[strongSwan] No matching peer config

Noel Kuntze noel at familie-kuntze.de
Mon Aug 10 19:08:18 CEST 2015



Hello Benjamin,

Read my last email again.

Your problem is not authentication; this is obvious from the message on the
responder:
> the host "no matching peer config found".
I'm talking about rightsourceip/leftsourceip.
The settings for that need to match (read the man page for ipsec.conf).

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 10.08.2015 at 19:02, Benjamin Häublein wrote:
> Hello Benjamin,
>
> It's the same error if I leave out left/rightid. This changes nothing in authentication.
>
> Thank you
> Benjamin
>
> On Mon, Aug 10, 2015 at 6:59 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Benjamin,
>
> If you use right/leftsourceip on one side of the connection, you also need to do so on
> the other side. In your config, you use it on the "host", but not on the roadwarrior.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 10.08.2015 at 18:51, Benjamin Häublein wrote:
> > Hello,
> > I'm new to this mailing list, so please give me notice if something in my mail
> > is not up to the usual standards.
>
> > I have set up a strongSwan host (5.2.1 on Debian Jessie) and a
> > roadwarrior (5.1.2 on Ubuntu 15.04) with authentication by certificates.
> > When I try to connect I get "received AUTHENTICATION_FAILED notify error" and on
> > the host "no matching peer config found".
> > First of all: Connecting from an android client does work. Google tells me to
> > make sure I've included leftid and rightid with the DNs of the certificate.
> > I've done that.
>
> > Configuration and logs follow.
>
> > Thank you for your help
> > Benjamin
>
> > The ipsec.conf of the host is as follows:
> >> config setup
> >>         strictcrlpolicy=no
> >>         charondebug="cfg 2, dmn 2, ike 2, net 2"
> >>
> >> conn %default
> >>
> >>         keyexchange=ikev2
> >>         ike=aes256-sha1-modp1024!
> >>         esp=aes256-sha1!
> >>         dpdaction=clear
> >>         dpddelay=300s
> >>         rekey=no
> >>         left=%any
> >>         leftsubnet=0.0.0.0/0
> >>         leftcert=vpnHostCert.pem
> >>         leftfirewall=yes
> >>         right=%any
> >>         rightsourceip=172.16.16.1/24
> >>
> >> conn IPSec-IKEv2
> >>         keyexchange=ikev2
> >>         auto=add
>
> > of the roadwarrior:
> >> conn %default
> >>         keyexchange=ikev2
> >>
> >> conn pi
> >>
> >>         left=%any
> >>         leftcert=roadwarriorCert.pem
> >>         leftid=road at warrior
> >>         leftfirewall=yes
> >>         leftauth=pubkey
> >>         right=my.host.com
> >>         rightauth=pubkey
> >>         auto=add
>
> > When I call "ipsec up pi" (I've replaced M.Y.I.P):
> >> initiating IKE_SA pi[1] to M.Y.I.P
> >> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1212 bytes)
> >> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (38 bytes)
> >> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> >> peer didn't accept DH group MODP_2048, it requested MODP_1024
> >> initiating IKE_SA pi[1] to M.Y.I.P
> >> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> sending packet: from 192.168.1.20[500] to M.Y.I.P[500] (1084 bytes)
> >> received packet: from M.Y.I.P[500] to 192.168.1.20[500] (337 bytes)
> >> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> >> local host is behind NAT, sending keep alives
> >> remote host is behind NAT
> >> received cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
> >> sending cert request for "C=DE, O=bla, CN=Pi strongSwan Root CA"
> >> authentication of 'C=CH, O=strongSwan, CN=road at warrior' (myself) with RSA signature successful
> >> sending end entity cert "C=DE, O=bla, CN=road at warrior"
> >> establishing CHILD_SA pi
> >> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> >> sending packet: from 192.168.1.20[4500] to M.Y.I.P[4500] (1836 bytes)
> >> received packet: from M.Y.I.P[4500] to 192.168.1.20[4500] (76 bytes)
> >> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >> received AUTHENTICATION_FAILED notify error
> >> establishing connection 'pi' failed
>
> > The logs of the host are:
> >> Aug 10 18:34:21 02[NET] <49> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1212 bytes)
> >> Aug 10 18:34:21 02[ENC] <49> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> Aug 10 18:34:21 02[IKE] <49> 37.49.112.130 is initiating an IKE_SA
> >> Aug 10 18:34:21 02[IKE] <49> local host is behind NAT, sending keep alives
> >> Aug 10 18:34:21 02[IKE] <49> remote host is behind NAT
> >> Aug 10 18:34:21 02[IKE] <49> DH group MODP_2048 inacceptable, requesting MODP_1024
> >> Aug 10 18:34:21 02[ENC] <49> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> >> Aug 10 18:34:21 02[NET] <49> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (38 bytes)
> >> Aug 10 18:34:22 11[NET] <50> received packet: from 37.49.112.130[500] to 192.168.1.3[500] (1084 bytes)
> >> Aug 10 18:34:22 11[ENC] <50> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >> Aug 10 18:34:22 11[IKE] <50> 37.49.112.130 is initiating an IKE_SA
> >> Aug 10 18:34:22 11[IKE] <50> local host is behind NAT, sending keep alives
> >> Aug 10 18:34:22 11[IKE] <50> remote host is behind NAT
> >> Aug 10 18:34:22 11[IKE] <50> sending cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
> >> Aug 10 18:34:22 11[ENC] <50> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> >> Aug 10 18:34:22 11[NET] <50> sending packet: from 192.168.1.3[500] to 37.49.112.130[500] (337 bytes)
> >> Aug 10 18:34:22 13[NET] <50> received packet: from 37.49.112.130[33056] to 192.168.1.3[4500] (1836 bytes)
> >> Aug 10 18:34:22 13[ENC] <50> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> >> Aug 10 18:34:22 13[IKE] <50> received cert request for "C=DE, O=benjamin, CN=Pi strongSwan Root CA"
> >> Aug 10 18:34:22 13[IKE] <50> received end entity cert "C=CH, O=strongSwan, CN=benjaminh at fairphone"
> >> Aug 10 18:34:22 13[CFG] <50> looking for peer configs matching 192.168.1.3[benjaminh.duckdns.org]...37.49.112.130[C=CH, O=strongSwan, CN=benjaminh at fairphone]
> >> Aug 10 18:34:22 13[CFG] <50> no matching peer config found
> >> Aug 10 18:34:22 13[IKE] <50> peer supports MOBIKE
> >> Aug 10 18:34:22 13[ENC] <50> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >> Aug 10 18:34:22 13[NET] <50> sending packet: from 192.168.1.3[4500] to 37.49.112.130[33056] (76 bytes)
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users

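A small model of the lookup behind the responder's "looking for peer configs matching 192.168.1.3[benjaminh.duckdns.org]...37.49.112.130[...]" log line, added here as an illustration; it is not strongSwan code and is not taken from any message in this thread. It applies the ipsec.conf defaults for leftid/rightid (an explicit id, else the subject DN of the configured certificate, else the left/right host) to paraphrased versions of the two posted configs and checks the identities the initiator would send as IDr and IDi against every conn on the host. Assumptions: the subject DNs of vpnHostCert.pem and roadwarriorCert.pem and the roadwarrior's e-mail style leftid are invented, the IP addresses are the ones in the host log, and identity comparison is reduced to exact type-and-value equality (strongSwan's wildcard and prefix matching is left out).

```python
"""Simplified model of how a strongSwan responder selects a peer config.
Added illustration for this thread, not strongSwan code. Only the inputs
charon prints in "looking for peer configs matching local[IDr]...remote[IDi]"
are modelled; certificate DNs are invented and id matching is exact equality.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "%any"


@dataclass(frozen=True)
class Identity:
    kind: str    # "dn", "rfc822", "ip" or "fqdn"
    value: str


def parse_id(text: str) -> Optional[Identity]:
    """Turn an ipsec.conf id/host string into an Identity; None means %any.
    Type detection is a simplified version of ipsec.conf's automatic one."""
    if text == ANY:
        return None
    if "=" in text:                       # e.g. "C=DE, O=bla, CN=..."
        return Identity("dn", text)
    if "@" in text:
        return Identity("rfc822", text)
    parts = text.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return Identity("ip", text)
    return Identity("fqdn", text)


@dataclass
class ConnSide:
    """left= or right= side of a conn: only the keys that drive selection."""
    host: str = ANY                 # left= / right=
    id: Optional[str] = None        # leftid= / rightid=
    cert_dn: Optional[str] = None   # subject DN of leftcert= / rightcert=


def effective_id(side: ConnSide) -> Optional[Identity]:
    """ipsec.conf default for left/rightid: explicit id if set, else the
    subject DN of the configured certificate, else the left/right host."""
    if side.id is not None:
        return parse_id(side.id)
    if side.cert_dn is not None:
        return Identity("dn", side.cert_dn)
    return parse_id(side.host)


@dataclass
class PeerConfig:
    name: str
    local: ConnSide
    remote: ConnSide


def host_matches(configured: str, actual: str) -> bool:
    return configured == ANY or configured == actual


def id_matches(configured: Optional[Identity], received: Optional[Identity]) -> bool:
    """%any accepts anything; otherwise type and value must be equal.
    strongSwan's wildcard/prefix matching is deliberately not modelled."""
    return configured is None or configured == received


def lookup(configs: List[PeerConfig], local_addr: str, idr: Optional[Identity],
           remote_addr: str, idi: Optional[Identity]) -> List[str]:
    """Names of configs accepting this IKE_AUTH; [] is 'no matching peer config found'."""
    return [c.name for c in configs
            if host_matches(c.local.host, local_addr)
            and host_matches(c.remote.host, remote_addr)
            and id_matches(effective_id(c.local), idr)
            and id_matches(effective_id(c.remote), idi)]


# Host config as posted: conn IPSec-IKEv2 inheriting left=%any, leftcert=..., right=%any.
HOST_CERT_DN = "C=DE, O=bla, CN=vpn.example.org"     # assumed subject of vpnHostCert.pem
ROADWARRIOR_CERT_DN = "C=DE, O=bla, CN=roadwarrior"  # assumed subject of roadwarriorCert.pem

host_configs = [
    PeerConfig("IPSec-IKEv2",
               local=ConnSide(host=ANY, cert_dn=HOST_CERT_DN),
               remote=ConnSide(host=ANY)),
]

# Roadwarrior conn "pi" as posted: right=my.host.com, rightid unset -> IDr is the FQDN.
roadwarrior_as_posted = PeerConfig(
    "pi",
    local=ConnSide(host=ANY, id="roadwarrior@example.org", cert_dn=ROADWARRIOR_CERT_DN),
    remote=ConnSide(host="my.host.com"))

# Same conn with rightid pinned to the responder's certificate DN.
roadwarrior_with_rightid = PeerConfig(
    "pi",
    local=ConnSide(host=ANY, id="roadwarrior@example.org", cert_dn=ROADWARRIOR_CERT_DN),
    remote=ConnSide(host="my.host.com", id=HOST_CERT_DN))


def responder_result(roadwarrior: PeerConfig) -> List[str]:
    """IDi/IDr are the initiator's effective left/right ids; addresses come from
    the host log. IDi cannot fail here because the host has right=%any, so the
    IDr-versus-leftid comparison alone decides the outcome."""
    idi, idr = effective_id(roadwarrior.local), effective_id(roadwarrior.remote)
    return lookup(host_configs, "192.168.1.3", idr, "37.49.112.130", idi)


if __name__ == "__main__":
    print("as posted:   ", responder_result(roadwarrior_as_posted))     # []
    print("with rightid:", responder_result(roadwarrior_with_rightid))  # ['IPSec-IKEv2']
```

The check a practitioner can do by hand is the one the model performs: take the two identities printed in brackets in the "looking for peer configs matching" line and compare them with the effective leftid and rightid of every conn on the responder; a DN on one side and an FQDN received from the other never match. When leftid is set together with leftcert, strongSwan requires that id to be contained in the certificate (as its subject DN or a subjectAltName), so pinning the initiator's rightid to the responder's certificate DN, as in the second config above, is the variant that works without reissuing certificates. Separately, the host's ike= line pins the DH group to modp1024; the INVAL_KE exchange visible in both logs shows the roadwarrior being pushed down from modp2048 to it, and a 1024-bit MODP group is below current recommendations.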



