[strongSwan] IKE-Auth Problem

Michael Schwartzkopff ms at sys4.de
Tue Jan 12 13:27:24 CET 2021


On 12.01.21 12:00, fatcharly at gmx.de wrote:
> Hi,
>
> I'm using strongswan-5.7.2-1.el7.x86_64 on CentOS Linux release 7.9.2009 (Core) as a VPN gateway, with some connections already working. I have some problems with a connection which wants to switch over to certificate authentication.
> This is what I get when I start the connection:
>
> [root at tig strongswan]# strongswan up connection_RLP_test
> initiating IKE_SA lotto_RLP_test[19] to xxx.xxx.xxx.44
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from xxx.xxx.xxx.20[500] to xxx.xxx.xxx.44[500] (464 bytes)
> received packet: from xxx.xxx.xxx.44[500] to xxx.xxx.xxx.20[500] (469 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> received cert request for "C=de, O=connection RLP, CN=RLP CA 2015"
> received 3 cert requests for an unknown ca
> sending cert request for "C=de, O=connection RLP, CN=RLP CA 2015"
> authentication of 'C=DE, ST=local, L=local, O=bay , OU=bay1, CN=vpn.gateway.de, E=tecs at gateway.de' (myself) with RSA signature successful
> sending end entity cert "C=DE, ST=local, L=local, O=bay GmbH, OU=bay1, CN=vpn.gateway.de, E=tecs at gateway.de"
> establishing CHILD_SA connection_RLP_test{24}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from xxx.xxx.xxx.20[500] to xxx.xxx.xxx.44[500] (1840 bytes)
> received packet: from xxx.xxx.xxx.44[500] to xxx.xxx.xxx.20[500] (96 bytes)
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'connection_RLP_test' failed
>
> What is the problem, and what can I do to solve it?
>
> Any suggestions are welcome
>
> stay safe and healthy
>
> fatcharly


Authentication on the other side failed. See the logs of the other side.

The other side sends you the information that the auth failed. There is
no chance on your side to find out why. My wild suggestion: perhaps the
other side does not trust the CA that signed your server certificate, or
the cert chain is broken, or something else.



Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
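An added example, not part of the original thread and not strongSwan's own code: the two causes suggested in the reply (the peer does not trust the CA that issued the gateway certificate; the chain is broken, e.g. an intermediate CA is missing) can be reproduced and checked offline with openssl before contacting the peer again. The peer's CERTREQ payloads name the CAs it trusts; "received 3 cert requests for an unknown ca" means three of them are not known on the initiator at all. The script builds a constructed test PKI (root, intermediate, gateway certificate, and an unrelated root; every name in it is made up) and then runs `openssl verify` in the three situations. For the real check, substitute the gateway's certificate for gw.crt and the CA named in the peer's cert request for root.crt: if the chain does not verify locally against that CA, the peer will not accept it either.

```shell
#!/bin/sh
# Added example, not strongSwan code: check the two failure modes suggested
# in the reply (peer does not trust your CA; chain broken) with openssl.
# Every CA and host name below is constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed test PKI: "Test Root CA" -> "Test Intermediate CA" ->
# gateway cert, plus an unrelated "Other Root CA" that signed nothing here.
mk_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1

  # Intermediate CA: must carry CA:TRUE and keyCertSign to be usable in a chain.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -set_serial 1 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -extfile "$WORK/inter.ext" \
    -out "$WORK/inter.crt" >/dev/null 2>&1

  # Gateway (end entity) certificate, issued by the intermediate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' \
    > "$WORK/gw.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/gw.key" -out "$WORK/gw.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -set_serial 2 -in "$WORK/gw.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -extfile "$WORK/gw.ext" \
    -out "$WORK/gw.crt" >/dev/null 2>&1
}

# issuer_of CERT: print the issuer DN in RFC 2253 form, to compare with the
# DN the peer names in its CERTREQ ("received cert request for ...").
issuer_of() {
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$1"
}

# chain_ok TRUST_ANCHOR LEAF [INTERMEDIATE]: exit 0 if LEAF chains to
# TRUST_ANCHOR (through the optional INTERMEDIATE), 1 otherwise.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

mk_pki
echo "gateway cert $(issuer_of "$WORK/gw.crt")"
# 1. Peer trusts our root and receives the intermediate with the chain: OK.
if chain_ok "$WORK/root.crt" "$WORK/gw.crt" "$WORK/inter.crt"; then
  echo "root + intermediate: verified"
fi
# 2. Peer trusts our root but never sees the intermediate: chain broken.
if ! chain_ok "$WORK/root.crt" "$WORK/gw.crt"; then
  echo "root only, intermediate missing: verify FAILED"
fi
# 3. Peer trusts a different CA entirely: issuer not trusted.
if ! chain_ok "$WORK/other.crt" "$WORK/gw.crt" "$WORK/inter.crt"; then
  echo "other root: verify FAILED"
fi
```

Case 2 is the one to look at when the gateway certificate is issued by an intermediate: the peer only gets the chain it is sent, so the intermediate must be in the IKE_AUTH CERT payloads (or already installed on the peer) for verification against the root it named in its CERTREQ to succeed.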



