[strongSwan] No matching peer config

Noel Kuntze noel at familie-kuntze.de
Mon Aug 10 18:59:28 CEST 2015



Hello Benjamin,

If you use right/leftsourceip on one side of the connection, you also need to do so on
the other side. In your config, you use it on the "host", but not on the roadwarrior.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 10.08.2015 at 18:51, Benjamin Häublein wrote:
> Hello,
> I'm new to this mailing list, so please give me notice if something in my mail
> is not up to the usual standards.
>
> I have set up a strongswan host (5.2.1 on Debian Jessie) and a
> roadwarrior (5.1.2 on Ubuntu 15.04) with authentication by certificates.
> When I try to connect I get "received AUTHENTICATION_FAILED notify error" and on
> the host "no matching peer config found".
> First of all: Connecting from an android client does work. Google tells me to
> make sure I've included leftid and rightid with the DNs of the certificate.
> I've done that.
>
> Configuration and logs follow.
>
> Thank you for your help
> Benjamin
>
> The ipsec.conf of the host is as follows:
>> config setup
>>         strictcrlpolicy=no
>>         charondebug="cfg 2, dmn 2, ike 2, net 2"
>>
>> conn %default
>>
>>         keyexchange=ikev2
>>         ike=aes256-sha1-modp1024!
>>         esp=aes256-sha1!
>>         dpdaction=clear
>>         dpddelay=300s
>>         rekey=no
>>         left=%any
>>         leftsubnet=0.0.0.0/0
>>         leftcert=vpnHostCert.pem
>>         leftfirewall=yes
>>         right=%any
>>         rightsourceip=172.16.16.1/24
>>
>> conn IPSec-IKEv2
>>         keyexchange=ikev2
>>         auto=add
>
> of the roadwarrior:
>> conn %default
>>         keyexchange=ikev2
>>
>> conn pi
>>
>>         left=%any
>>         leftcert=roadwarriorCert.pem
>>         leftid=road at warrior
>>         leftfirewall=yes
>>         leftauth=pubkey
>>         right=my.host.com
>>         rightauth=pubkey
>>         auto=add
>
> When I call "ipsec up pi" (I've replaced my IP with M.Y.I.P):
>> initiating IKE_SA pi[1] to M.Y.I.P
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1212 bytes)
>> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (38 bytes)
>> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> peer didn't accept DH group MODP_2048, it requested MODP_1024
>> initiating IKE_SA pi[1] to M.Y.I.P
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1084 bytes)
>> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (337 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> local host is behind NAT, sending keep alives
>> remote host is behind NAT
>> received cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
>> sending cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
>> authentication of 'C=CH, O=strongSwan, CN=road at warrior' (myself) with RSA signature successful
>> sending end entity cert "C=DE, O=bla, CN=road at warrior"
>> establishing CHILD_SA pi
>> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> sending packet: from 192.168.1.20[4500] to M.Y.I.P[4500] (1836 bytes)
>> received packet: from M.Y.I.P[4500] to 192.168.1.20[4500] (76 bytes)
>> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> received AUTHENTICATION_FAILED notify error
>> establishing connection 'pi' failed
>
> The logs of the host are:
>> Aug 10 18:34:21 02[NET] <49> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1212 bytes)
>> Aug 10 18:34:21 02[ENC] <49> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Aug 10 18:34:21 02[IKE] <49> 37.49.112.130 is initiating an IKE_SA
>> Aug 10 18:34:21 02[IKE] <49> local host is behind NAT, sending keep alives
>> Aug 10 18:34:21 02[IKE] <49> remote host is behind NAT
>> Aug 10 18:34:21 02[IKE] <49> DH group MODP_2048 inacceptable, requesting MODP_1024
>> Aug 10 18:34:21 02[ENC] <49> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> Aug 10 18:34:21 02[NET] <49> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (38 bytes)
>> Aug 10 18:34:22 11[NET] <50> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1084 bytes)
>> Aug 10 18:34:22 11[ENC] <50> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Aug 10 18:34:22 11[IKE] <50> 37.49.112.130 is initiating an IKE_SA
>> Aug 10 18:34:22 11[IKE] <50> local host is behind NAT, sending keep alives
>> Aug 10 18:34:22 11[IKE] <50> remote host is behind NAT
>> Aug 10 18:34:22 11[IKE] <50> sending cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
>> Aug 10 18:34:22 11[ENC] <50> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Aug 10 18:34:22 11[NET] <50> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (337 bytes)
>> Aug 10 18:34:22 13[NET] <50> received packet: from 37.49.112.130[33056] to 192.168.1.3[4500] (1836 bytes)
>> Aug 10 18:34:22 13[ENC] <50> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> Aug 10 18:34:22 13[IKE] <50> received cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
>> Aug 10 18:34:22 13[IKE] <50> received end entity cert "C=CH, O=strongSwan, CN=benjaminh at fairphone"
>> Aug 10 18:34:22 13[CFG] <50> looking for peer configs matching 192.168.1.3[benjaminh.duckdns.org]...37.49.112.130[C=CH, O=strongSwan, CN=benjaminh at fairphone]
>> Aug 10 18:34:22 13[CFG] <50> no matching peer config found
>> Aug 10 18:34:22 13[IKE] <50> peer supports MOBIKE
>> Aug 10 18:34:22 13[ENC] <50> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> Aug 10 18:34:22 13[NET] <50> sending packet: from 192.168.1.3[4500] to 37.49.112.130[33056] (76 bytes)
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

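The check Noel describes, written out as a small linter over the two ipsec.conf files quoted in the thread. This is an added example and is neither strongSwan code nor anything either poster ran: it parses ipsec.conf with the same "conn %default" inheritance the real parser applies, then reports a virtual-IP pool (rightsourceip) on one side without a leftsourceip request on the other. It also flags two things visible in the posted logs: the gateway's strict "!" proposal against a client that relies on defaults (the INVAL_KE round trip at the top of both logs) and, as a security caveat unrelated to the failure, the 1024-bit MODP group in the gateway's ike= line. Assumptions: the munged "road at warrior" is taken to be road@warrior, and the "fixed" client config (leftsourceip=%config plus a matching ike= line) is this example's, not something the thread confirms as the resolution.

```python
"""Linter for the ipsec.conf pair posted above (added example, not strongSwan code).
It resolves 'conn %default' inheritance the way ipsec.conf does and reports the
asymmetry Noel describes, plus two things visible in the posted logs."""
import re

# Gateway and roadwarrior configs copied from the post ("road at warrior" is the
# archive's address munging; the real value is assumed to be road@warrior).
GATEWAY_CONF = """\
config setup
        strictcrlpolicy=no
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        leftfirewall=yes
        right=%any
        rightsourceip=172.16.16.1/24

conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add
"""
CLIENT_CONF = """\
conn %default
        keyexchange=ikev2

conn pi
        left=%any
        leftcert=roadwarriorCert.pem
        leftid=road@warrior
        leftfirewall=yes
        leftauth=pubkey
        right=my.host.com
        rightauth=pubkey
        auto=add
"""
# Assumed fix (not confirmed by the thread): request a virtual IP and pin the
# same IKE proposal the gateway enforces.
CLIENT_CONF_FIXED = CLIENT_CONF.replace(
    "conn pi\n", "conn pi\n        leftsourceip=%config\n        ike=aes256-sha1-modp1024!\n")


def parse_ipsec_conf(text):
    """Return {conn: {key: value}} for every conn except %default, with %default
    merged underneath each conn's own settings.  Section headers start in column
    0 and parameters are indented; 'also=' and 'include' are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                       # "conn NAME" / "config setup"
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        else:
            if current is None:
                raise ValueError(f"parameter outside any section: {line.strip()}")
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"malformed parameter: {line.strip()}")
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}


def lint_pair(gateway, client):
    """Compare the gateway conn (the side holding the pool) with the roadwarrior
    conn; return a list of findings, empty when the pair looks consistent."""
    findings = []
    pool, request = gateway.get("rightsourceip"), client.get("leftsourceip")
    if pool and not request:
        findings.append(f"gateway assigns virtual IPs from {pool} but the client "
                        "never requests one: add leftsourceip=%config on the client")
    elif request and not pool:
        findings.append(f"client requests a virtual IP ({request}) but the gateway "
                        "has no rightsourceip pool")
    # A strict ('!') proposal on one side and defaults on the other costs an extra
    # IKE_SA_INIT round trip when the first DH group differs (the INVAL_KE in the log).
    gw_ike = gateway.get("ike", "")
    if gw_ike.endswith("!") and "ike" not in client:
        findings.append(f"gateway pins ike={gw_ike} while the client uses defaults; set "
                        "the same ike= on the client to avoid the INVALID_KE_PAYLOAD retry")
    # Security caveat independent of the connection failure: 1024-bit MODP is weak.
    for side, conn in (("gateway", gateway), ("client", client)):
        if re.search(r"\bmodp1024\b", conn.get("ike", "")):
            findings.append(f"{side} allows modp1024 in ike={conn['ike']}: prefer "
                            "modp2048 or better (or an ECP group)")
    return findings


if __name__ == "__main__":
    gw = parse_ipsec_conf(GATEWAY_CONF)["IPSec-IKEv2"]
    for label, conf in (("as posted", CLIENT_CONF), ("fixed", CLIENT_CONF_FIXED)):
        print(f"[{label}]")
        for finding in lint_pair(gw, parse_ipsec_conf(conf)["pi"]):
            print("  -", finding)
```

Run as posted, the linter reports the missing leftsourceip, the unpinned client proposal and the modp1024 group; with the assumed fix only the modp1024 warning remains, now on both sides. The parser deliberately treats the column-0 rule as authoritative, which is also why a parameter accidentally left unindented in a real ipsec.conf silently becomes a bogus section header there.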


