[strongSwan] Moving from OpenSwan to StrongSWAN AUTHENTICATION_FAILED notify error
Maqbool Patel
maqbool.patel at gmail.com
Tue Feb 14 17:03:08 CET 2017
I have done quite a bit of searching and playing around and I am still
stuck with this issue. Trying to see if I can get some help here. Thanks in
advance. I have posted this to Stack Overflow as well; the link is here:
http://stackoverflow.com/questions/42212151/moving-from-openswan-to-strongswan-authentication-failed-notify-error
I am converting a site from OpenSWAN to StrongSWAN. My peer is a Cisco ASA
device, not sure of the model etc. The tunnel was up and running fine
between OpenSWAN and Cisco. We want to move to StrongSWAN (another story
why we are moving). I removed OpenSWAN and installed StrongSWAN (on Ubuntu);
it was super easy. I converted the ipsec.conf to StrongSWAN requirements. When I
start the tunnel I get the error "received AUTHENTICATION_FAILED notify error".
The same parameters worked for OpenSWAN, so I thought this should be an easy
move. I don't have access to the Cisco ASA as it is our partner's. I have
opened a ticket with them to help me, but that ticket is in the queue. I was
wondering if anybody can shed some light on this problem.
root@ip-10-0-0-33:/home/deploy# ipsec up Baptist
initiating IKE_SA Baptist[1652] to 50.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.0.33[500] to 50.xx.xx.xx[500] (1000 bytes)
received packet: from 50.xx.xx.xx[500] to 10.0.0.33[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_1024, it requested ECP_521
initiating IKE_SA Baptist[1652] to 50.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.0.33[500] to 50.xx.xx.xx[500] (1004 bytes)
received packet: from 50.xx.xx.xx[500] to 10.0.0.33[500] (506 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
local host is behind NAT, sending keep alives
received 2 cert requests for an unknown ca
authentication of '52.34.130.137' (myself) with pre-shared key
establishing CHILD_SA Baptist
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.0.0.33[4500] to 50.xx.xx.xx[4500] (576 bytes)
received packet: from 50.xx.xx.xx[4500] to 10.0.0.33[4500] (96 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'Baptist' failed
Here is my config file:

config setup
    strictcrlpolicy=no
    charondebug=all

conn %default
    left=%any
    ikelifetime=86400s
    keylife=28800s
    authby=secret
    keyexchange=ike

conn Baptist
    left=10.0.0.33
    leftsourceip=10.0.0.33
    leftid=52.XX.XX.XX
    leftsubnet=10.0.0.33/32
    eap_identity=52.XX.XX.XX
    right=50.YY.YY.YY
    rightsubnet=10.17.10.66/32,10.13.210.2/32
    auto=start
    ike=aes256-sha1-mod1024
    esp=aes256-sha1-mod1024
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
*EDIT*: My original OpenSWAN config file is below. BTW: I tried ike1 and ike2
with StrongSWAN with the same effect.

conn Baptist
    type=tunnel
    authby=secret
    auto=start
    forceencaps=yes
    left=%defaultroute
    leftid=52.XX.XX.XX
    #leftsourceip=10.1.200.19
    #leftsourceip=52.XX.XX.XX
    leftsourceip=10.0.0.33
    leftsubnets={10.0.0.33/32}
    right=50.YY.YY.YY
    rightid=50.YY.YY.YY
    rightsubnets=10.17.10.66/32,10.13.210.2/32
    ikelifetime=86400s
    keylife=28800s
    keyexchange=ike
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
-maqbool
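The charon output above records two distinct negotiation facts (the peer rejected MODP_1024 and asked for ECP_521, then rejected the PSK-based AUTH payload). The following triage helper is an added example, not part of the original post or of strongSwan: it parses such `ipsec up` output and summarises what the peer asked for and where the exchange failed. The function name `triage_charon_log` and the embedded sample log (modelled on the lines in the post, addresses masked) are constructed for illustration.

```python
"""Triage helper for charon (strongSwan) 'ipsec up' output (added example)."""
import re

# Constructed sample, modelled on the log in the post (addresses masked).
SAMPLE_LOG = """\
initiating IKE_SA Baptist[1652] to 50.xx.xx.xx
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_1024, it requested ECP_521
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
local host is behind NAT, sending keep alives
received 2 cert requests for an unknown ca
authentication of '52.34.130.137' (myself) with pre-shared key
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'Baptist' failed
"""

DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
AUTH_RE = re.compile(r"authentication of '([^']+)' \(myself\) with (.+)$")
NOTIFY_RE = re.compile(r"received (\S+) notify error")

def triage_charon_log(text):
    """Return facts extracted from the log plus plain-text findings (hypothetical helper)."""
    r = {"dh_rejected": None, "dh_requested": None, "local_id": None,
         "auth_method": None, "notify_errors": [], "peer_sent_certreq": False,
         "behind_nat": False, "findings": []}
    for line in text.splitlines():
        if m := DH_RE.search(line):            # INVAL_KE: peer wants another DH group
            r["dh_rejected"], r["dh_requested"] = m.group(1), m.group(2)
        elif m := AUTH_RE.search(line):        # which identity/method we authenticated with
            r["local_id"], r["auth_method"] = m.group(1), m.group(2).strip()
        elif m := NOTIFY_RE.search(line):      # error notifies returned by the peer
            r["notify_errors"].append(m.group(1))
        elif "IKE_SA_INIT response" in line and "CERTREQ" in line:
            r["peer_sent_certreq"] = True      # peer advertised certificate authentication
        elif "local host is behind NAT" in line:
            r["behind_nat"] = True
    if r["dh_requested"]:
        r["findings"].append(f"peer rejected {r['dh_rejected']} and asked for "
                             f"{r['dh_requested']}: the ike= proposal must include it")
    if "AUTHENTICATION_FAILED" in r["notify_errors"]:
        r["findings"].append(f"peer rejected our AUTH ({r['auth_method']} as '{r['local_id']}'): "
                             "verify the PSK and that the peer expects this identity")
        if r["peer_sent_certreq"] and r["auth_method"] == "pre-shared key":
            r["findings"].append("peer sent CERTREQ but we used a PSK: confirm the peer is "
                                 "configured for PSK, not certificate authentication")
    return r

if __name__ == "__main__":
    for finding in triage_charon_log(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run it against the saved output of `ipsec up <conn>` (with `charondebug` as in the post) to get the three findings the sample log produces; the findings are starting points for checking the local proposal and the PSK/identity pair against the peer, not a diagnosis.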