[strongSwan] no IDr configured, fall back on IP address

lejeczek peljasz at yahoo.co.uk
Fri Jan 18 15:18:22 CET 2019


Hi guys,

I've had this working, the config which is now failing; I can easily
blame the strongswan update my distro sent down.

I've had my certs okay but now (I admit I've not used this tunnel in
a long time) this connection fails, and it seems to be due to some cert issues.

But am I right to blame some change in my strongswan package? What can
be the problem?

Here is some log:

..

13[MGR] checkin of IKE_SA successful
13[MGR] checkout IKEv2 SA by message with SPIs 82396af750960ac0_i 17f4b42410718369_r
13[MGR] IKE_SA (unnamed)[1] successfully checked out
13[NET] received packet: from 172.24.46.236[4500] to 172.24.154.202[4500] (708 bytes)
13[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
13[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1872 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
13[IKE] received cert request for "C=shire, O=xx. CN=priv.xx.xx.priv.xx.xx.x"
13[IKE] received end entity cert "C=shire, O=xx. CN=sucker at priv.xx.xx.priv.xx.xx.x"
13[CFG] looking for peer configs matching 172.24.154.202[%any]...172.24.46.236[C=shire, O=xx. CN=sucker at priv.xx.xx.priv.xx.xx.x]
13[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
13[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
13[CFG] selected peer config 'IPSec-IKEv2'
13[CFG]   using certificate "C=shire, O=xx. CN=sucker at priv.xx.xx.priv.xx.xx.x"
13[CFG]   certificate "C=shire, O=xx. CN=sucker at priv.xx.xx.priv.xx.xx.x" key: 2048 bit RSA
13[CFG]   using trusted ca certificate "C=shire, O=xx. CN=priv.xx.xx.priv.xx.xx.x"
13[CFG] checking certificate status of "C=shire, O=xx. CN=sucker at priv.xx.xx.priv.xx.xx.x"
13[CFG] ocsp check skipped, no ocsp found
13[CFG] certificate status is not available
13[CFG]   certificate "C=shire, O=xx. CN=priv.xx.xx.priv.xx.xx.x" key: 4096 bit RSA
13[CFG]   reached self-signed root ca with a path length of 0
13[IKE] authentication of 'C=shire, O=xx. CN=sucker at priv.xx.xx.priv.xx.xx.x' with RSA_EMSA_PKCS1_SHA2_256 successful
13[IKE] processing INTERNAL_IP4_ADDRESS attribute
13[IKE] processing INTERNAL_IP4_DNS attribute
13[IKE] peer supports MOBIKE
13[IKE] got additional MOBIKE peer address: 10.0.16.8
13[IKE] got additional MOBIKE peer address: 10.5.10.49
13[CFG] no IDr configured, fall back on IP address
13[IKE] no priv key found for '172.24.154.202'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13[NET] sending packet: from 172.24.154.202[4500] to 172.24.46.236[4500] (80 bytes)
13[MGR] checkin and destroy IKE_SA IPSec-IKEv2[1]
13[IKE] IKE_SA IPSec-IKEv2[1] state change: CONNECTING => DESTROYING
13[MGR] checkin and destroy of IKE_SA successful

many thanks, L.
