Hello.. please help in establishing the SA. Here is the syslog of both moon (ishan) and sun (abhishek) with their respective ipsec.conf and syslog.

ishan (moon): ipsec.conf

    # ipsec.conf - strongSwan IPsec configuration file

    config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        plutostart=no

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

    conn host-host
        left=192.168.3.3
        leftcert=ishanCert.pem
        leftid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
        right=192.168.3.4
        rightid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E= abhis...@gmail.com"
        auto=add

--------------------------------------------------------------

abhishek (sun): ipsec.conf

    # ipsec.conf - strongSwan IPsec configuration file

    config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        plutostart=no

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

    conn host-host
        left=192.168.3.3        #remote
        leftid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
        right=192.168.3.4       #local
        rightcert=abhishekCert.pem
        auto=add

----------------------------------------------------------------

syslog for moon (ishan)

Mar 11 06:40:08 ishan charon: 01[DMN] starting charon (strongSwan Version 4.2.11)
Mar 11 06:40:08 ishan charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Mar 11 06:40:08 ishan charon: 01[LIB] missing passphrase
Mar 11 06:40:08 ishan charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Mar 11 06:40:08 ishan charon: 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 11 06:40:08 ishan charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Mar 11 06:40:08 ishan charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Mar 11 06:40:08 ishan charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Mar 11 06:40:08 ishan charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Mar 11 06:40:08 ishan charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Mar 11 06:40:08 ishan charon: 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/private/ishanKey.pem'
Mar 11 06:40:09 ishan charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
Mar 11 06:40:09 ishan charon: 01[KNL] listening on interfaces:
Mar 11 06:40:09 ishan charon: 01[KNL]   eth0
Mar 11 06:40:09 ishan charon: 01[KNL]     192.168.3.3
Mar 11 06:40:09 ishan charon: 01[KNL]     fe80::221:9bff:fed7:2de8
Mar 11 06:40:09 ishan charon: 01[KNL]   wmaster0
Mar 11 06:40:09 ishan charon: 01[KNL]   wlan0
Mar 11 06:40:09 ishan charon: 01[KNL]   virbr0
Mar 11 06:40:09 ishan charon: 01[KNL]     192.168.122.1
Mar 11 06:40:09 ishan charon: 01[KNL]     fe80::d406:13ff:fe0a:39c8
Mar 11 06:40:09 ishan charon: 01[JOB] spawning 16 worker threads
Mar 11 06:40:09 ishan charon: 03[CFG] received stroke: add connection 'host-host'
Mar 11 06:40:09 ishan charon: 03[LIB] loaded certificate file '/usr/local/etc/ipsec.d/certs/ishanCert.pem'
Mar 11 06:40:09 ishan charon: 03[CFG] peerid C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com not confirmed by certificate, defaulting to subject DN
Mar 11 06:40:09 ishan charon: 03[CFG] added configuration 'host-host': 192.168.3.3[C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com]...192.168.3.4[c=au, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, e=abhis...@gmail.com]
Mar 11 06:40:09 ishan charon: 10[CFG] received stroke: initiate 'host-host'
Mar 11 06:40:09 ishan charon: 10[IKE] initiating IKE_SA host-host[1] to 192.168.3.4
Mar 11 06:40:09 ishan charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 11 06:40:09 ishan charon: 10[NET] sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
Mar 11 06:40:09 ishan charon: 12[NET] received packet: from 192.168.3.4[500] to 192.168.3.3[500]
Mar 11 06:40:09 ishan charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 11 06:40:09 ishan charon: 12[IKE] received cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 11 06:40:09 ishan charon: 12[IKE] sending cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 11 06:40:09 ishan charon: 12[IKE] authentication of 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com' (myself) with RSA signature successful
Mar 11 06:40:09 ishan charon: 12[IKE] sending end entity cert "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
Mar 11 06:40:09 ishan charon: 12[IKE] establishing CHILD_SA host-host
Mar 11 06:40:09 ishan charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 11 06:40:09 ishan charon: 12[NET] sending packet: from 192.168.3.3[4500] to 192.168.3.4[4500]
Mar 11 06:40:09 ishan charon: 13[NET] received packet: from 192.168.3.4[4500] to 192.168.3.3[4500]
Mar 11 06:40:09 ishan charon: 13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 11 06:40:09 ishan charon: 13[IKE] received AUTHENTICATION_FAILED notify error

------------------------------------------------------------------------------------------------------

syslog from sun (abhishek)

Mar 12 00:56:24 abhishek charon: 01[DMN] starting charon (strongSwan Version 4.2.11)
Mar 12 00:56:24 abhishek charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Mar 12 00:56:24 abhishek charon: 01[LIB] missing passphrase
Mar 12 00:56:24 abhishek charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Mar 12 00:56:24 abhishek charon: 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Mar 12 00:56:24 abhishek charon: 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/private/abhishekKey.pem'
Mar 12 00:56:24 abhishek charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Mar 12 00:56:24 abhishek charon: 01[KNL] listening on interfaces:
Mar 12 00:56:24 abhishek charon: 01[KNL]   eth0
Mar 12 00:56:24 abhishek charon: 01[KNL]     192.168.3.4
Mar 12 00:56:24 abhishek charon: 01[KNL]     fe80::213:d3ff:febe:69d1
Mar 12 00:56:24 abhishek charon: 01[JOB] spawning 16 worker threads
Mar 12 00:56:24 abhishek charon: 16[CFG] received stroke: add connection 'host-host'
Mar 12 00:56:24 abhishek charon: 16[LIB] loaded certificate file '/usr/local/etc/ipsec.d/certs/abhishekCert.pem'
Mar 12 00:56:24 abhishek charon: 16[CFG] added configuration 'host-host': 192.168.3.4[192.168.3.4]...192.168.3.3[C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com]
Mar 12 00:56:28 abhishek charon: 07[NET] received packet: from 192.168.3.3[500] to 192.168.3.4[500]
Mar 12 00:56:28 abhishek charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 12 00:56:28 abhishek charon: 07[IKE] 192.168.3.3 is initiating an IKE_SA
Mar 12 00:56:28 abhishek charon: 07[IKE] sending cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 12 00:56:28 abhishek charon: 07[NET] sending packet: from 192.168.3.4[500] to 192.168.3.3[500]
Mar 12 00:56:28 abhishek charon: 08[NET] received packet: from 192.168.3.3[4500] to 192.168.3.4[4500]
Mar 12 00:56:28 abhishek charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 12 00:56:28 abhishek charon: 08[IKE] received cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[IKE] received end entity cert "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG]   using certificate "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG]   using trusted ca certificate "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG] checking certificate status of "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG] certificate status is not available
Mar 12 00:56:28 abhishek charon: 08[IKE] authentication of 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com' with RSA signature successful
Mar 12 00:56:28 abhishek charon: 08[IKE] peer supports MOBIKE
Mar 12 00:56:28 abhishek charon: 08[IKE] no matching config found for 'C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, e=abhis...@gmail.com'...'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com'
Mar 12 00:56:28 abhishek charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 12 00:56:28 abhishek charon: 08[NET] sending packet: from 192.168.3.4[4500] to 192.168.3.3[4500]
Mar 12 00:56:34 abhishek charon: 16[CFG] received stroke: initiate 'host-host'
Mar 12 00:56:34 abhishek charon: 12[IKE] initiating IKE_SA host-host[2] to 192.168.3.3
Mar 12 00:56:34 abhishek charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 12 00:56:34 abhishek charon: 12[NET] sending packet: from 192.168.3.4[500] to 192.168.3.3[500]
Mar 12 00:56:34 abhishek charon: 14[NET] received packet: from 192.168.3.3[500] to 192.168.3.4[500]
Mar 12 00:56:34 abhishek charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 12 00:56:34 abhishek charon: 14[IKE] received cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 12 00:56:34 abhishek charon: 14[IKE] sending cert request for "C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E= ishansharm...@gmail.com"
Mar 12 00:56:34 abhishek charon: 14[IKE] authentication of '192.168.3.4' (myself) with RSA signature successful
Mar 12 00:56:34 abhishek charon: 14[IKE] sending end entity cert "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, e=abhis...@gmail.com"
Mar 12 00:56:34 abhishek charon: 14[IKE] establishing CHILD_SA host-host
Mar 12 00:56:34 abhishek charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar 12 00:56:34 abhishek charon: 14[NET] sending packet: from 192.168.3.4[4500] to 192.168.3.3[4500]
Mar 12 00:56:34 abhishek charon: 05[NET] received packet: from 192.168.3.3[4500] to 192.168.3.4[4500]
Mar 12 00:56:34 abhishek charon: 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 12 00:56:34 abhishek charon: 05[IKE] received AUTHENTICATION_FAILED notify error

Thanks for clearing up the concept of defaultroute..

With regards,
Abhishek Kumar

On Thu, Mar 12, 2009 at 3:40 AM, Daniel Mentz <danielml+mailinglists.strongs...@sent.com> wrote:
> abhishek kumar wrote:
>> I did the same thing you told. But in that case it is showing the same "received
>> AUTHENTICATION_FAILED notify error".
>
> Please post the logfiles and config files of both peers like you did
> before. I need to know *why* the authentication failed. You'll find that
> information in syslog entries on the other peer.
>
>> As shown in README (quick start -> host-host) left should be i.e.
>> left=%defaultroute. What does this mean?
>> Is it the default route (gateway)? If it is wrong please tell me how to remove
>> the error "no default route - cannot cope with %defaultroute!!! " at the
>> time when I start ipsec, i.e. "ipsec start".
>> Actually I removed this error by setting up sun (abhishek) eth0 as
>> 192.168.3.4/255.255.255.0 (default route: 192.168.3.4)
>> and moon (ishan) eth0 as 192.168.3.3/255.255.255.0 (default route: 192.168.3.3). Is this a
>> wrong setup?
>
> Do not set up a default route just for this purpose. %defaultroute means:
> Find out to which interface the default route points and use the IP address
> of that interface. I'm unsure if this explanation is 100% correct but I
> think you get an idea of what %defaultroute is for. I guess it's usually used
> for hosts that get a different IP address every time they reconnect to
> their ISP. %defaultroute saves them from changing the config file every time
> their IP address changes.
>
> Daniel

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
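Daniel's advice above is to read the *responder's* syslog to learn why IKE_AUTH failed. The following script is an added example, not part of the thread and not strongSwan code: it parses the charon lines a responder writes when it rejects an IKE_AUTH request (the "added configuration ... local[ID]...remote[ID]" line and the "no matching config found for 'me'...'other'" line) and reports which identities disagree. Fed the sun lines quoted above (embedded below as a constructed sample, with the extraction-split address repaired), it reports two mismatches: sun's configured local identity is the bare address 192.168.3.4 (its ipsec.conf sets no rightid), while moon addressed it by the abhishek DN; and sun's configured remote DN lacks the ST=QLD attribute present in the identity ishan actually authenticated with. The field order "local first, remote second" in the "added configuration" line and "me first, other second" in the "no matching config" line is inferred from the sun log itself (192.168.3.4 is listed first although the conf calls it right); the DN comparison is a loose diagnostic normalisation, not charon's own matching rule.

```python
"""Spot IKEv2 identity mismatches in strongSwan (charon) responder logs.

Added example for the thread above; not strongSwan's own code.
"""
import re

# Constructed sample: the decisive responder (sun) lines from the post, with the
# extraction-split "192.168.3 .3" repaired.
SAMPLE_LOG = """\
Mar 12 00:56:24 abhishek charon: 16[CFG] added configuration 'host-host': 192.168.3.4[192.168.3.4]...192.168.3.3[C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com]
Mar 12 00:56:28 abhishek charon: 08[IKE] authentication of 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com' with RSA signature successful
Mar 12 00:56:28 abhishek charon: 08[IKE] no matching config found for 'C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, e=abhis...@gmail.com'...'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com'
Mar 12 00:56:28 abhishek charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "added configuration 'conn': local[local_id]...remote[remote_id]"
# (assumption from the post's sun log: the host's own side is printed first).
ADDED_CFG_RE = re.compile(
    r"added configuration '(?P<conn>[^']+)': "
    r"(?P<local>\S+?)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>\S+?)\[(?P<remote_id>[^\]]*)\]"
)
# "no matching config found for 'me'...'other'": 'me' is the IDr the peer
# addressed us as, 'other' is the IDi the peer authenticated with.
NO_MATCH_RE = re.compile(
    r"no matching config found for '(?P<me>[^']*)'\.\.\.'(?P<other>[^']*)'"
)
# Did this host send (generating) or receive (parsed) the AUTH_FAILED notify?
AUTH_FAILED_RE = re.compile(
    r"(?P<dir>generating|parsed) IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]"
)
# Split a DN on commas that are followed by the next "Type=" attribute, so a
# comma inside a value does not break the split.
_RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z]+\s*=)")


def normalize_id(ident: str) -> str:
    """Loose canonical form for diagnosis: attribute types upper-cased,
    whitespace around '=' dropped, values lower-cased. Non-DN identities
    (IP addresses, FQDNs) are only lower-cased."""
    ident = ident.strip()
    if "=" not in ident:
        return ident.lower()
    rdns = []
    for rdn in _RDN_SPLIT.split(ident):
        key, _, value = rdn.partition("=")
        rdns.append(f"{key.strip().upper()}={value.strip().lower()}")
    return ", ".join(rdns)


def diagnose(log_text: str) -> dict:
    """Extract configured vs. requested identities and list the disagreements."""
    report = {
        "conn": None, "local_id": None, "remote_id": None,
        "requested_local": None, "requested_remote": None,
        "auth_failed": None, "mismatches": [],
    }
    for line in log_text.splitlines():
        if m := ADDED_CFG_RE.search(line):
            report["conn"] = m["conn"]
            report["local_id"] = m["local_id"]
            report["remote_id"] = m["remote_id"]
        elif m := NO_MATCH_RE.search(line):
            report["requested_local"] = m["me"]
            report["requested_remote"] = m["other"]
        elif m := AUTH_FAILED_RE.search(line):
            report["auth_failed"] = "sent" if m["dir"] == "generating" else "received"
    if report["local_id"] is not None and report["requested_local"] is not None:
        if normalize_id(report["local_id"]) != normalize_id(report["requested_local"]):
            report["mismatches"].append("local")
        if normalize_id(report["remote_id"]) != normalize_id(report["requested_remote"]):
            report["mismatches"].append("remote")
    return report


def explain(report: dict) -> str:
    """Human-readable summary of a diagnose() report."""
    lines = [f"connection {report['conn']!r}: AUTH_FAILED {report['auth_failed']}"]
    if "local" in report["mismatches"]:
        lines.append(f"  local id configured as {report['local_id']!r} "
                     f"but peer addressed us as {report['requested_local']!r}")
    if "remote" in report["mismatches"]:
        lines.append(f"  remote id configured as {report['remote_id']!r} "
                     f"but peer authenticated as {report['requested_remote']!r}")
    if not report["mismatches"]:
        lines.append("  no identity mismatch found in these lines")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Run it against `grep charon /var/log/syslog` from the side that *generated* the AUTH_FAILED notify; the initiator only ever sees the notify and has no way to tell which identity the responder objected to.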
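Daniel describes `%defaultroute` as "find out to which interface the default route points and use the IP address of that interface". The following is an added illustration of that rule, not strongSwan's own implementation: it parses the output of the iproute2 commands `ip -4 route show default` and `ip -4 -o addr show` (embedded below as constructed samples; the gateway 192.168.3.1 is an assumed value) and returns the interface and address `%defaultroute` would resolve to. When there is no default route at all it returns `None`, which is the condition behind the "no default route - cannot cope with %defaultroute!!!" error quoted in the thread; the point is that a missing default route is a routing fact to fix (or to avoid by writing the address explicitly, as the two configs above do), not something to work around by pointing the route at the host itself.

```python
"""What left=%defaultroute stands for, per Daniel's description in the thread.

Added example; not strongSwan code. Linux/iproute2 output formats assumed.
"""
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample output for a host like sun with a real gateway
# (192.168.3.1 is an assumed value, not from the thread).
ROUTE_OUT = "default via 192.168.3.1 dev eth0 proto static metric 100\n"
ADDR_OUT = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 192.168.3.4/24 brd 192.168.3.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
)

# "default via <gw> dev <if> ..." or "default dev <if> ..." (point-to-point links)
DEFAULT_RE = re.compile(r"^default\b.*?\bdev\s+(?P<dev>\S+)")
# one-line `ip -o addr` records: "<idx>: <if>    inet <addr>/<plen> ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<addr>[\d.]+)/\d+")


def resolve_defaultroute(route_output: str, addr_output: str) -> Optional[Tuple[str, str]]:
    """Return (interface, IPv4 address) that %defaultroute denotes, or None when
    the host has no default route (the 'cannot cope with %defaultroute' case)."""
    dev = None
    for line in route_output.splitlines():
        if m := DEFAULT_RE.match(line.strip()):
            dev = m["dev"]
            break
    if dev is None:
        return None
    for line in addr_output.splitlines():
        m = ADDR_RE.match(line.strip())
        if m and m["dev"] == dev:
            return dev, m["addr"]
    return None  # default route exists but the interface carries no IPv4 address


def resolve_live() -> Optional[Tuple[str, str]]:
    """Same resolution against the running host via iproute2 (Linux only)."""
    route = subprocess.run(["ip", "-4", "route", "show", "default"],
                           capture_output=True, text=True, check=True).stdout
    addrs = subprocess.run(["ip", "-4", "-o", "addr", "show"],
                           capture_output=True, text=True, check=True).stdout
    return resolve_defaultroute(route, addrs)


if __name__ == "__main__":
    print(resolve_defaultroute(ROUTE_OUT, ADDR_OUT))
```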