[strongSwan] received AUTHENTICATION_FAILED notify error

2010-03-31 Thread Abbhishek Misra
Hello listreaders,

(started a new thread as these are fresh settings)

I moved on to a shared key with both ends instead of certificates.

It's still not coming up due to AUTHENTICATION_FAILED notify error

below are my new settings

plm56:~/abhishek # cat  /etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
crlcheckinterval=600
strictcrlpolicy=yes
plutostart=no
charondebug=all
cachecrls=yes
nat_traversal=yes

conn charontest
left=9.182.176.61
right=9.182.176.56
type=transport
keyexchange=ikev2
mobike=no
auto=add
authby=secret
ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024

plm56:~/abhishek # cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

9.182.176.61 9.182.176.56 : PSK abcdefg12345
plm56:~/abhishek #


plm61:~/abhishek # rm /etc/ipsec.conf
plm61:~/abhishek # rm /etc/ipsec.secrets
plm61:~/abhishek #
plm61:~/abhishek # scp plm56:/etc/ipsec.conf /etc/ipsec.conf
ipsec.conf                                    100%  449 0.4KB/s   00:00
plm61:~/abhishek # scp plm56:/etc/ipsec.secrets /etc/ipsec.secrets
ipsec.secrets                                 100%  101 0.1KB/s   00:00
plm61:~/abhishek #

started ipsec on both ends

plm61:~/abhishek # ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.3.4 IPsec [starter]...
plm61:~/abhishek #
plm61:~/abhishek #
plm61:~/abhishek # ipsec up charontest
initiating IKE_SA charontest[1] to 9.182.176.56
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 9.182.176.61[500] to 9.182.176.56[500]
received packet: from 9.182.176.56[500] to 9.182.176.61[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of '9.182.176.61' (myself) with pre-shared key
establishing CHILD_SA charontest
generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) ]
sending packet: from 9.182.176.61[500] to 9.182.176.56[500]
received packet: from 9.182.176.56[500] to 9.182.176.61[500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
plm61:~/abhishek #
plm61:~/abhishek #

plm61:~/abhishek # ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 5 minutes, since Mar 31 20:17:24 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 hmac xcbc stroke kernel-netlink updown
Listening IP addresses:
  9.182.176.61
Connections:
  charontest:  9.182.176.61...9.182.176.56
  charontest:   local:  [9.182.176.61] uses pre-shared key authentication
  charontest:   remote: [9.182.176.56] uses any authentication
  charontest:crl:   status must be GOOD
  charontest:   child:  dynamic === dynamic
Security Associations:
  none
plm61:~/abhishek #

The log messages also do not have any additional info.

Let me know your views on this.

Regards
Abhishek

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)

2010-03-31 Thread Yong Choo
Hi all,
I progressed much further.
I had to manually load additional modules for IPV6 operation (For IPv4 
type, ipsec automatically loads 'ah4, esp4, tunnel4, xfrm4_tunnel')
modprobe ah6
modprobe esp6
modprobe tunnel6
modprobe xfrm6_tunnel

Are there any other modules that I need to load for IPV6?



Yong Choo wrote:
 Hi,
 I'm getting the following errors on my linux 2.6.21 based using 
 strongswan 4.3.3 version:
 Any Help would be appreciated! (The host that I'm communicating with has 
 2.6.27 and it has no problem)

 I configured/checked all required IPV6 kernel protocols in linux 2.6.21 
 as defined in the installation document url also.

 eCCM-root-/etc ipsec up enb12v6
 initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
 received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
 authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
 establishing CHILD_SA enb12v6
 generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
 sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
 received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
 parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
 authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
 scheduling rekeying in 50s
 maximum IKE_SA lifetime 370s
 IKE_SA enb12v6[1] established between fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
 received netlink error: Protocol not supported (93)
 unable to add SAD entry with SPI c05a60aa
 received netlink error: Protocol not supported (93)
 unable to add SAD entry with SPI c48cd085
 unable to install inbound and outbound IPsec SA (SAD) in kernel


 The ipsec.conf has the following entries:

 config setup
   plutostart=no

 conn %default
   auth=esp
   dpdaction=restart
   dpddelay=50s
   esp=aes128-sha1-modp1024,3des-sha1-modp1024
   forceencaps=no
   ike=aes128-sha-modp1024,3des-sha-modp1024
   ikelifetime=500s
   installpolicy=yes
   keyexchange=ikev2
   keyingtries=%forever
   keylife=400s
   mobike=no
   pfs=yes
   reauth=no
   rekey=yes
   rekeymargin=320s
   type=tunnel
   leftauth=psk
   rightauth=psk

 conn enb12v4
   left=135.112.41.22
   right=135.112.40.181
   auto=add
 conn enb12v6
   left=fd00:::410:172:21:10:12
   #leftsourceip=fd00:::410:172:21:10:12
   leftsubnet=fd00::12/64
   right=fd00:::410:172:21:10:181
   rightsubnet=fd00::181/64
   auto=add



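A check for the step described in the reply above, as an added example that is not part of the original thread: it reads a /proc/modules-style listing and reports which of the four IPv6 modules named in the message are not loaded. The sample listing is constructed, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Module names taken from the message above; nothing else is assumed required.
REQUIRED_V6_MODULES="ah6 esp6 tunnel6 xfrm6_tunnel"

# Constructed excerpt in /proc/modules format (name size refcount deps state addr).
sample_listing() {
    cat <<'EOF'
esp4 7552 0 - Live 0xf8a3c000
ah4 6272 0 - Live 0xf8a2d000
xfrm4_tunnel 2688 0 - Live 0xf8a21000
tunnel4 3592 1 xfrm4_tunnel, Live 0xf8a1a000
esp6 7808 0 - Live 0xf8a52000
EOF
}

# missing_modules MODULE...
# Reads a /proc/modules-style listing on stdin, prints the requested modules
# that are not in it (space separated), and returns 0 only if none are missing.
# Note: code compiled into the kernel is not listed in /proc/modules, so a
# name reported here may still be available as a built-in.
missing_modules() {
    # The module name is the first whitespace-separated field of each line.
    loaded=$(awk '{ print $1 }')
    missing=""
    for mod in "$@"; do
        # -x -F: whole-line literal match, so "esp6" is not satisfied by a
        # longer name that merely starts with "esp6".
        printf '%s\n' "$loaded" | grep -qxF -- "$mod" \
            || missing="${missing:+$missing }$mod"
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Demo on the constructed listing. On a live host, feed the real file instead:
#   missing_modules $REQUIRED_V6_MODULES < /proc/modules
if ! m=$(sample_listing | missing_modules $REQUIRED_V6_MODULES); then
    echo "not loaded: $m"
fi
```

Running the check before `ipsec up` on an IPv6 connection shows whether the kernel side is ready before the SAD install is attempted.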