[strongSwan] Failed to make a tunnel with public key auth

Alarig Le Lay alarig at swordarmor.fr
Thu Dec 17 17:45:42 CET 2015


Hi,

I would like to set up a tunnel and authenticate my peer with his public key.
Everything works as long as I don't try to ping him.

This is my conf:
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
conn andi
        right=$peer_ip
        left=91.224.149.198
        type=transport
        keyexchange=ikev1
        ike=aes128-sha256-modp2048!
        esp=aes128-sha1-modp2048!
        authby=pubkey
        leftrsasigkey=/etc/ipsec.d/public/mykey.pub
        rightrsasigkey=/etc/ipsec.d/public/andi.pub
        leftprotoport=gre
        rightprotoport=gre
        auto=route
        keyingtries=%forever

This is his conf:
conn dn42-alarig
	rightresasigkey=/etc/ipsec.d/public/alarig.pem
	left = $peer_ip
	right=91.224.149.198
conn %default
	keyexchange=ikev1
	dpdaction=restart
	ike=aes128-sha256-modp2048!
	ikelifetime=28800s
	authby=pubkey
	left = 2a01:4f8:201:6344::1
	leftrsasigkey=/etc/ipsec.d/public/boolean.pem
	esp=aes128-sha1-modp2048!
	lifetime=3600s
	type=transport
	rightprotoport=gre
	# startup
	keyingtries=%forever
	leftsubnet=%dynamic[gre]
	rightsubnet=%dynamic[gre]

This is the log when I bring the tunnel up:
Dec 16 22:36:27 ttn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-686-pae, i686)
Dec 16 22:36:27 ttn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec 16 22:36:27 ttn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec 16 22:36:27 ttn charon: 00[CFG]   loaded certificate "C=FR, ST=Bretagne, O=SwordArMor, OU=dn42, CN=ttn.dn42, E=root at swordarmor.fr" from '/etc/ipsec.d/aacerts/ttn.dn42.crt'
Dec 16 22:36:27 ttn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec 16 22:36:27 ttn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec 16 22:36:27 ttn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec 16 22:36:27 ttn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Dec 16 22:36:27 ttn charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Dec 16 22:36:27 ttn charon: 00[CFG]   loaded IKE secret for tunnel at ttn.dn42
Dec 16 22:36:27 ttn charon: 00[CFG]   loaded IKE secret for tunnel at drscott.swordarmor.dn42
Dec 16 22:36:27 ttn charon: 00[CFG]   loaded IKE secret for 91.224.149.198 193.192.62.189
Dec 16 22:36:27 ttn charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/mykey.pem'
Dec 16 22:36:27 ttn charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Dec 16 22:36:27 ttn charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
Dec 16 22:36:27 ttn charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Dec 16 22:36:27 ttn charon: 00[JOB] spawning 16 worker threads
Dec 16 22:36:27 ttn charon: 11[CFG] received stroke: add connection 'andi'
Dec 16 22:36:27 ttn charon: 11[CFG]   loaded RSA public key for "91.224.149.198" from '/etc/ipsec.d/public/mykey.pub'
Dec 16 22:36:27 ttn charon: 11[CFG]   loaded RSA public key for "$peer_ip" from '/etc/ipsec.d/public/andi.pub'
Dec 16 22:36:27 ttn charon: 11[CFG] added configuration 'andi'
Dec 16 22:36:27 ttn charon: 12[CFG] received stroke: route 'andi'
Dec 16 22:36:32 ttn charon: 15[KNL] unable to receive from rt event socket

And this is the log when I try to ping him through the GRE interface:
Dec 17 17:43:40 ttn charon: 11[KNL] creating acquire job for policy 91.224.149.198/32[gre] === $peer_ip/32[gre] with reqid {1}
Dec 17 17:43:40 ttn charon: 11[IKE] initiating Main Mode IKE_SA andi[1] to $peer_ip
Dec 17 17:43:40 ttn charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 17 17:43:40 ttn charon: 11[NET] sending packet: from 91.224.149.198[500] to $peer_ip[500] (156 bytes)
Dec 17 17:43:40 ttn charon: 13[NET] received packet: from $peer_ip[500] to 91.224.149.198[500] (136 bytes)
Dec 17 17:43:40 ttn charon: 13[ENC] parsed ID_PROT response 0 [ SA V V V ]
Dec 17 17:43:40 ttn charon: 13[IKE] received XAuth vendor ID
Dec 17 17:43:40 ttn charon: 13[IKE] received DPD vendor ID
Dec 17 17:43:40 ttn charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Dec 17 17:43:40 ttn charon: 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 17 17:43:40 ttn charon: 13[NET] sending packet: from 91.224.149.198[500] to $peer_ip[500] (396 bytes)
Dec 17 17:43:40 ttn charon: 14[NET] received packet: from $peer_ip[500] to 91.224.149.198[500] (396 bytes)
Dec 17 17:43:40 ttn charon: 14[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 17 17:43:40 ttn charon: 14[IKE] authentication of '91.224.149.198' (myself) successful
Dec 17 17:43:40 ttn charon: 14[ENC] generating ID_PROT request 0 [ ID SIG ]
Dec 17 17:43:40 ttn charon: 14[NET] sending packet: from 91.224.149.198[500] to $peer_ip[500] (572 bytes)
Dec 17 17:43:40 ttn charon: 15[NET] received packet: from $peer_ip[500] to 91.224.149.198[500] (108 bytes)
Dec 17 17:43:40 ttn charon: 15[ENC] parsed INFORMATIONAL_V1 request 2553897319 [ HASH N(AUTH_FAILED) ]
Dec 17 17:43:40 ttn charon: 15[IKE] received AUTHENTICATION_FAILED error notify


Do you have any idea about this?

Thanks,
-- 
Alarig Le Lay
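Two things in the post are worth separating when reading the log above. "authentication of '91.224.149.198' (myself) successful" is the local side signing its own ID/SIG payload; the AUTHENTICATION_FAILED notify arrives from the peer afterwards, so it is the peer's view of the initiator's identity and public key that decides the outcome, and the peer's charon log is where the reason will be. Before going there, it pays to check that the two ipsec.conf fragments actually mirror each other. The script below is an added example, not code from the post or from strongSwan: a heuristic linter that parses both fragments, folds `conn %default` into the named conn, and reports keywords it does not recognise, a missing `leftrsasigkey`/`rightrsasigkey` under `authby=pubkey`, non-mirrored `left`/`right` addresses or selector protocols, and differing `ike`/`esp`/`keyexchange`/`type` values (the trailing `!` makes proposals strict, so they must match exactly). `KEYWORDS` is a hand-picked subset of ipsec.conf keywords, an assumption rather than strongSwan's authoritative list; `$peer_ip` is kept as the placeholder the post uses, and the embedded configs are constructed from the two quoted above. On that input it flags `rightresasigkey` in the second config as unknown (the strongSwan keyword is `rightrsasigkey`) and the resulting missing right key; whether that is the cause of the AUTH_FAILED is not something the post itself confirms.

```python
"""Lint two peers' ipsec.conf fragments for pubkey-auth mismatches (added example)."""
import re

# Hand-picked subset of ipsec.conf keywords (assumption, not strongSwan's full list).
KEYWORDS = {"auto", "authby", "dpdaction", "esp", "ike", "ikelifetime", "keyexchange",
            "keyingtries", "keylife", "left", "leftprotoport", "leftrsasigkey", "leftsubnet",
            "lifetime", "rekeymargin", "right", "rightprotoport", "rightrsasigkey",
            "rightsubnet", "type"}

# Constructed from the two configs quoted in the post; $peer_ip kept as a placeholder.
PEER_A = """\
conn %default
        keyexchange=ikev2
        keyingtries=1
conn andi
        right=$peer_ip
        left=91.224.149.198
        type=transport
        keyexchange=ikev1
        ike=aes128-sha256-modp2048!
        esp=aes128-sha1-modp2048!
        authby=pubkey
        leftrsasigkey=/etc/ipsec.d/public/mykey.pub
        rightrsasigkey=/etc/ipsec.d/public/andi.pub
        leftprotoport=gre
        rightprotoport=gre
        auto=route
"""
PEER_B = """\
conn dn42-alarig
\trightresasigkey=/etc/ipsec.d/public/alarig.pem
\tleft = $peer_ip
\tright=91.224.149.198
conn %default
\tkeyexchange=ikev1
\tike=aes128-sha256-modp2048!
\tauthby=pubkey
\tleft = 2a01:4f8:201:6344::1
\tleftrsasigkey=/etc/ipsec.d/public/boolean.pem
\tesp=aes128-sha1-modp2048!
\ttype=transport
\trightprotoport=gre
\t# startup
\tleftsubnet=%dynamic[gre]
\trightsubnet=%dynamic[gre]
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; unindented lines open a section,
    indented key=value lines belong to it, '#' comments and blanks are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # "conn NAME" or "config setup"
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")  # tolerate "left = x"
        if sep:
            conns[current][key.strip()] = value.strip()
    return conns


def effective(conns, name):
    """Fold 'conn %default' under the named conn; the conn's own values win."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def selector_proto(conf, side):
    """Protocol of one side's selector, from sideprotoport=gre or
    sidesubnet=%dynamic[gre]; None when the selector is unrestricted."""
    pp = conf.get(side + "protoport")
    if pp:
        return pp.split("/", 1)[0]
    m = re.search(r"\[([^\]/]+)", conf.get(side + "subnet", ""))
    return m.group(1) if m else None


def lint_pair(text_a, name_a, text_b, name_b):
    """Return human-readable findings for two peers' configs; empty means nothing caught."""
    findings, eff = [], {}
    for tag, text, name in (("A", text_a, name_a), ("B", text_b, name_b)):
        conns = parse_ipsec_conf(text)
        for conn, kv in conns.items():
            findings += [f"{tag}: conn {conn}: unknown keyword '{k}'" for k in kv if k not in KEYWORDS]
        eff[tag] = effective(conns, name)
        if eff[tag].get("authby") == "pubkey":  # pubkey auth needs both peers' keys on each side
            findings += [f"{tag}: authby=pubkey but {k} is missing"
                         for k in ("leftrsasigkey", "rightrsasigkey") if k not in eff[tag]]
    a, b = eff["A"], eff["B"]
    for sa, sb in (("left", "right"), ("right", "left")):  # A's left must be B's right
        if a.get(sa) != b.get(sb):
            findings.append(f"{sa} on A ({a.get(sa)}) != {sb} on B ({b.get(sb)})")
        if selector_proto(a, sa) != selector_proto(b, sb):
            findings.append(f"selector protocol differs on A {sa} / B {sb}")
    for key in ("keyexchange", "ike", "esp", "type", "authby"):  # '!' makes proposals strict
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: A={a.get(key)} B={b.get(key)}")
    return findings


def lint_post_configs():
    """Run the linter over the two constructed configs from the post."""
    return lint_pair(PEER_A, "andi", PEER_B, "dn42-alarig")


if __name__ == "__main__":
    for finding in lint_post_configs():
        print(finding)
```

Run it as-is and it reports the two findings on the second config; edit a proposal on one side (say the `ike=` line) and a third finding appears, which is the kind of mismatch that otherwise only shows up as a NO_PROPOSAL_CHOSEN or, with pubkey auth, as an opaque failure on the responder. The linter deliberately stops at configuration: it does not open the key files, so a wrong or stale public key on the responder, which produces exactly the same AUTHENTICATION_FAILED notify, still has to be checked by comparing the key files' modulus on both hosts.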