

log messages:
Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: Starting
strongSwan 5.3.2 IPsec [starter]...
Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: !! Your
strongswan.conf contains manual plugin load options for charon.
Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: !! This
is recommended for experts only, see
Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: !!
http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[DMN] Starting IKE
charon daemon (strongSwan 5.3.2, Linux 3.2.0-PD13.1.2, armv7l)
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] received netlink
error: Operation not supported (95)
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] unable to create
IPv4 routing table rule
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] received netlink
error: Operation not supported (95)
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] unable to create
IPv6 routing table rule
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading ca
certificates from '/etc/ipsec.d/cacerts'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG]   loaded ca
certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from
'/etc/ipsec.d/cacerts/strongswanCert.der'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading aa
certificates from '/etc/ipsec.d/aacerts'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading ocsp
signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading
attribute certificates from '/etc/ipsec.d/acerts'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading crls
from '/etc/ipsec.d/crls'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading secrets
from '/etc/ipsec.secrets'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG]   loaded RSA
private key from '/etc/ipsec.d/private/moonKey.der'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[LIB] loaded plugins:
charon aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac
xcbc stroke kernel-netlink socket-default updown attr
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[JOB] spawning 16
worker threads
Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1402]: charon
(1403) started after 100 ms
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] received stroke:
add connection 'host-host'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] left nor right
host is our side, assuming left=local
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG]   loaded
certificate "C=CH, O=strongSwan, CN=moon.strongswan.org" from 'moonCert.der'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG]   id '%any' not
confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=
moon.strongswan.org'
Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] added
configuration 'host-host'
Nov 22 07:50:14 phyCORE-AM335x daemon.info charon: 09[CFG] received stroke:
initiate 'host-host'
Nov 22 07:50:14 phyCORE-AM335x daemon.info charon: 02[IKE] initiating
IKE_SA host-host[1] to 192.168.82.111
Nov 22 07:50:14 phyCORE-AM335x authpriv.info charon: 02[IKE] initiating
IKE_SA host-host[1] to 192.168.82.111
Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 02[ENC] generating
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 02[NET] sending packet:
from 192.168.82.99[500] to 192.168.82.111[500] (684 bytes)
Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 11[NET] received packet:
from 192.168.82.111[500] to 192.168.82.99[500] (481 bytes)
Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 11[ENC] parsed
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(HASH_ALG) N(MULT_AUTH) ]
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] received 1 cert
requests for an unknown ca
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] sending cert
request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] authentication
of 'C=CH, O=strongSwan, CN=moon.strongswan.org' (myself) with
RSA_EMSA_PKCS1_SHA256 successful
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] sending end
entity cert "C=CH, O=strongSwan, CN=moon.strongswan.org"
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] establishing
CHILD_SA host-host
Nov 22 07:50:16 phyCORE-AM335x authpriv.info charon: 11[IKE] establishing
CHILD_SA host-host
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[ENC] generating
IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[NET] sending packet:
from 192.168.82.99[500] to 192.168.82.111[500] (1884 bytes)
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[NET] received packet:
from 192.168.82.111[500] to 192.168.82.99[500] (76 bytes)
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[ENC] parsed IKE_AUTH
response 1 [ N(AUTH_FAILED) ]
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[IKE] received
AUTHENTICATION_FAILED notify error
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[NET] received packet:
from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[ENC] parsed ID_PROT
request 0 [ SA V V V V V V V ]
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[IKE] no IKE config
found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[ENC] generating
INFORMATIONAL_V1 request 633227307 [ N(NO_PROP) ]
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[NET] sending packet:
from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)
Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[NET] received packet:
from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[ENC] parsed ID_PROT
request 0 [ SA V V V V V V V ]
Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[IKE] no IKE config
found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[ENC] generating
INFORMATIONAL_V1 request 2444041484 [ N(NO_PROP) ]
Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[NET] sending packet:
from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)
Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[NET] received packet:
from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[ENC] parsed ID_PROT
request 0 [ SA V V V V V V V ]
Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[IKE] no IKE config
found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[ENC] generating
INFORMATIONAL_V1 request 3535449560 [ N(NO_PROP) ]
Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[NET] sending packet:
from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)
Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[NET] received packet:
from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[ENC] parsed ID_PROT
request 0 [ SA V V V V V V V ]
Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[IKE] no IKE config
found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[ENC] generating
INFORMATIONAL_V1 request 1995267650 [ N(NO_PROP) ]
Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[NET] sending packet:
from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)


moon config:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2

conn host-host
    leftcert=moonCert.der
    right=192.168.82.111
    rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
    auto=add

root@phyCORE-AM335x:~ cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.der


Please help me.






Regards,
Hardik A Gohil
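
Added example, not part of the original post: a small Python triage pass over charon syslog lines in the format shown above. It rejoins entries that the mail archive wrapped and flags three of the messages seen in this log. The rule names and notes are assumptions of this example, and the sample lines are constructed from the message formats in the post.

```python
import re

# Constructed sample in the syslog format shown above; each entry is wrapped
# across two lines the way the mail archive wrapped the original log.
SAMPLE = """\
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] received 1 cert
requests for an unknown ca
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[IKE] received
AUTHENTICATION_FAILED notify error
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[IKE] no IKE config
found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
"""

HEADER = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ charon: \d+\[\w+\] (.*)$")

# (finding code, pattern, note). Notes say what the message means, not a root cause.
RULES = [
    ("UNKNOWN_CA_CERTREQ", re.compile(r"received (\d+) cert requests? for an unknown ca"),
     "peer requested a certificate from a CA that is not loaded locally"),
    ("AUTH_FAILED", re.compile(r"received AUTHENTICATION_FAILED notify error"),
     "peer rejected IKE_AUTH; the reason is in the peer's own log"),
    ("NO_IKE_CONFIG", re.compile(r"no IKE config found for \S+?\.\.\.(\S+),"),
     "IKE request from a host with no matching conn section"),
]

def unwrap(text):
    """Rejoin wrapped entries: a line without a syslog timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if HEADER.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return (timestamp, code, captured value or None, note) for each charon entry matching a rule."""
    findings = []
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        when, msg = m.groups()
        for code, pattern, note in RULES:
            hit = pattern.search(msg)
            if hit:
                findings.append((when, code, hit.group(1) if hit.groups() else None, note))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
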