Hi,
I'm having trouble getting the network-manager-strongswan in Ubuntu
karmic to work. The connection aborts with the error message "no
matching config found for '192.168.0.1'...'C=DE, ST=BW, L=Stuttgart,
O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro'".

To be honest, I'm a bit lost here, since the same certificates work
using the traditional (non-network-manager) way ("ipsec up home").

Server: Ubuntu 9.04 Jaunty Jackalope, strongswan 4.2.9-1
Client: Ubuntu 9.10 Karmic Koala, network-manager-strongswan
1.1.1-2ubuntu1 -or- strongswan 4.2.9-1

I've got the feeling that there's just a small config glitch somewhere,
but I can't tell where.

Any hints would be greatly appreciated!

Cheers,
Robert


*************************************************
* Here's the server config:
* see also http://paste.debian.net/51293/
*************************************************
<snip>
config setup
  plutostart=no

ca strongswan
  cacert=/etc/ssl/home.ro/cacerts/cacert.pem
  auto=add

conn roadwarrior
  left=192.168.0.1
  leftsubnet=192.168.178.0/24
  leftcert=/etc/ssl/home.ro/certs/server_cert.pem
  right=%any
  keyexchange=ikev2
  auto=add
</snip>

*************************************************
* And the client's network-manager-strongswan settings:
*************************************************
<snip>
Gateway address: 192.168.0.1
Gateway certificate: cacert.pem
Client authentication: Certificate/private key
Client certificate: vm-ubuntu_cert.pem
Client private key: vm-ubuntu_key.pem
+ Request an inner IP address
- Enforce UDP encapsulation
- Use IP compression
</snip>

*************************************************
* These are the client settings when using "ipsec up home":
* see also http://paste.debian.net/51294/
*************************************************
<snip>
config setup
  plutostart=no

conn home
  left=%defaultroute
  leftcert=/home/loc/.ssh/vm-ubuntu_cert.pem
  right=192.168.0.1
  rightsubnet=192.168.178.0/24
  rightid="C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro"
  keyexchange=ikev2
  auto=add
</snip>


*************************************************
* When using the network manager plugin, the server log reports:
* see also http://paste.debian.net/51295/
*************************************************
<snip>
Nov 11 16:55:45 cray charon: 17[NET] received packet: from
192.168.0.41[500] to 192.168.0.1[500]
Nov 11 16:55:45 cray charon: 17[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 11 16:55:45 cray charon: 17[IKE] 192.168.0.41 is initiating an IKE_SA
Nov 11 16:55:45 cray charon: 17[IKE] DH group ECP_192_BIT inacceptable,
requesting MODP_2048_BIT
Nov 11 16:55:45 cray charon: 17[ENC] generating IKE_SA_INIT response 0 [
N(INVAL_KE) ]
Nov 11 16:55:45 cray charon: 17[NET] sending packet: from
192.168.0.1[500] to 192.168.0.41[500]
Nov 11 16:55:45 cray charon: 08[NET] received packet: from
192.168.0.41[500] to 192.168.0.1[500]
Nov 11 16:55:45 cray charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 11 16:55:45 cray charon: 08[IKE] 192.168.0.41 is initiating an IKE_SA
Nov 11 16:55:45 cray charon: 08[IKE] sending cert request for "C=DE,
ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 16:55:45 cray charon: 08[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 11 16:55:45 cray charon: 08[NET] sending packet: from
192.168.0.1[500] to 192.168.0.41[500]
Nov 11 16:55:45 cray charon: 09[NET] received packet: from
192.168.0.41[4500] to 192.168.0.1[4500]
Nov 11 16:55:45 cray charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi
CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Nov 11 16:55:45 cray charon: 09[IKE] received cert request for "C=DE,
ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 16:55:45 cray charon: 09[IKE] received end entity cert "C=DE,
ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG]   using certificate "C=DE, ST=BW,
L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG]   using trusted ca certificate
"C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG] checking certificate status of
"C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG] certificate status is not available
Nov 11 16:55:45 cray charon: 09[IKE] authentication of 'C=DE, ST=BW,
L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA
signature successful
Nov 11 16:55:45 cray charon: 09[IKE] peer supports MOBIKE
Nov 11 16:55:45 cray charon: 09[IKE] no matching config found for
'192.168.0.1'...'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
CN=vm-ubuntu.home.ro'
Nov 11 16:55:45 cray charon: 09[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Nov 11 16:55:45 cray charon: 09[NET] sending packet: from
192.168.0.1[4500] to 192.168.0.41[4500]
</snip>

*************************************************
* This is the server log when using "ipsec up home":
* see also http://paste.debian.net/51296/
*************************************************
<snip>
Nov 11 17:09:09 cray charon: 12[NET] received packet: from
192.168.0.41[500] to 192.168.0.1[500]
Nov 11 17:09:09 cray charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 11 17:09:09 cray charon: 12[IKE] 192.168.0.41 is initiating an IKE_SA
Nov 11 17:09:09 cray charon: 12[IKE] sending cert request for "C=DE,
ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 17:09:09 cray charon: 12[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 11 17:09:09 cray charon: 12[NET] sending packet: from
192.168.0.1[500] to 192.168.0.41[500]
Nov 11 17:09:09 cray charon: 13[NET] received packet: from
192.168.0.41[4500] to 192.168.0.1[4500]
Nov 11 17:09:09 cray charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi
CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Nov 11 17:09:09 cray charon: 13[IKE] received cert request for "C=DE,
ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 17:09:09 cray charon: 13[IKE] received end entity cert "C=DE,
ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG]   using certificate "C=DE, ST=BW,
L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG]   using trusted ca certificate
"C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG] checking certificate status of
"C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG] certificate status is not available
Nov 11 17:09:09 cray charon: 13[IKE] authentication of 'C=DE, ST=BW,
L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA
signature successful
Nov 11 17:09:09 cray charon: 13[CFG] found matching peer config
"roadwarrior": C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
CN=openssl.home.ro...%any with prio 21.5
Nov 11 17:09:09 cray charon: 13[IKE] peer supports MOBIKE
Nov 11 17:09:09 cray charon: 13[IKE] authentication of 'C=DE, ST=BW,
L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro' (myself) with
RSA signature successful
Nov 11 17:09:09 cray charon: 13[IKE] scheduling reauthentication in 9945s
Nov 11 17:09:09 cray charon: 13[IKE] maximum IKE_SA lifetime 10485s
Nov 11 17:09:09 cray charon: 13[IKE] IKE_SA roadwarrior[5] established
between 192.168.0.1[C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
CN=openssl.home.ro]...192.168.0.41[C=DE, ST=BW, L=Stuttgart, O=LeRo,
OU=IT Department, CN=vm-ubuntu.home.ro]
Nov 11 17:09:09 cray charon: 13[IKE] sending end entity cert "C=DE,
ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro"
Nov 11 17:09:09 cray charon: 13[IKE] CHILD_SA roadwarrior{1} established
with SPIs ccca36e3_i c7cae4e6_o and TS 192.168.178.0/24 === 192.168.0.41/32
Nov 11 17:09:09 cray charon: 13[ENC] generating IKE_AUTH response 1 [
IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR)
N(ADD_4_ADDR) ]
Nov 11 17:09:09 cray charon: 13[NET] sending packet: from
192.168.0.1[4500] to 192.168.0.41[4500]
</snip>
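The two server logs above differ in the identity pair charon tries to match against a peer config. The small parser below (added here, not part of the post or of strongSwan) pulls that pair out of both runs so the difference is visible; the sample log text is the post's own lines with the mail client's line wrapping undone.

```python
import re

# Constructed sample: the IKE_AUTH outcome lines from the failed
# network-manager run, each charon message restored to a single line.
FAILED_LOG = """\
Nov 11 16:55:45 cray charon: 09[IKE] authentication of 'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA signature successful
Nov 11 16:55:45 cray charon: 09[IKE] no matching config found for '192.168.0.1'...'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro'
Nov 11 16:55:45 cray charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Constructed sample: the same stage of the working "ipsec up home" run.
OK_LOG = """\
Nov 11 17:09:09 cray charon: 13[IKE] authentication of 'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA signature successful
Nov 11 17:09:09 cray charon: 13[CFG] found matching peer config "roadwarrior": C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro...%any with prio 21.5
"""

AUTH_OK = re.compile(r"authentication of '([^']*)' with RSA signature successful")
NO_MATCH = re.compile(r"no matching config found for '([^']*)'\.\.\.'([^']*)'")
MATCHED = re.compile(r'found matching peer config "([^"]+)": (.+?)\.\.\.(.+?) with prio')


def summarize(log):
    """Return which peer authenticated and which local...remote identity
    pair charon used when looking up a peer config for the IKE_AUTH."""
    result = {"authenticated_peer": None, "local_id": None,
              "remote_id": None, "config": None, "outcome": "unknown"}
    for line in log.splitlines():
        m = AUTH_OK.search(line)
        if m and result["authenticated_peer"] is None:
            result["authenticated_peer"] = m.group(1)   # the client's cert DN
        m = NO_MATCH.search(line)
        if m:   # requested gateway identity ... client identity
            result.update(local_id=m.group(1), remote_id=m.group(2),
                          outcome="no_config")
        m = MATCHED.search(line)
        if m:   # config name, configured local identity, configured remote
            result.update(config=m.group(1), local_id=m.group(2),
                          remote_id=m.group(3), outcome="matched")
    return result


def is_ip_identity(identity):
    """True when the identity is a bare IPv4 address rather than a DN."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", identity) is not None
```

In the failed run the gateway is asked for the identity '192.168.0.1', in the working run the lookup is done with the certificate DN that the peer config actually carries; a peer config only matches when the identity the client requests is one the gateway is configured with.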
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users