[strongSwan] Mac OS 10.10 Client to Linux Strongswan server HASH N(AUTH_FAILED) error
Jude Oliver
judeo at blansys.com
Mon Apr 18 17:00:43 CEST 2016
I am attempting to setup a RHEL 7 based Strongswan server, with Macintosh based clients, using ipsec (the built in OS X Cisco client), and I am unable to get this to behave so far.
It appears to be issue with the certs? I have regenerated them on both sides several times and that does not seem to be resolving my issue here.
Any insights into what I am missing in my setup, my hope is that this is just some simple newbie mistake I am doing.
My ipsec.conf file:
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
leftauth=psk
rightauth=psk
rightauth2=xauth
leftid=10.0.11.200
rightid=10.0.11.160
conn rw-carol
also=rw
right=10.0.11.0/24
auto=add
conn rw-dave
also=rw
right=10.0.11.0/24
auto=add
conn rw
left=10.0.11.200
leftsubnet=10.11.0.0/16
leftfirewall=yes
This is my ipsec.secrets file:
: RSA RH7Standard.vpnHostPrivateKey.der
: PSK “Password"
judeo %any : EAP "Password"
judeo %any : XAUTH "Password"
judeo %any : PSK "Password"
This is the error I am seeing in the logs:
Apr 18 09:45:41 RH7Standard charon: 10[IKE] 10.0.11.160 is initiating a Main Mode IKE_SA
Apr 18 09:45:41 RH7Standard charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 18 09:45:41 RH7Standard charon: 10[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (136 bytes)
Apr 18 09:45:41 RH7Standard strongswan: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.0-327.4.5.el7.x86_64, x86_64)
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] openssl FIPS mode(2) - enabled
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] created TUN device: ipsec0
Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open socket: Address family not supported by protocol
Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open IPv6 socket, IPv6 disabled
Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] received netlink error: Address family not supported by protocol (97)
Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] unable to create IPv6 routing table rule
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.SelfSigned.CA.cert.strongswanCert.der'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.Converted.SelfSigned.CA.cert.pem'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/aacerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/ocspcerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/acerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/crls' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/RH7Standard.vpnHostPrivateKey.der'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded IKE secret for %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded EAP secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded EAP secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded IKE secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded 0 RADIUS server configurations
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] MAP server certificate not defined
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] TNC recommendation policy is 'default'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] missing PDP server name, PDP disabled
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] loading IMCs from '/etc/tnc_config'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
Apr 18 09:45:41 RH7Standard strongswan: 00[JOB] spawning 16 worker threads
Apr 18 09:45:41 RH7Standard strongswan: 11[CFG] received stroke: add connection 'rw-carol'
Apr 18 09:45:41 RH7Standard strongswan: 11[CFG] added configuration 'rw-carol'
Apr 18 09:45:41 RH7Standard strongswan: 13[CFG] received stroke: add connection 'rw-dave'
Apr 18 09:45:41 RH7Standard strongswan: 13[CFG] added child to existing configuration 'rw-carol'
Apr 18 09:45:41 RH7Standard strongswan: 10[NET] received packet: from 10.0.11.160[500] to 10.0.11.200[500] (668 bytes)
Apr 18 09:45:41 RH7Standard strongswan: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received NAT-T (RFC 3947) vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received XAuth vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received Cisco Unity vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received FRAGMENTATION vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] received DPD vendor ID
Apr 18 09:45:41 RH7Standard strongswan: 10[IKE] 10.0.11.160 is initiating a Main Mode IKE_SA
Apr 18 09:45:41 RH7Standard strongswan: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 18 09:45:41 RH7Standard charon: 11[NET] received packet: from 10.0.11.160[500] to 10.0.11.200[500] (292 bytes)
Apr 18 09:45:41 RH7Standard charon: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 18 09:45:41 RH7Standard charon: 11[IKE] faking NAT situation to enforce UDP encapsulation
Apr 18 09:45:41 RH7Standard charon: 11[IKE] sending cert request for "C=US, O=BSI, CN=RH7Standard.blansys.com"
Apr 18 09:45:41 RH7Standard charon: 11[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 18 09:45:41 RH7Standard charon: 11[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (376 bytes)
Apr 18 09:45:42 RH7Standard charon: 12[NET] received packet: from 10.0.11.160[4500] to 10.0.11.200[4500] (1500 bytes)
Apr 18 09:45:42 RH7Standard charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 18 09:45:42 RH7Standard charon: 12[IKE] ignoring certificate request without data
Apr 18 09:45:42 RH7Standard charon: 12[IKE] received end entity cert "C=US, O=BSI, CN=judeo at blansys.com"
Apr 18 09:45:42 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, CN=judeo at blansys.com]
Apr 18 09:45:42 RH7Standard charon: 12[IKE] no peer config found
Apr 18 09:45:42 RH7Standard charon: 12[ENC] generating INFORMATIONAL_V1 request 2365044413 [ HASH N(AUTH_FAILED) ]
Apr 18 09:45:42 RH7Standard charon: 12[NET] sending packet: from 10.0.11.200[4500] to 10.0.11.160[4500] (92 bytes)
________________________________
Jude Oliver
Support
1100 Poydras St. Suite 1230
New Orleans, LA 70163
Main Office: 504-529-8869
Joliver at blansys.com
www.blanchardsystems.com<http://www.blanchardsystems.com/>
-----------------------------------------------------
Join Blanchard Systems
2016 Tips and Tricks Training Webinars
Check out the Blanchard Systems 2015 FREE monthly Tips & Tricks training webinars.
Click Here<http://www.blanchardsystems.com/events/> to view the schedule and register for one of our upcoming events.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160418/70c2df01/attachment-0001.html>
More information about the Users
mailing list