[strongSwan] No matching peer config

Benjamin Häublein benjaminhaeublein at gmail.com
Mon Aug 10 19:02:07 CEST 2015


Hello Benjamin,

It's the same error if I leave out left/rightid. This changes nothing in
authentication.

Thank you
Benjamin

On Mon, Aug 10, 2015 at 6:59 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello Benjamin,
>
> If you use right/leftsourceip on one side of the connection, you also need
> to do so on the other side. In your config, you use it on the "host", but
> not on the roadwarrior.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 10.08.2015 at 18:51, Benjamin Häublein wrote:
> > Hello,
> > I'm new to this mailing list, so please give me notice if something in my
> > mail is not up to the usual standards.
> >
> > I have set up a strongSwan host (5.2.1 on Debian Jessie) and a roadwarrior
> > (5.1.2 on Ubuntu 15.04) with authentication by certificates. When I try to
> > connect I get "received AUTHENTICATION_FAILED notify error" and on the host
> > "no matching peer config found".
> > First of all: connecting from an Android client does work. Google tells me
> > to make sure I've included leftid and rightid with the DNs of the
> > certificate. I've done that.
> >
> > Configuration and logs follow.
> >
> > Thank you for your help
> > Benjamin
> >
> > The ipsec.conf of the host is as follows:
> >> config setup
> >>         strictcrlpolicy=no
> >>         charondebug="cfg 2, dmn 2, ike 2, net 2"
> >>
> >> conn %default
> >>
> >>         keyexchange=ikev2
> >>         ike=aes256-sha1-modp1024!
> >>         esp=aes256-sha1!
> >>         dpdaction=clear
> >>         dpddelay=300s
> >>         rekey=no
> >>         left=%any
> >>         leftsubnet=0.0.0.0/0
> >>         leftcert=vpnHostCert.pem
> >>         leftfirewall=yes
> >>         right=%any
> >>         rightsourceip=172.16.16.1/24
> >>
> >> conn IPSec-IKEv2
> >>         keyexchange=ikev2
> >>         auto=add
> >
> > of the roadwarrior:
> >> conn %default
> >>         keyexchange=ikev2
> >>
> >> conn pi
> >>
> >>         left=%any
> >>         leftcert=roadwarriorCert.pem
> >>         leftid=road at warrior
> >>         leftfirewall=yes
> >>         leftauth=pubkey
> >>         right=my.host.com
> >>         rightauth=pubkey
> >>         auto=add
> >
> > When I call "ipsec up pi" (I've replaced my IP with M.Y.I.P):
> >> initiating IKE_SA pi[1] to M.Y.I.P
> >> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1212 bytes)
> >> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (38 bytes)
> >> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> >> peer didn't accept DH group MODP_2048, it requested MODP_1024
> >> initiating IKE_SA pi[1] to M.Y.I.P
> >> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1084 bytes)
> >> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (337 bytes)
> >> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> >> local host is behind NAT, sending keep alives
> >> remote host is behind NAT
> >> received cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
> >> sending cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
> >> authentication of 'C=CH, O=strongSwan, CN=road at warrior' (myself) with RSA signature successful
> >> sending end entity cert "C=DE, O=bla, CN=road at warrior"
> >> establishing CHILD_SA pi
> >> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> >> sending packet: from 192.168.1.20[4500] to M.Y.I.P[4500] (1836 bytes)
> >> received packet: from M.Y.I.P[4500] to 192.168.1.20[4500] (76 bytes)
> >> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >> received AUTHENTICATION_FAILED notify error
> >> establishing connection 'pi' failed
> >
> > The logs of the host are:
> >> Aug 10 18:34:21 02[NET] <49> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1212 bytes)
> >> Aug 10 18:34:21 02[ENC] <49> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> Aug 10 18:34:21 02[IKE] <49> 37.49.112.130 is initiating an IKE_SA
> >> Aug 10 18:34:21 02[IKE] <49> local host is behind NAT, sending keep alives
> >> Aug 10 18:34:21 02[IKE] <49> remote host is behind NAT
> >> Aug 10 18:34:21 02[IKE] <49> DH group MODP_2048 inacceptable, requesting MODP_1024
> >> Aug 10 18:34:21 02[ENC] <49> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> >> Aug 10 18:34:21 02[NET] <49> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (38 bytes)
> >> Aug 10 18:34:22 11[NET] <50> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1084 bytes)
> >> Aug 10 18:34:22 11[ENC] <50> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> Aug 10 18:34:22 11[IKE] <50> 37.49.112.130 is initiating an IKE_SA
> >> Aug 10 18:34:22 11[IKE] <50> local host is behind NAT, sending keep alives
> >> Aug 10 18:34:22 11[IKE] <50> remote host is behind NAT
> >> Aug 10 18:34:22 11[IKE] <50> sending cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
> >> Aug 10 18:34:22 11[ENC] <50> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> >> Aug 10 18:34:22 11[NET] <50> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (337 bytes)
> >> Aug 10 18:34:22 13[NET] <50> received packet: from 37.49.112.130[33056] to 192.168.1.3[4500] (1836 bytes)
> >> Aug 10 18:34:22 13[ENC] <50> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> >> Aug 10 18:34:22 13[IKE] <50> received cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
> >> Aug 10 18:34:22 13[IKE] <50> received end entity cert "C=CH, O=strongSwan, CN=benjaminh at fairphone"
> >> Aug 10 18:34:22 13[CFG] <50> looking for peer configs matching 192.168.1.3[benjaminh.duckdns.org]...37.49.112.130[C=CH, O=strongSwan, CN=benjaminh at fairphone]
> >> Aug 10 18:34:22 13[CFG] <50> no matching peer config found
> >> Aug 10 18:34:22 13[IKE] <50> peer supports MOBIKE
> >> Aug 10 18:34:22 13[ENC] <50> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >> Aug 10 18:34:22 13[NET] <50> sending packet: from 192.168.1.3[4500] to 37.49.112.130[33056] (76 bytes)
> >
>
>
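As an added example (not code from the thread and not strongSwan's own code), the script below reads the two ipsec.conf fragments and the host's [CFG] log lines quoted above, reports which identities charon compared when it logged "no matching peer config found", and checks whether rightsourceip on the host is paired with leftsourceip on the roadwarrior, as Noel's reply says it must be. The parser is a deliberately simplified reading of ipsec.conf (conn sections and %default inheritance only), all function names are mine, and the config and log strings are trimmed copies of what is quoted in the thread, with the archive's " at " spelling of "@" left as it appears on the page.

```python
# Added example (not strongSwan code, not from the thread): parse the ipsec.conf
# fragments and the host's [CFG] log lines quoted above, report which identities
# charon compared when it logged "no matching peer config found", and check that
# left/rightsourceip is set on both sides. parse_ipsec_conf() is a simplified
# reading of ipsec.conf (conn sections plus %default inheritance only).
import re

# Trimmed copies of the two ipsec.conf files quoted in the thread.
HOST_CONF = """\
conn %default
        keyexchange=ikev2
        left=%any
        leftcert=vpnHostCert.pem
        right=%any
        rightsourceip=172.16.16.1/24

conn IPSec-IKEv2
        auto=add
"""
ROADWARRIOR_CONF = """\
conn pi
        leftcert=roadwarriorCert.pem
        leftid=road at warrior
        right=my.host.com
        auto=add
"""
# The two [CFG] lines from the host log above ("@" appears as " at " on the page).
HOST_LOG = [
    "Aug 10 18:34:22 13[CFG] <50> looking for peer configs matching "
    "192.168.1.3[benjaminh.duckdns.org]...37.49.112.130[C=CH, O=strongSwan, CN=benjaminh at fairphone]",
    "Aug 10 18:34:22 13[CFG] <50> no matching peer config found",
]

def parse_ipsec_conf(text):
    """{conn_name: {key: value}} with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():          # "conn NAME" / "config setup" header
            kind, _, name = line.partition(" ")
            current = name if kind == "conn" else None
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None:         # indented key=value inside a conn
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **conn} for name, conn in sections.items()}

# charon's lookup line: looking for peer configs matching LOCAL[IDr]...REMOTE[IDi]
LOOKUP_RE = re.compile(r"looking for peer configs matching "
                       r"([^\s\[]+)\[([^\]]*)\]\.\.\.([^\s\[]+)\[([^\]]*)\]")

def parse_peer_lookup(log_lines):
    """Return ((local_addr, IDr, remote_addr, IDi) or None, lookup_failed)."""
    lookup, failed = None, False
    for line in log_lines:
        m = LOOKUP_RE.search(line)
        if m:
            lookup = m.groups()
        failed = failed or "no matching peer config found" in line
    return lookup, failed

def local_identity(conn):
    """leftid if set; else strongSwan uses leftcert's subject DN (placeholder here)."""
    if "leftid" in conn:
        return conn["leftid"]
    if "leftcert" in conn:
        return "<subject DN of %s>" % conn["leftcert"]
    return conn.get("left", "%any")

def diagnose_peer_match(conf_text, log_lines):
    """Per conn, how its identities line up with the logged IDr/IDi: [(conn, finding)]."""
    lookup, failed = parse_peer_lookup(log_lines)
    if lookup is None or not failed:
        return []
    _, idr, _, idi = lookup
    findings = []
    for name, conn in parse_ipsec_conf(conf_text).items():
        local, remote = local_identity(conn), conn.get("rightid", "%any")
        if local.startswith("<subject DN"):
            note = ("leftid not set, so the local identity is %s; the peer asked for "
                    "IDr '%s', which must equal it: set leftid (subject DN or a "
                    "subjectAltName of the cert) or the peer's rightid so both agree" % (local, idr))
        else:
            note = "IDr '%s' %s leftid '%s'" % (idr, "matches" if local == idr else "does not match", local)
        remote_ok = remote in ("%any", idi)
        findings.append((name, "%s; IDi '%s' %s rightid %s"
                         % (note, idi, "matches" if remote_ok else "does not match", remote)))
    return findings

def sourceip_asymmetry(responder_conf, initiator_conf):
    """Noel's point: a responder assigning virtual IPs (rightsourceip) needs an
    initiator requesting one (leftsourceip, e.g. %config). Returns the offending pairs."""
    responder, initiator = parse_ipsec_conf(responder_conf), parse_ipsec_conf(initiator_conf)
    return [(r, i) for r, rc in responder.items() if "rightsourceip" in rc
            for i, ic in initiator.items() if "leftsourceip" not in ic]
```

Calling diagnose_peer_match(HOST_CONF, HOST_LOG) yields one finding for conn IPSec-IKEv2: with leftid unset, the identity charon matches against is the subject DN of vpnHostCert.pem, while the IDr the client sent was the hostname from the log line, so the two sides have to be made to agree explicitly (leftid on the host, or rightid on the roadwarrior). sourceip_asymmetry(HOST_CONF, ROADWARRIOR_CONF) returns [("IPSec-IKEv2", "pi")], which is the mismatch Noel's reply describes.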