Please post the syslog entries and ipsec.conf from host sun.

abhishek kumar wrote:
> Hello,
> thanks for your valuable suggestion. I rectified my problem but still I am not
> able to establish a Security Association.
> 
> Following are the results of "ipsec listall" at both ends.
> 
> result of "ipsec listall" at moon:
> 
> List of X.509 End Entity Certificates:
> 
>   altNames:  192.168.3.3
>   subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
> ishansharm...@gmail.com"
>   issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan,
> e=ishansharm...@gmail.com"
>   serial:    10:00:06
>   validity:  not before Mar 10 22:04:25 2009, ok
>              not after  Mar 10 22:04:25 2011, ok
>   pubkey:    RSA 1024 bits, has private key
>   keyid:     7e:35:20:c0:96:1e:c7:53:77:c2:44:3a:98:0a:84:96:7b:ad:9b:ee
>   subjkey:   c4:84:38:1c:2b:22:c4:39:6a:c7:6e:5d:9a:5e:06:3c:98:a3:25:37
>   authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
> 
> List of X.509 CA Certificates:
> 
>   subject:  "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan,
> e=ishansharm...@gmail.com"
>   issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan,
> e=ishansharm...@gmail.com"
>   serial:    00:d5:8c:82:99:da:6c:4e:99
>   validity:  not before Mar 10 20:39:13 2009, ok
>              not after  Mar 09 20:39:13 2013, ok
>   pubkey:    RSA 2048 bits
>   keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
>   subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
>   authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
> 
> List of registered IKEv2 Algorithms:
> 
>   encryption: AES_CBC 3DES DES
>   integrity:  AES_XCBC_96 HMAC_SHA1_96 AUTH_HMAC_SHA1_128
> AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192
> AUTH_HMAC_SHA2_512_256
>   hasher:     HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
>   prf:        PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_CBC
> PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384
> PRF_HMAC_SHA2_512
>   dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT
> MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT
> 
> result of "ipsec listall" at sun :
> 
> List of X.509 End Entity Certificates:
> 
>   altNames:  192.168.3.3
>   subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
> ishansharm...@gmail.com"
>   issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan,
> e=ishansharm...@gmail.com"
>   serial:    10:00:06
>   validity:  not before Mar 10 22:04:25 2009, ok
>              not after  Mar 10 22:04:25 2011, ok
>   pubkey:    RSA 1024 bits
>   keyid:     7e:35:20:c0:96:1e:c7:53:77:c2:44:3a:98:0a:84:96:7b:ad:9b:ee
>   subjkey:   c4:84:38:1c:2b:22:c4:39:6a:c7:6e:5d:9a:5e:06:3c:98:a3:25:37
>   authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
> 
>   altNames:  192.168.3.4
>   subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E=
> abhis...@gmail.com"
>   issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan,
> e=ishansharm...@gmail.com"
>   serial:    10:00:07
>   validity:  not before Mar 11 17:24:59 2009, ok
>              not after  Mar 11 17:24:59 2011, ok
>   pubkey:    RSA 1024 bits, has private key
>   keyid:     a1:ae:79:92:34:f8:71:ec:19:fa:94:a6:9d:3b:72:f6:a5:70:8a:7a
>   subjkey:   ea:b7:c7:50:e6:8d:5e:8e:d7:40:20:87:22:49:8f:d9:3e:36:99:cb
>   authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
> 
> List of X.509 CA Certificates:
> 
>   subject:  "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan,
> e=ishansharm...@gmail.com"
>   issuer:   "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan,
> e=ishansharm...@gmail.com"
>   serial:    00:d5:8c:82:99:da:6c:4e:99
>   validity:  not before Mar 10 20:39:13 2009, ok
>              not after  Mar 09 20:39:13 2013, ok
>   pubkey:    RSA 2048 bits
>   keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
>   subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
>   authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
> 
> List of registered IKEv2 Algorithms:
> 
>   encryption: AES_CBC 3DES DES
>   integrity:  HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128
> HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256 AES_XCBC_96
>   hasher:     HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
>   prf:        PRF_KEYED_SHA1 PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5
> PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512 PRF_AES128_CBC
>   dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT
> MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT
> 
> result of "ipsec up host-host" at moon:
> 
> [r...@ishan certs]# ipsec up host-host
> initiating IKE_SA host-host[1] to 192.168.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
> received packet: from 192.168.3.4[500] to 192.168.3.3[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for unknown ca with keyid
> b8:66:6a:1c:34:b8:02:0e:d4:05:e3:14:59:89:e1:a9:3e:40:08:39
> sending cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd.,
> OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
> authentication of 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
> ishansharm...@gmail.com' (myself) with RSA signature successful
> sending end entity cert "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce,
> CN=ishan, e=ishansharm...@gmail.com"
> establishing CHILD_SA host-host
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> sending packet: from 192.168.3.3[4500] to 192.168.3.4[4500]
> received packet: from 192.168.3.4[4500] to 192.168.3.3[4500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> 
> Please tell me the error.
> 
> Thanks in advance.
> 
> With regards
> 
> Abhishek Kumar
> 
> 
> On Tue, Mar 10, 2009 at 10:48 AM, Andreas Steffen <
> andreas.stef...@strongswan.org> wrote:
> 
>> Hi,
>>
>> it seems as if you messed up your public key infrastructure:
>>
>> your end entity certificate is
>>
>> 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
>>
>> but no matching private key is found, either because the private key
>> file defined in /etc/ipsec.secrets
>>
>>  : RSA myKey.pem "<optional passphrase>"
>>
>> is not found in /etc/ipsec.d/private/ or because the passphrase is wrong if
>> the key file is encrypted. Execute
>>
>>  ipsec rereadsecrets
>>
>> and check for error messages in the log! Everything is ok if
>>
>>  ipsec listcerts
>>
>> shows
>>
>>  .., has private key
>>
>> in the listing of the end entity certificate. There is also something
>> wrong with your CA certificates. The peer requests an end entity
>> certificate from you issued by the unknown CA with the public key hash
>>
>> 01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
>>
>> whereas you have a CA certificate
>>
>> 'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise,CN=ishan,
>>  e=is...@gmail.com'
>>
>> In principle it is possible to work with mixed CAs but this is probably
>> not what you had in mind. Usually both myCert.pem and peerCert.pem
>> are issued by the same CA. This common CA certificate must be stored
>> in /etc/ipsec.d/cacerts/. I doubt that
>>
>> 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
>>
>> is signed by the CA
>>
>> 'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise,CN=ishan,
>>  e=is...@gmail.com'
>>
>> Best regards
>>
>> Andreas
>>
>> abhishek kumar wrote:
>>> Hello,
>>> I am new to using strongSwan. Please help me in setting up the host-host case. I am
>>> getting a problem in executing the command "ipsec up host-host"
>>>
>>> RESULT IS:
>>>
>>> [r...@sun etc]# ipsec start
>>> Starting strongSwan 4.2.11 IPsec [starter]...
>>>
>>> [r...@moon etc]# ipsec restart
>>> Starting strongSwan 4.2.11 IPsec [starter]...
>>>
>>> [r...@moon etc]# sleep 1
>>>
>>> [r...@ishan etc]# ipsec up host-host
>>> initiating IKE_SA host-host[4] to 192.168.3.4
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
>>> received packet: from 192.168.3.4[500] to 192.168.3.3[500]
>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ ]
>>> received cert request for unknown ca with keyid
>>> 01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
>>> sending cert request for "C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise,
>>> CN=ishan, e=is...@gmail.com"
>>> no private key found for 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce,
>>> CN=ishan, e=is...@gmail.com'
>>> generating authentication data failed
>>>
>>> Please let me know where the mistake might be.
>>>
>>> Thanks in advance.
>>>
>>> With regards
>>>
>>> Abhishek Kumar
>> ======================================================================
>> Andreas Steffen                         andreas.stef...@strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
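As an added illustration (not code from the thread or from strongSwan), a small Python checker that reads an `ipsec listall` listing plus the "unknown ca" log line and reports the two problems Andreas describes: an end entity certificate without its private key, and a CA that the peer trusts but this host does not have loaded. It assumes the keyid in the CERTREQ line is comparable with the keyid/subjkey values printed for CA certificates; the sample listing is constructed from host sun's output with the e-mail-wrapped subject lines joined.

```python
import re

# Constructed sample modelled on host sun's "ipsec listall" output in the thread
# (wrapped subject lines joined, since the parser reads one field per line).
LISTALL = """\
List of X.509 End Entity Certificates:

  altNames:  192.168.3.4
  subject:  "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek"
  pubkey:    RSA 1024 bits, has private key
  subjkey:   ea:b7:c7:50:e6:8d:5e:8e:d7:40:20:87:22:49:8f:d9:3e:36:99:cb
  authkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48

List of X.509 CA Certificates:

  subject:  "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan"
  keyid:     6d:19:04:8c:44:f3:07:70:73:2d:04:d1:e9:b4:fa:93:0e:d0:8d:a6
  subjkey:   f5:78:61:94:0a:5c:a5:e6:4e:43:d0:3b:f6:51:8f:48:7e:5b:63:48
"""
# The "unknown ca" line moon logged during "ipsec up host-host" in the thread.
PEER_CERTREQ = "received cert request for unknown ca with keyid b8:66:6a:1c:34:b8:02:0e:d4:05:e3:14:59:89:e1:a9:3e:40:08:39"

def parse_listall(text):
    """Split the listing into (end_entity_certs, ca_certs); blank lines separate entries."""
    ee, ca, bucket, cur = [], [], None, None
    for line in text.splitlines():
        if line.startswith("List of"):      # section header: certificates or something else
            bucket = ee if "End Entity" in line else ca if "CA Cert" in line else None
        elif not line.strip():
            cur = None                      # blank line ends the current certificate entry
        elif bucket is not None:
            key, _, val = line.strip().partition(":")
            if cur is None:
                cur = {}
                bucket.append(cur)
            cur[key] = val.strip().strip('"')
    return ee, ca

def chain_findings(ee, ca, certreq_line=None):
    """Checks for the two failure modes in the thread; an empty list means consistent."""
    ca_subjkeys = {c.get("subjkey") for c in ca}
    findings = []
    if not any("has private key" in c.get("pubkey", "") for c in ee):
        findings.append("no end entity cert has a private key: check ipsec.secrets / 'ipsec rereadsecrets'")
    for c in ee:   # the issuer (authkey) must be a CA cert loaded from /etc/ipsec.d/cacerts/
        if c.get("authkey") not in ca_subjkeys:
            findings.append("%s: issuer %s is not a loaded CA cert" % (c.get("subject"), c.get("authkey")))
    m = re.search(r"keyid\s+((?:[0-9a-f]{2}:){19}[0-9a-f]{2})", certreq_line or "")
    if m and m.group(1) not in ca_subjkeys | {c.get("keyid") for c in ca}:
        findings.append("peer CERTREQ keyid %s matches no loaded CA cert: peers do not share a CA" % m.group(1))
    return findings
```

Run against both hosts' listings, an empty result from `chain_findings` on each side before `ipsec up` is what a consistent PKI looks like; the CERTREQ mismatch is the finding moon's log actually shows.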
