Hello, thanks for your valuable suggestion. I rectified my problem, but I am still not able to establish a Security Association.

Following are the results of "ipsec listall" at both ends.

Result of "ipsec listall" at moon:

List of X.509 End Entity Certificates:

  altNames:  192.168.3.3
  subject:   "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
  issuer:    "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    10:00:06
  validity:  not before Mar 10 22:04:25 2009, ok
             not after  Mar 10 22:04:25 2011, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     7e:35:20:c0:96:1e:c7:53:77:c2:44:3a:98:0a:84:96:7b:ad:9b:ee
  subjkey:   c4:84:38:1c:2b:22:c4:39:6a:c7:6e:5d:9a:5e:06:3c:98:a3:25:37
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of X.509 CA Certificates:

  subject:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  issuer:    "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    00:d5:8c:82:99:da:6c:4e:99
  validity:  not before Mar 10 20:39:13 2009, ok
             not after  Mar 09 20:39:13 2013, ok
  pubkey:    RSA 2048 bits
  keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
  subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES DES
  integrity:  AES_XCBC_96 HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256
  hasher:     HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
  prf:        PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_CBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
  dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT

Result of "ipsec listall" at sun:

List of X.509 End Entity Certificates:

  altNames:  192.168.3.3
  subject:   "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
  issuer:    "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    10:00:06
  validity:  not before Mar 10 22:04:25 2009, ok
             not after  Mar 10 22:04:25 2011, ok
  pubkey:    RSA 1024 bits
  keyid:     7e:35:20:c0:96:1e:c7:53:77:c2:44:3a:98:0a:84:96:7b:ad:9b:ee
  subjkey:   c4:84:38:1c:2b:22:c4:39:6a:c7:6e:5d:9a:5e:06:3c:98:a3:25:37
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

  altNames:  192.168.3.4
  subject:   "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E= abhis...@gmail.com"
  issuer:    "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    10:00:07
  validity:  not before Mar 11 17:24:59 2009, ok
             not after  Mar 11 17:24:59 2011, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     a1:ae:79:92:34:f8:71:ec:19:fa:94:a6:9d:3b:72:f6:a5:70:8a:7a
  subjkey:   ea:b7:c7:50:e6:8d:5e:8e:d7:40:20:87:22:49:8f:d9:3e:36:99:cb
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of X.509 CA Certificates:

  subject:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  issuer:    "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
  serial:    00:d5:8c:82:99:da:6c:4e:99
  validity:  not before Mar 10 20:39:13 2009, ok
             not after  Mar 09 20:39:13 2013, ok
  pubkey:    RSA 2048 bits
  keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
  subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES DES
  integrity:  HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256 AES_XCBC_96
  hasher:     HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
  prf:        PRF_KEYED_SHA1 PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512 PRF_AES128_CBC
  dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT

Result of "ipsec up host-host" at moon:

[r...@ishan certs]# ipsec up host-host
initiating IKE_SA host-host[1] to 192.168.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
received packet: from 192.168.3.4[500] to 192.168.3.3[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for unknown ca with keyid b8:66:6a:1c:34:b8:02:0e:d4:05:e3:14:59:89:e1:a9:3e:40:08:39
sending cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
authentication of 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com' (myself) with RSA signature successful
sending end entity cert "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
sending packet: from 192.168.3.3[4500] to 192.168.3.4[4500]
received packet: from 192.168.3.4[4500] to 192.168.3.3[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

Please tell me the error. Thanks in advance.

With regards,
Abhishek Kumar

On Tue, Mar 10, 2009 at 10:48 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi,
>
> it seems as if you messed up your public key infrastructure:
>
> your end entity certificate is
>
>   'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
>
> but no matching private key is found, either because the private key
> file defined in /etc/ipsec.secrets
>
>   : RSA myKey.pem "<optional passphrase>"
>
> is not found in /etc/ipsec.d/private/, or the passphrase is wrong if the
> key file is encrypted. Execute
>
>   ipsec rereadsecrets
>
> and check for error messages in the log! Everything is ok if
>
>   ipsec listcerts
>
> shows
>
>   .., has private key
>
> in the listing of the end entity certificate. There is also something
> wrong with your CA certificates. The peer requests an end entity
> certificate from you issued by the unknown CA with the public key hash
>
>   01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
>
> whereas you have a CA certificate
>
>   'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan, e=is...@gmail.com'
>
> In principle it is possible to work with mixed CAs but this is probably
> not what you had in mind. Usually both myCert.pem and peerCert.pem
> are issued by the same CA. This common CA certificate must be stored
> in /etc/ipsec.d/cacerts/. I doubt that
>
>   'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
>
> is signed by the CA
>
>   'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan, e=is...@gmail.com'
>
> Best regards
>
> Andreas
>
> abhishek kumar wrote:
> > Hello,
> > I am new to using strongSwan. Please help me set up the host-host case. I am
> > getting a problem executing the command "ipsec up host-host".
> >
> > RESULT IS:
> >
> > [r...@sun etc]# ipsec start
> > Starting strongSwan 4.2.11 IPsec [starter]...
> >
> > [r...@moon etc]# ipsec restart
> > Starting strongSwan 4.2.11 IPsec [starter]...
> >
> > [r...@moon etc]# sleep 1
> >
> > [r...@ishan etc]# ipsec up host-host
> > initiating IKE_SA host-host[4] to 192.168.3.4
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
> > received packet: from 192.168.3.4[500] to 192.168.3.3[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for unknown ca with keyid 01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
> > sending cert request for "C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan, e=is...@gmail.com"
> > no private key found for 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
> > generating authentication data failed
> >
> > Please let me know where the mistake might be.
> >
> > Thanks in advance.
> >
> > With regards,
> >
> > Abhishek Kumar
>
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
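The "received cert request for unknown ca with keyid ..." line in the log above is the initiator comparing the SHA-1 hashes carried in the peer's IKEv2 CERTREQ payload (RFC 5996, section 3.7) against the SubjectPublicKeyInfo hashes of the CA certificates it holds in /etc/ipsec.d/cacerts/, the value that "ipsec listcerts" prints as keyid. The following stand-alone Python is an added example for this thread, not strongSwan's code: it builds a SubjectPublicKeyInfo for constructed toy RSA keys, hashes it the way the CERTREQ does, and parses a CERTREQ to report which requested CAs are known. The tiny moduli, the payload builder and all function names are assumptions for illustration.

```python
import hashlib
import struct

# Minimal DER encoder, just enough for a SubjectPublicKeyInfo (constructed, not strongSwan code)
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)  # keep INTEGER positive

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OBJECT IDENTIFIER rsaEncryption

def rsa_spki(n, e):
    """DER SubjectPublicKeyInfo for an RSA key (RFC 3279): AlgorithmIdentifier + BIT STRING."""
    rsa_pub = der(0x30, der_int(n) + der_int(e))
    return der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + rsa_pub))

def keyid(spki):
    """strongSwan's 'keyid': SHA-1 over the whole SubjectPublicKeyInfo, the value CERTREQ carries."""
    return hashlib.sha1(spki).digest()

def build_certreq(ca_hashes, next_payload=0):
    """IKEv2 CERTREQ (RFC 5996 3.7): generic header, encoding 4 = X.509 signature, then CA hashes."""
    ca = b"".join(ca_hashes)
    return struct.pack("!BBHB", next_payload, 0, 5 + len(ca), 4) + ca

def parse_certreq(payload):
    """Split a CERTREQ payload into its 20-byte SHA-1 CA hashes, rejecting malformed input."""
    _next, _flags, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload) or encoding != 4:
        raise ValueError("malformed CERTREQ or not X.509 signature encoding")
    ca = payload[5:]
    if len(ca) % 20:
        raise ValueError("CA field is not a list of SHA-1 hashes")
    return [ca[i:i + 20] for i in range(0, len(ca), 20)]

def match_certreq(payload, trusted_spkis):
    """Per requested CA: (keyid as hex, whether it is one of our trusted CAs)."""
    known = {keyid(s) for s in trusted_spkis}
    return [(h.hex(), h in known) for h in parse_certreq(payload)]

# Constructed toy keys (far too small for real use): our CA, and a CA only the peer trusts
OUR_CA_SPKI = rsa_spki(0xC0FFEE1234567891, 65537)
PEER_ONLY_SPKI = rsa_spki(0xDEADBEEF98765433, 65537)
```

A CERTREQ naming only a CA whose keyid is absent from the trusted set yields the "unknown ca" outcome; the fix on a real system is to install the same CA certificate in /etc/ipsec.d/cacerts/ on both peers so the keyids agree.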