[strongSwan] Authentication FAILED
Noel Kuntze
noel at familie-kuntze.de
Thu Aug 6 04:42:02 CEST 2015
Hello Hardik,
What's up with the reluctance to read log files?
And why do you send logs from November?
> Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[IKE] no IKE config found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN

> conn host-host
>     leftcert=moonCert.der
>     right=192.168.82.111
>     rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
>     auto=add

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 06.08.2015 at 04:29, Hardik Gohil wrote:
> Hello,
>
> I am using strongswan-5.3 to connect host-host
>
> moon(192.168.82.99)<------------>sun(192.168.82.111)
>
> error for this:
>
> root@phyCORE-AM335x:~ ipsec up host-host
> initiating IKE_SA host-host[1] to 192.168.82.111
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> sending packet: from 192.168.82.99[500] to 192.168.82.111[500] (684 bytes)
> received packet: from 192.168.82.111[500] to 192.168.82.99[500] (481 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> received 1 cert requests for an unknown ca
> sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> authentication of 'C=CH, O=strongSwan, CN=moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
> sending end entity cert "C=CH, O=strongSwan, CN=moon.strongswan.org"
> establishing CHILD_SA host-host
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.82.99[500] to 192.168.82.111[500] (1884 bytes)
> received packet: from 192.168.82.111[500] to 192.168.82.99[500] (76 bytes)
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'host-host' failed
>
> log messages:
> Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: Starting strongSwan 5.3.2 IPsec [starter]...
> Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: !! Your strongswan.conf contains manual plugin load options for charon.
> Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: !! This is recommended for experts only, see
> Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1389]: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.2.0-PD13.1.2, armv7l)
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] received netlink error: Operation not supported (95)
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] unable to create IPv4 routing table rule
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] received netlink error: Operation not supported (95)
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[KNL] unable to create IPv6 routing table rule
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.der'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.der'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[LIB] loaded plugins: charon aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 00[JOB] spawning 16 worker threads
> Nov 22 07:50:06 phyCORE-AM335x authpriv.info ipsec_starter[1402]: charon (1403) started after 100 ms
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] received stroke: add connection 'host-host'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] left nor right host is our side, assuming left=local
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] loaded certificate "C=CH, O=strongSwan, CN=moon.strongswan.org" from 'moonCert.der'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=moon.strongswan.org'
> Nov 22 07:50:06 phyCORE-AM335x daemon.info charon: 08[CFG] added configuration 'host-host'
> Nov 22 07:50:14 phyCORE-AM335x daemon.info charon: 09[CFG] received stroke: initiate 'host-host'
> Nov 22 07:50:14 phyCORE-AM335x daemon.info charon: 02[IKE] initiating IKE_SA host-host[1] to 192.168.82.111
> Nov 22 07:50:14 phyCORE-AM335x authpriv.info charon: 02[IKE] initiating IKE_SA host-host[1] to 192.168.82.111
> Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 02[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 02[NET] sending packet: from 192.168.82.99[500] to 192.168.82.111[500] (684 bytes)
> Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 11[NET] received packet: from 192.168.82.111[500] to 192.168.82.99[500] (481 bytes)
> Nov 22 07:50:15 phyCORE-AM335x daemon.info charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] received 1 cert requests for an unknown ca
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] authentication of 'C=CH, O=strongSwan, CN=moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] sending end entity cert "C=CH, O=strongSwan, CN=moon.strongswan.org"
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[IKE] establishing CHILD_SA host-host
> Nov 22 07:50:16 phyCORE-AM335x authpriv.info charon: 11[IKE] establishing CHILD_SA host-host
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 11[NET] sending packet: from 192.168.82.99[500] to 192.168.82.111[500] (1884 bytes)
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[NET] received packet: from 192.168.82.111[500] to 192.168.82.99[500] (76 bytes)
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[IKE] received AUTHENTICATION_FAILED notify error
> Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[NET] received packet: from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
> Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
> Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[IKE] no IKE config found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
> Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[ENC] generating INFORMATIONAL_V1 request 633227307 [ N(NO_PROP) ]
> Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[NET] sending packet: from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)
> Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[NET] received packet: from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
> Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
> Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[IKE] no IKE config found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
> Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[ENC] generating INFORMATIONAL_V1 request 2444041484 [ N(NO_PROP) ]
> Nov 22 07:51:12 phyCORE-AM335x daemon.info charon: 08[NET] sending packet: from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)
> Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[NET] received packet: from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
> Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
> Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[IKE] no IKE config found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
> Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[ENC] generating INFORMATIONAL_V1 request 3535449560 [ N(NO_PROP) ]
> Nov 22 07:51:52 phyCORE-AM335x daemon.info charon: 09[NET] sending packet: from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)
> Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[NET] received packet: from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
> Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
> Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[IKE] no IKE config found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
> Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[ENC] generating INFORMATIONAL_V1 request 1995267650 [ N(NO_PROP) ]
> Nov 22 07:52:32 phyCORE-AM335x daemon.info charon: 03[NET] sending packet: from 192.168.82.99[500] to 192.168.82.5[500] (40 bytes)
>
>
> moon config:
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     mobike=no
>     keyexchange=ikev2
>
> conn host-host
>     leftcert=moonCert.der
>     right=192.168.82.111
>     rightid="C=CH, O=strongSwan, CN=sun.strongswan.org"
>     auto=add
>
> root@phyCORE-AM335x:~ cat /etc/ipsec.secrets
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> : RSA moonKey.der
>
>
> Please help me.
>
> Regards,
> Hardik A Gohil
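Added example (not part of the original messages and not strongSwan code): a small Python triage that groups the charon lines quoted in this thread by remote peer and checks each peer against the `right=` addresses in ipsec.conf. It assumes that lines logged under the same worker thread number after a `received packet` line belong to that packet's sender; the function names are made up for the illustration.

```python
import re

# Sample input: a few lines trimmed from the log and config quoted in this thread.
LOG = """\
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[NET] received packet: from 192.168.82.111[500] to 192.168.82.99[500] (76 bytes)
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 22 07:50:16 phyCORE-AM335x daemon.info charon: 15[IKE] received AUTHENTICATION_FAILED notify error
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[NET] received packet: from 192.168.82.5[500] to 192.168.82.99[500] (312 bytes)
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Nov 22 07:50:32 phyCORE-AM335x daemon.info charon: 03[IKE] no IKE config found for 192.168.82.99...192.168.82.5, sending NO_PROPOSAL_CHOSEN
"""
CONF = "conn host-host\n    leftcert=moonCert.der\n    right=192.168.82.111\n    auto=add\n"

LINE = re.compile(r"charon: (\d+)\[\w+\] (.*)$")
RECV = re.compile(r"received packet: from ([\d.]+)\[\d+\]")
EXCH = re.compile(r"parsed (\w+) (?:request|response)")
NOTIFY = re.compile(r"received (\w+) notify error")
NOCFG = re.compile(r"no IKE config found for [\d.]+?\.\.\.([\d.]+\d), sending (\w+)")

def configured_peers(conf):
    """Map each right= address in ipsec.conf text to the conn that names it."""
    peers, conn = {}, None
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif line.startswith("right=") and conn:
            peers[line.split("=", 1)[1]] = conn
    return peers

def triage(log, conf):
    """Group charon events by remote peer and note which conn, if any, covers it."""
    peers = configured_peers(conf)
    current = {}   # worker thread id -> sender of the last packet it received
    events = {}
    for m in filter(None, map(LINE.search, log.splitlines())):
        tid, msg = m.groups()
        if r := RECV.search(msg):
            current[tid] = r.group(1)
        elif c := NOCFG.search(msg):
            events.setdefault(c.group(1), []).append(("no_config", c.group(2)))
        elif tid in current and (e := EXCH.search(msg)):
            events.setdefault(current[tid], []).append(("exchange", e.group(1)))
        elif tid in current and (n := NOTIFY.search(msg)):
            events.setdefault(current[tid], []).append(("notify", n.group(1)))
    return {p: {"conn": peers.get(p), "events": ev} for p, ev in events.items()}

if __name__ == "__main__":
    for peer, info in triage(LOG, CONF).items():
        print(peer, info["conn"] or "(no conn)", info["events"])
```

On the sample lines, 192.168.82.111 maps to conn host-host and carries the AUTHENTICATION_FAILED notify, while 192.168.82.5 matches no conn and is the sender of the ID_PROT requests.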