Hello,

Please help me with establishing the SA.
Here are the syslogs of both moon (ishan) and sun (abhishek), with their respective
ipsec.conf files.
ishan (moon): ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn host-host
        left=192.168.3.3
        leftcert=ishanCert.pem
        leftid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com"
        right=192.168.3.4
        rightid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E=abhis...@gmail.com"
        auto=add
--------------------------------------------------------------
abhishek (sun): ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=600
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn host-host
        left=192.168.3.3 #remote
        leftid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishansharm...@gmail.com"
        right=192.168.3.4 #local
        rightcert=abhishekCert.pem
        auto=add
----------------------------------------------------------------

syslog for moon (ishan)

Mar 11 06:40:08 ishan charon: 01[DMN] starting charon (strongSwan Version
4.2.11)
Mar 11 06:40:08 ishan charon: 01[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Mar 11 06:40:08 ishan charon: 01[LIB]   missing passphrase
Mar 11 06:40:08 ishan charon: 01[LIB] failed to create a builder for
credential type CRED_CERTIFICATE, subtype (1)
Mar 11 06:40:08 ishan charon: 01[LIB]   loaded certificate file
'/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 11 06:40:08 ishan charon: 01[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Mar 11 06:40:08 ishan charon: 01[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Mar 11 06:40:08 ishan charon: 01[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Mar 11 06:40:08 ishan charon: 01[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Mar 11 06:40:08 ishan charon: 01[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Mar 11 06:40:08 ishan charon: 01[CFG]   loaded private key file
'/usr/local/etc/ipsec.d/private/ishanKey.pem'
Mar 11 06:40:09 ishan charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5
fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
Mar 11 06:40:09 ishan charon: 01[KNL] listening on interfaces:
Mar 11 06:40:09 ishan charon: 01[KNL]   eth0
Mar 11 06:40:09 ishan charon: 01[KNL]     192.168.3.3
Mar 11 06:40:09 ishan charon: 01[KNL]     fe80::221:9bff:fed7:2de8
Mar 11 06:40:09 ishan charon: 01[KNL]   wmaster0
Mar 11 06:40:09 ishan charon: 01[KNL]   wlan0
Mar 11 06:40:09 ishan charon: 01[KNL]   virbr0
Mar 11 06:40:09 ishan charon: 01[KNL]     192.168.122.1
Mar 11 06:40:09 ishan charon: 01[KNL]     fe80::d406:13ff:fe0a:39c8
Mar 11 06:40:09 ishan charon: 01[JOB] spawning 16 worker threads
Mar 11 06:40:09 ishan charon: 03[CFG] received stroke: add connection
'host-host'
Mar 11 06:40:09 ishan charon: 03[LIB]   loaded certificate file
'/usr/local/etc/ipsec.d/certs/ishanCert.pem'
Mar 11 06:40:09 ishan charon: 03[CFG]   peerid C=AU, O=Mincom Pty. Ltd.,
OU=rvce, CN=ishan, e=ishansharm...@gmail.com not confirmed by certificate,
defaulting to subject DN
Mar 11 06:40:09 ishan charon: 03[CFG] added configuration 'host-host':
192.168.3.3[C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com]...192.168.3.4[c=au, O=Mincom Pty. Ltd., OU=rvce,
CN=abhishek, e=abhis...@gmail.com]
Mar 11 06:40:09 ishan charon: 10[CFG] received stroke: initiate 'host-host'
Mar 11 06:40:09 ishan charon: 10[IKE] initiating IKE_SA host-host[1] to
192.168.3.4
Mar 11 06:40:09 ishan charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 11 06:40:09 ishan charon: 10[NET] sending packet: from 192.168.3.3[500]
to 192.168.3.4[500]
Mar 11 06:40:09 ishan charon: 12[NET] received packet: from 192.168.3.4[500]
to 192.168.3.3[500]
Mar 11 06:40:09 ishan charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 11 06:40:09 ishan charon: 12[IKE] received cert request for "C=AU,
ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 11 06:40:09 ishan charon: 12[IKE] sending cert request for "C=AU,
ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 11 06:40:09 ishan charon: 12[IKE] authentication of 'C=AU, ST=QLD,
O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com' (myself)
with RSA signature successful
Mar 11 06:40:09 ishan charon: 12[IKE] sending end entity cert "C=AU, ST=QLD,
O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
Mar 11 06:40:09 ishan charon: 12[IKE] establishing CHILD_SA host-host
Mar 11 06:40:09 ishan charon: 12[ENC] generating IKE_AUTH request 1 [ IDi
CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 11 06:40:09 ishan charon: 12[NET] sending packet: from 192.168.3.3[4500]
to 192.168.3.4[4500]
Mar 11 06:40:09 ishan charon: 13[NET] received packet: from
192.168.3.4[4500] to 192.168.3.3[4500]
Mar 11 06:40:09 ishan charon: 13[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Mar 11 06:40:09 ishan charon: 13[IKE] received AUTHENTICATION_FAILED notify
error

------------------------------------------------------------------------------------------------------
syslog from sun (abhishek)

Mar 12 00:56:24 abhishek charon: 01[DMN] starting charon (strongSwan Version
4.2.11)
Mar 12 00:56:24 abhishek charon: 01[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Mar 12 00:56:24 abhishek charon: 01[LIB]   missing passphrase
Mar 12 00:56:24 abhishek charon: 01[LIB] failed to create a builder for
credential type CRED_CERTIFICATE, subtype (1)
Mar 12 00:56:24 abhishek charon: 01[LIB]   loaded certificate file
'/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading ocsp signer certificates
from '/usr/local/etc/ipsec.d/ocspcerts'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Mar 12 00:56:24 abhishek charon: 01[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Mar 12 00:56:24 abhishek charon: 01[CFG]   loaded private key file
'/usr/local/etc/ipsec.d/private/abhishekKey.pem'
Mar 12 00:56:24 abhishek charon: 01[DMN] loaded plugins: aes des sha1 sha2
md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Mar 12 00:56:24 abhishek charon: 01[KNL] listening on interfaces:
Mar 12 00:56:24 abhishek charon: 01[KNL]   eth0
Mar 12 00:56:24 abhishek charon: 01[KNL]     192.168.3.4
Mar 12 00:56:24 abhishek charon: 01[KNL]     fe80::213:d3ff:febe:69d1
Mar 12 00:56:24 abhishek charon: 01[JOB] spawning 16 worker threads
Mar 12 00:56:24 abhishek charon: 16[CFG] received stroke: add connection
'host-host'
Mar 12 00:56:24 abhishek charon: 16[LIB]   loaded certificate file
'/usr/local/etc/ipsec.d/certs/abhishekCert.pem'
Mar 12 00:56:24 abhishek charon: 16[CFG] added configuration 'host-host':
192.168.3.4[192.168.3.4]...192.168.3.3[C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com]
Mar 12 00:56:28 abhishek charon: 07[NET] received packet: from
192.168.3.3[500] to 192.168.3.4[500]
Mar 12 00:56:28 abhishek charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 12 00:56:28 abhishek charon: 07[IKE] 192.168.3.3 is initiating an IKE_SA
Mar 12 00:56:28 abhishek charon: 07[IKE] sending cert request for "C=AU,
ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 07[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 12 00:56:28 abhishek charon: 07[NET] sending packet: from
192.168.3.4[500] to 192.168.3.3[500]
Mar 12 00:56:28 abhishek charon: 08[NET] received packet: from
192.168.3.3[4500] to 192.168.3.4[4500]
Mar 12 00:56:28 abhishek charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi
CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 12 00:56:28 abhishek charon: 08[IKE] received cert request for "C=AU,
ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[IKE] received end entity cert "C=AU,
ST=QLD, O=Mincom Pty. Ltd., OU=rvce,CN=ishan, e=ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG]   using certificate "C=AU, ST=QLD,
O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG]   using trusted ca certificate
"C=AU, ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG] checking certificate status of
"C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 12 00:56:28 abhishek charon: 08[CFG] certificate status is not available
Mar 12 00:56:28 abhishek charon: 08[IKE] authentication of 'C=AU, ST=QLD,
O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com' with RSA
signature successful
Mar 12 00:56:28 abhishek charon: 08[IKE] peer supports MOBIKE
Mar 12 00:56:28 abhishek charon: 08[IKE] no matching config found for 'C=AU,
O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, e=abhis...@gmail.com'...'C=AU,
ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=ishansharm...@gmail.com'
Mar 12 00:56:28 abhishek charon: 08[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Mar 12 00:56:28 abhishek charon: 08[NET] sending packet: from
192.168.3.4[4500] to 192.168.3.3[4500]
Mar 12 00:56:34 abhishek charon: 16[CFG] received stroke: initiate
'host-host'
Mar 12 00:56:34 abhishek charon: 12[IKE] initiating IKE_SA host-host[2] to
192.168.3.3
Mar 12 00:56:34 abhishek charon: 12[ENC] generating IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 12 00:56:34 abhishek charon: 12[NET] sending packet: from
192.168.3.4[500] to 192.168.3.3[500]
Mar 12 00:56:34 abhishek charon: 14[NET] received packet: from
192.168.3.3[500] to 192.168.3.4[500]
Mar 12 00:56:34 abhishek charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 12 00:56:34 abhishek charon: 14[IKE] received cert request for "C=AU,
ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 12 00:56:34 abhishek charon: 14[IKE] sending cert request for "C=AU,
ST=QLD, L=Newbury, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=
ishansharm...@gmail.com"
Mar 12 00:56:34 abhishek charon: 14[IKE] authentication of '192.168.3.4'
(myself) with RSA signature successful
Mar 12 00:56:34 abhishek charon: 14[IKE] sending end entity cert "C=AU,
ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, e=abhis...@gmail.com"
Mar 12 00:56:34 abhishek charon: 14[IKE] establishing CHILD_SA host-host
Mar 12 00:56:34 abhishek charon: 14[ENC] generating IKE_AUTH request 1 [ IDi
CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar 12 00:56:34 abhishek charon: 14[NET] sending packet: from
192.168.3.4[4500] to 192.168.3.3[4500]
Mar 12 00:56:34 abhishek charon: 05[NET] received packet: from
192.168.3.3[4500] to 192.168.3.4[4500]
Mar 12 00:56:34 abhishek charon: 05[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Mar 12 00:56:34 abhishek charon: 05[IKE] received AUTHENTICATION_FAILED
notify error

Thanks for clearing up the concept of defaultroute.

with regards
Abhishek Kumar

On Thu, Mar 12, 2009 at 3:40 AM, Daniel Mentz <danielml+mailinglists.strongs...@sent.com> wrote:

> abhishek kumar wrote:
>
>> I did the same thing you told me, but in that case it is showing the same
>> "received AUTHENTICATION_FAILED notify error".
>>
>
> Please post the logfiles and config files of the both peers like you did
> before. I need to know *why* the authentication failed. You'll find that
> information in syslog entries on the other peer.
>
>
>> As shown in the README (quick start -> host-host), left should be
>> left=%defaultroute. What does this mean?
>> Is it the default route (gateway)? If it is wrong, please tell me how to remove
>> the error "no default route - cannot cope with %defaultroute!!!" at the
>> time when I start ipsec, i.e. "ipsec start".
>> Actually, I removed this error by setting up sun (abhishek) eth0 as
>> 192.168.3.4/255.255.255.0 (default route: 192.168.3.4) and moon (ishan) eth0 as
>> 192.168.3.3/255.255.255.0 (default route: 192.168.3.3). Is this a
>> wrong setup?
>>
>
> Do not set up a default route just for this purpose. %defaultroute means:
> find out to which interface the default route points and use the IP address
> of that interface. I'm unsure if this explanation is 100% correct but I
> think you get an idea of what %defaultroute is for. I guess it's usually used
> for hosts that get a different IP address every time they reconnect to
> their ISP. %defaultroute saves them from changing the config file every time
> their IP address changes.
>
> Daniel
>
>
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
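An added example, not from the post above or from the strongSwan project. In both posted logs the RSA signature check succeeds ("authentication of ... with RSA signature successful") and the failure comes one step later, when the responder looks up a conn for the IDs carried in IKE_AUTH and logs "no matching config found for ...". The Python below models that lookup for strongSwan 4.2 as the logs show it: it parses two ipsec.conf fragments shaped like the posted ones, takes the certificate subjects (in practice from `ipsec listcerts` or `openssl x509 -noout -subject`), derives the IDi/IDr each side sends and expects, and lists every mismatch. All input is constructed; the example.com addresses, the DN comparison rules and the 4.2 ID-defaulting behaviour are assumptions stated in the comments.

```python
"""Added example (not from the list post or the strongSwan project): derive the
IKE IDs each peer sends and expects from its ipsec.conf and certificate subject,
and report the mismatches behind charon's "no matching config found".
All input is constructed: the DNs follow the post's shape with example.com
addresses, and the cert subjects stand in for what `ipsec listcerts` prints."""

# Constructed: moon's (ishan) conn; leftid lacks the ST= RDN the certificate carries.
MOON_CONF = """\
conn host-host
        left=192.168.3.3
        leftcert=ishanCert.pem
        leftid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishan@example.com"
        right=192.168.3.4
        rightid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E=abhishek@example.com"
        auto=add
"""

# Constructed: sun's (abhishek) conn; no rightid for its own (local) side.
SUN_CONF = """\
conn host-host
        left=192.168.3.3   #remote
        leftid="C=AU, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishan@example.com"
        right=192.168.3.4  #local
        rightcert=abhishekCert.pem
        auto=add
"""

# Constructed certificate subjects, keyed by the file named in leftcert/rightcert.
CERT_SUBJECTS = {
    "ishanCert.pem": "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, E=ishan@example.com",
    "abhishekCert.pem": "C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=abhishek, E=abhishek@example.com",
}

def parse_ipsec_conf(text):
    """{section: {key: value}}; strips '#' comments and quotes, merges 'conn %default'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a section
            current = line.strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.get("conn %default", {})
    return {name: {**defaults, **params} if name.startswith("conn ") else params
            for name, params in sections.items()}

def parse_dn(dn):
    """DN string -> [(TYPE, value), ...]. Assumption: types case-insensitive, values exact."""
    return [(t.strip().upper(), v.strip())
            for t, _, v in (part.partition("=") for part in dn.split(","))]

def same_id(a, b):
    """Two DNs: identical RDN sequences (a missing ST= is a different identity); else literal."""
    if "=" in a and "=" in b:
        return parse_dn(a) == parse_dn(b)
    return a == b

def own_id(conn, side, cert_subjects):
    """ID a strongSwan 4.2 peer uses for itself, as the posted logs show: an explicit id is
    kept only if the cert confirms it, else the subject DN; with no id at all, the address."""
    explicit = conn.get(side + "id")
    subject = cert_subjects.get(conn.get(side + "cert", ""))
    if explicit and subject:
        return explicit if same_id(explicit, subject) else subject
    return explicit or conn[side]

def peer_id(conn, side):
    """ID a peer expects from the other side: the configured id, else the address."""
    return conn.get(side + "id") or conn[side]

def check_ike_auth(init_conn, init_side, resp_conn, resp_side, cert_subjects):
    """Simulate the responder's conn lookup for one IKE_AUTH direction; [] means a match."""
    other = {"left": "right", "right": "left"}
    idi = own_id(init_conn, init_side, cert_subjects)
    idr = peer_id(init_conn, other[init_side])
    expected_peer = peer_id(resp_conn, other[resp_side])
    expected_self = own_id(resp_conn, resp_side, cert_subjects)
    problems = []
    if not same_id(idi, expected_peer):
        problems.append(f"responder expects peer ID '{expected_peer}' but IDi is '{idi}'")
    if not same_id(idr, expected_self):
        problems.append(f"responder's own ID is '{expected_self}' but IDr is '{idr}'")
    return problems

def with_ids(conn, leftid, rightid):
    """The fix: pin both IDs to the exact certificate subjects, on both peers."""
    return {**conn, "leftid": leftid, "rightid": rightid}

if __name__ == "__main__":
    moon = parse_ipsec_conf(MOON_CONF)["conn host-host"]
    sun = parse_ipsec_conf(SUN_CONF)["conn host-host"]
    print("moon -> sun:", check_ike_auth(moon, "left", sun, "right", CERT_SUBJECTS))
    print("sun -> moon:", check_ike_auth(sun, "right", moon, "left", CERT_SUBJECTS))
```

Run as a script it reports two mismatches in each direction for configs of the posted shape: the configured DNs lack the `ST=QLD` RDN that the certificates carry, and sun has no `rightid`, so it identifies itself as `192.168.3.4` while moon expects abhishek's DN. `with_ids()` shows the repair: put the exact certificate subject DN in `leftid` and `rightid` on both peers, copied from `ipsec listcerts` so it matches what charon compares.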
