Hello,
Thanks for your valuable suggestion. I rectified my problem, but I am still not
able to establish a Security Association.

Following are the results of "ipsec listall" at both ends.

Result of "ipsec listall" at moon:

List of X.509 End Entity Certificates:

  altNames:  192.168.3.3
  subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com"
  issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    10:00:06
  validity:  not before Mar 10 22:04:25 2009, ok
             not after  Mar 10 22:04:25 2011, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     7e:35:20:c0:96:1e:c7:53:77:c2:44:3a:98:0a:84:96:7b:ad:9b:ee
  subjkey:   c4:84:38:1c:2b:22:c4:39:6a:c7:6e:5d:9a:5e:06:3c:98:a3:25:37
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of X.509 CA Certificates:

  subject:  "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    00:d5:8c:82:99:da:6c:4e:99
  validity:  not before Mar 10 20:39:13 2009, ok
             not after  Mar 09 20:39:13 2013, ok
  pubkey:    RSA 2048 bits
  keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
  subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES DES
  integrity:  AES_XCBC_96 HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256
  hasher:     HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
  prf:        PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_CBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
  dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT

Result of "ipsec listall" at sun:

List of X.509 End Entity Certificates:

  altNames:  192.168.3.3
  subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com"
  issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    10:00:06
  validity:  not before Mar 10 22:04:25 2009, ok
             not after  Mar 10 22:04:25 2011, ok
  pubkey:    RSA 1024 bits
  keyid:     7e:35:20:c0:96:1e:c7:53:77:c2:44:3a:98:0a:84:96:7b:ad:9b:ee
  subjkey:   c4:84:38:1c:2b:22:c4:39:6a:c7:6e:5d:9a:5e:06:3c:98:a3:25:37
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

  altNames:  192.168.3.4
  subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E=abhis...@gmail.com"
  issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    10:00:07
  validity:  not before Mar 11 17:24:59 2009, ok
             not after  Mar 11 17:24:59 2011, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     a1:ae:79:92:34:f8:71:ec:19:fa:94:a6:9d:3b:72:f6:a5:70:8a:7a
  subjkey:   ea:b7:c7:50:e6:8d:5e:8e:d7:40:20:87:22:49:8f:d9:3e:36:99:cb
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of X.509 CA Certificates:

  subject:  "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    00:d5:8c:82:99:da:6c:4e:99
  validity:  not before Mar 10 20:39:13 2009, ok
             not after  Mar 09 20:39:13 2013, ok
  pubkey:    RSA 2048 bits
  keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
  subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES DES
  integrity:  HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256 AES_XCBC_96
  hasher:     HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
  prf:        PRF_KEYED_SHA1 PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512 PRF_AES128_CBC
  dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT

Result of "ipsec up host-host" at moon:

[r...@ishan certs]# ipsec up host-host
initiating IKE_SA host-host[1] to 192.168.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
received packet: from 192.168.3.4[500] to 192.168.3.3[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for unknown ca with keyid b8:66:6a:1c:34:b8:02:0e:d4:05:e3:14:59:89:e1:a9:3e:40:08:39
sending cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
authentication of 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com' (myself) with RSA signature successful
sending end entity cert "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
sending packet: from 192.168.3.3[4500] to 192.168.3.4[4500]
received packet: from 192.168.3.4[4500] to 192.168.3.3[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

Please tell me the error.

Thanks in advance.

With regards,

Abhishek Kumar


On Tue, Mar 10, 2009 at 10:48 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi,
>
> it seems as if you messed up your public key infrastructure:
>
> your end entity certificate is
>
> 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
>
> but no matching private key is found, either because the private key
> file defined in /etc/ipsec.secrets
>
>  : RSA myKey.pem "<optional passphrase>"
>
> is not found in /etc/ipsec.d/private/, or because the passphrase is wrong if the
> key file is encrypted. Execute
>
>  ipsec rereadsecrets
>
> and check for error messages in the log! Everything is ok if
>
>  ipsec listcerts
>
> shows
>
>  .., has private key
>
> in the listing of the end entity certificate. There is also something
> wrong with your CA certificates. The peer requests an end entity
> certificate from you issued by the unknown CA with the public key hash
>
> 01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
>
> whereas you have a CA certificate
>
> 'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise,CN=ishan,
>  e=is...@gmail.com'
>
> In principle it is possible to work with mixed CAs but this is probably
> not what you had in mind. Usually both myCert.pem and peerCert.pem
> are issued by the same CA. This common CA certificate must be stored
> in /etc/ipsec.d/cacerts/. I doubt that
>
> 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
>
> is signed by the CA
>
> 'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise,CN=ishan,
>  e=is...@gmail.com'
>
> Best regards
>
> Andreas
>
> abhishek kumar wrote:
> > Hello,
> > I am new to using strongSwan. Please help me set up the host-host case. I am
> > getting a problem executing the command "ipsec up host-host".
> >
> > RESULT IS:
> >
> > [r...@sun etc]# ipsec start
> > Starting strongSwan 4.2.11 IPsec [starter]...
> >
> > [r...@moon etc]# ipsec restart
> > Starting strongSwan 4.2.11 IPsec [starter]...
> >
> > [r...@moon etc]# sleep 1
> >
> > [r...@ishan etc]# ipsec up host-host
> > initiating IKE_SA host-host[4] to 192.168.3.4
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
> > received packet: from 192.168.3.4[500] to 192.168.3.3[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for unknown ca with keyid 01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
> > sending cert request for "C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan, e=is...@gmail.com"
> > no private key found for 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
> > generating authentication data failed
> >
> > Please let me know where the mistake might be.
> >
> > Thanks in advance.
> >
> > With regards,
> >
> > Abhishek Kumar
>
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
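
The checks Andreas describes, and the ones a reader would run by hand over the "ipsec listall" and "ipsec up" outputs posted above, can be mechanised. The following is an added example for this thread, not code from the thread or from strongSwan: it parses a listing, verifies that each end entity certificate's authkey equals the subjkey of a loaded CA, that some end entity certificate shows "has private key" (the first problem in the thread), and whether the key hash in the peer's CERTREQ belongs to a CA loaded locally (the second). RFC 4306 defines the CERTREQ value as the SHA-1 hash of the trusted CA's SubjectPublicKeyInfo, which is the value the listing shows as keyid; the subjkey value is accepted as a loose second match. The listing layout (two-space-indented "key: value" lines, records separated by blank lines) is assumed from the posted output, and the sample data is copied from the moon output with wrapped lines joined.

```python
"""Checks over strongSwan "ipsec listall" output and an "ipsec up" log line.
Added example for this thread, not strongSwan's own code."""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the moon listing posted in the thread, wrapped lines joined.
LISTALL_MOON = """\
List of X.509 End Entity Certificates:

  altNames:  192.168.3.3
  subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com"
  issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    10:00:06
  validity:  not before Mar 10 22:04:25 2009, ok
             not after  Mar 10 22:04:25 2011, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     7e:35:20:c0:96:1e:c7:53:77:c2:44:3a:98:0a:84:96:7b:ad:9b:ee
  subjkey:   c4:84:38:1c:2b:22:c4:39:6a:c7:6e:5d:9a:5e:06:3c:98:a3:25:37
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of X.509 CA Certificates:

  subject:  "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    00:d5:8c:82:99:da:6c:4e:99
  validity:  not before Mar 10 20:39:13 2009, ok
             not after  Mar 09 20:39:13 2013, ok
  pubkey:    RSA 2048 bits
  keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
  subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
"""

# CERTREQ line from the posted "ipsec up host-host" output on moon, joined onto one line.
CERTREQ_LOG_MOON = (
    "received cert request for unknown ca with keyid "
    "b8:66:6a:1c:34:b8:02:0e:d4:05:e3:14:59:89:e1:a9:3e:40:08:39"
)

_HEADER = re.compile(r"^List of X\.509 (End Entity|CA) Certificates:")
_FIELD = re.compile(r"^ {2}(\w+):\s+(.*)$")
_CERTREQ = re.compile(r"cert request for .*?keyid\s+([0-9a-f]{2}(?::[0-9a-f]{2}){19})")


def parse_listall(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {"ee": [...], "ca": [...]}; each cert is a dict of its listed fields."""
    certs: Dict[str, List[Dict[str, str]]] = {"ee": [], "ca": []}
    section = current = None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            section = "ee" if header.group(1) == "End Entity" else "ca"
            current = None
            continue
        if not line.strip():
            current = None  # a blank line ends a certificate record
            continue
        field = _FIELD.match(line)  # continuation lines such as "not after" do not match
        if field and section:
            if current is None:
                current = {}
                certs[section].append(current)
            current[field.group(1)] = field.group(2).strip()
    return certs


def check_chain(certs) -> List[Tuple[str, str]]:
    """Each end entity authkey must equal a loaded CA's subjkey; one cert must have a private key."""
    findings = []
    ca_by_subjkey = {ca["subjkey"]: ca["subject"] for ca in certs["ca"]}
    for ee in certs["ee"]:
        issuer = ca_by_subjkey.get(ee.get("authkey", ""))
        if issuer:
            findings.append(("OK", f"{ee['subject']} is issued by loaded CA {issuer}"))
        else:
            findings.append(("PROBLEM", f"no loaded CA has subjkey {ee.get('authkey')}; {ee['subject']} cannot be verified"))
    if not any("has private key" in ee.get("pubkey", "") for ee in certs["ee"]):
        findings.append(("PROBLEM", "no end entity cert has a private key; check /etc/ipsec.secrets, then 'ipsec rereadsecrets'"))
    return findings


def check_certreq(certs, log_line: str) -> Optional[Tuple[str, str]]:
    """Compare the CA key hash in a CERTREQ log line with the CAs loaded here.
    RFC 4306 defines it as the SHA-1 of the CA's SubjectPublicKeyInfo, shown as
    keyid in the listing; subjkey is accepted too as a loose second check."""
    match = _CERTREQ.search(log_line)
    if not match:
        return None
    requested = match.group(1)
    known = {ca["keyid"] for ca in certs["ca"]} | {ca["subjkey"] for ca in certs["ca"]}
    if requested in known:
        return ("OK", f"peer trusts CA {requested}, which is loaded here")
    loaded = ", ".join(ca["keyid"] for ca in certs["ca"]) or "none"
    return ("PROBLEM", f"peer trusts CA {requested}, not loaded here (loaded keyids: {loaded}); both hosts need the same CA in /etc/ipsec.d/cacerts/")


if __name__ == "__main__":
    moon = parse_listall(LISTALL_MOON)
    req = check_certreq(moon, CERTREQ_LOG_MOON)
    for status, message in check_chain(moon) + ([req] if req else []):
        print(f"{status}: {message}")
```

Run on the moon output, the chain check passes (the end entity authkey f5:78:... equals the CA's subjkey, and the certificate now has its private key), but the CERTREQ check flags the peer's hash b8:66:..., which matches neither the keyid 6d:19:... nor the subjkey f5:78:... of the only CA moon has loaded: sun is asking for a certificate from a CA that moon does not hold, which is the mixed-CA situation Andreas describes and the thing to reconcile in /etc/ipsec.d/cacerts/ on both hosts before retrying "ipsec up host-host".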
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
