[strongSwan] No matching peer config

Benjamin Häublein benjaminhaeublein at gmail.com
Mon Aug 10 18:51:22 CEST 2015


Hello,
I'm new to this mailing list, so please let me know if something in my mail
is not up to the usual standards.

I have set up a strongSwan host (5.2.1 on Debian Jessie) and a
roadwarrior (5.1.2 on Ubuntu 15.04) with authentication by certificates.
When I try to connect I get "received AUTHENTICATION_FAILED notify error" and on
the host "no matching peer config found".
First of all: connecting from an Android client does work. Google tells me to
make sure I've included leftid and rightid with the DNs of the certificate.
I've done that.

Configuration and logs follow.

Thank you for your help
Benjamin 

The ipsec.conf of the host is as follows:
> config setup
>         strictcrlpolicy=no
>         charondebug="cfg 2, dmn 2, ike 2, net 2"
> 
> conn %default
> 
>         keyexchange=ikev2
>         ike=aes256-sha1-modp1024!
>         esp=aes256-sha1!
>         dpdaction=clear
>         dpddelay=300s
>         rekey=no
>         left=%any
>         leftsubnet=0.0.0.0/0
>         leftcert=vpnHostCert.pem
>         leftfirewall=yes
>         right=%any
>         rightsourceip=172.16.16.1/24
>
> conn IPSec-IKEv2 
>         keyexchange=ikev2
>         auto=add

of the roadwarrior:
> conn %default
>         keyexchange=ikev2
> 
> conn pi
> 
>         left=%any
>         leftcert=roadwarriorCert.pem
>         leftid=road@warrior
>         leftfirewall=yes
>         leftauth=pubkey
>         right=my.host.com
>         rightauth=pubkey
>         auto=add

When I call "ipsec up pi" (I've replaced my IP with M.Y.I.P):
> initiating IKE_SA pi[1] to M.Y.I.P
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1212 bytes)
> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group MODP_2048, it requested MODP_1024
> initiating IKE_SA pi[1] to M.Y.I.P
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1084 bytes)
> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (337 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> remote host is behind NAT
> received cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
> sending cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
> authentication of 'C=CH, O=strongSwan, CN=road@warrior' (myself) with RSA signature successful
> sending end entity cert "C=DE, O=bla, CN=road@warrior"
> establishing CHILD_SA pi
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.20[4500] to M.Y.I.P[4500] (1836 bytes)
> received packet: from M.Y.I.P[4500] to 192.168.1.20[4500] (76 bytes)
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'pi' failed

The logs of the host are:
> Aug 10 18:34:21 02[NET] <49> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1212 bytes)
> Aug 10 18:34:21 02[ENC] <49> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Aug 10 18:34:21 02[IKE] <49> 37.49.112.130 is initiating an IKE_SA
> Aug 10 18:34:21 02[IKE] <49> local host is behind NAT, sending keep alives
> Aug 10 18:34:21 02[IKE] <49> remote host is behind NAT
> Aug 10 18:34:21 02[IKE] <49> DH group MODP_2048 inacceptable, requesting MODP_1024
> Aug 10 18:34:21 02[ENC] <49> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Aug 10 18:34:21 02[NET] <49> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (38 bytes)
> Aug 10 18:34:22 11[NET] <50> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1084 bytes)
> Aug 10 18:34:22 11[ENC] <50> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Aug 10 18:34:22 11[IKE] <50> 37.49.112.130 is initiating an IKE_SA
> Aug 10 18:34:22 11[IKE] <50> local host is behind NAT, sending keep alives
> Aug 10 18:34:22 11[IKE] <50> remote host is behind NAT
> Aug 10 18:34:22 11[IKE] <50> sending cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
> Aug 10 18:34:22 11[ENC] <50> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Aug 10 18:34:22 11[NET] <50> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (337 bytes)
> Aug 10 18:34:22 13[NET] <50> received packet: from 37.49.112.130[33056] to 192.168.1.3[4500] (1836 bytes)
> Aug 10 18:34:22 13[ENC] <50> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Aug 10 18:34:22 13[IKE] <50> received cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
> Aug 10 18:34:22 13[IKE] <50> received end entity cert "C=CH, O=strongSwan, CN=benjaminh@fairphone"
> Aug 10 18:34:22 13[CFG] <50> looking for peer configs matching 192.168.1.3[benjaminh.duckdns.org]...37.49.112.130[C=CH, O=strongSwan, CN=benjaminh@fairphone]
> Aug 10 18:34:22 13[CFG] <50> no matching peer config found
> Aug 10 18:34:22 13[IKE] <50> peer supports MOBIKE
> Aug 10 18:34:22 13[ENC] <50> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Aug 10 18:34:22 13[NET] <50> sending packet: from 192.168.1.3[4500] to 37.49.112.130[33056] (76 bytes)
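Editor's added example (not part of the original post and not strongSwan project code): the two ipsec.conf fragments from the message with the identities made explicit on both ends. The charon line "looking for peer configs matching 192.168.1.3[benjaminh.duckdns.org]...37.49.112.130[C=CH, O=strongSwan, CN=benjaminh@fairphone]" prints exactly the pair a conn has to match: the IDr the client asserted for the host (left of the "...") against the host's leftid, and the client's IDi (right of it) against the host's rightid, so the values below are chosen so that both sides send what the other side's config expects. The FQDN my.host.com, the assumption that vpnHostCert.pem carries it as a DNS subjectAltName, and the client DN used for leftid are assumptions; read the real subject DNs and SANs with "ipsec listcerts" on each box before copying. The host log also shows the "!"-pinned modp1024 forcing the client down from the MODP_2048 it offered first, so the example accepts modp2048 instead.

```ini
# Added example (editor's, not from the original post): explicit identities
# on both peers. Assumed values: my.host.com as the host's FQDN/SAN, and the
# DN given as the client's leftid; substitute what "ipsec listcerts" prints.

# ---- host: /etc/ipsec.conf ----
config setup
        strictcrlpolicy=no
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        # The client proposed MODP_2048 and was pushed down to MODP_1024 by the
        # old "!"-pinned proposal; accept the stronger group the client offers.
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        # Must be an identity the host certificate actually carries (subject DN
        # or a subjectAltName). Clients send this FQDN as IDr, so the certificate
        # is assumed to contain it as a DNS SAN.
        leftid=my.host.com
        leftfirewall=yes
        right=%any
        rightsourceip=172.16.16.1/24
        # Accept any client whose certificate chains to our CA (the DN shown in
        # the CERTREQ lines of the log) rather than any identity at all.
        rightca="C=DE, O=benjamin, CN=Pi strongSwan Root CA"

conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add

# ---- roadwarrior: /etc/ipsec.conf ----
conn %default
        keyexchange=ikev2
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!

conn pi
        left=%any
        leftcert=roadwarriorCert.pem
        # leftid must be the client certificate's subject DN or one of its SANs;
        # the DN below is an assumed placeholder for the real subject.
        leftid="C=DE, O=benjamin, CN=road@warrior"
        leftauth=pubkey
        leftfirewall=yes
        right=my.host.com
        # Pin the identity the host is expected to assert; it is sent as IDr
        # and must match the host's leftid above.
        rightid=my.host.com
        rightauth=pubkey
        auto=add
```

After reloading with "ipsec reload" on both sides, the next "ipsec up pi" should show the IDr and IDi in the host's "looking for peer configs matching" line agreeing with the host's leftid and with a client DN under the configured CA; if leftid on either side is not confirmed by that side's certificate, charon logs that it is falling back to the certificate's subject DN, which is the first thing to check.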