Hi, I'm having trouble getting the network-manager-strongswan in Ubuntu karmic to work. The connection aborts with the error message "no matching config found for '192.168.0.1'...'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro'".

To be honest, I'm a bit lost here, since the same certificates work using the traditional (non-network-manager) way ("ipsec up home").

Server: Ubuntu 9.04 Jaunty Jackalope, strongswan 4.2.9-1
Client: Ubuntu 9.10 Karmic Koala, network-manager-strongswan 1.1.1-2ubuntu1 -or- strongswan 4.2.9-1

I've got the feeling that there's just a small config glitch somewhere, but I can't tell where. Any hints would be greatly appreciated!

Cheers,
Robert

*************************************************
* Here's the server config:
* see also http://paste.debian.net/51293/
*************************************************
<snip>
config setup
	plutostart=no

ca strongswan
	cacert=/etc/ssl/home.ro/cacerts/cacert.pem
	auto=add

conn roadwarrior
	left=192.168.0.1
	leftsubnet=192.168.178.0/24
	leftcert=/etc/ssl/home.ro/certs/server_cert.pem
	right=%any
	keyexchange=ikev2
	auto=add
</snip>

*************************************************
* And the client's network-manager-strongswan settings:
*************************************************
<snip>
Gateway address: 192.168.0.1
Gateway certificate: cacert.pem
Client authentication: Certificate/private key
Client certificate: vm-ubuntu_cert.pem
Client private key: vm-ubuntu_key.pem
+ Request an inner IP address
- Enforce UDP encapsulation
- Use IP compression
</snip>

*************************************************
* These are the client settings when using "ipsec up home":
* see also http://paste.debian.net/51294/
*************************************************
<snip>
config setup
	plutostart=no

conn home
	left=%defaultroute
	leftcert=/home/loc/.ssh/vm-ubuntu_cert.pem
	right=192.168.0.1
	rightsubnet=192.168.178.0/24
	rightid="C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro"
	keyexchange = ikev2
	auto=add
</snip>

*************************************************
* When using the network manager plugin, the server log reports:
* see also http://paste.debian.net/51295/
*************************************************
<snip>
Nov 11 16:55:45 cray charon: 17[NET] received packet: from 192.168.0.41[500] to 192.168.0.1[500]
Nov 11 16:55:45 cray charon: 17[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 11 16:55:45 cray charon: 17[IKE] 192.168.0.41 is initiating an IKE_SA
Nov 11 16:55:45 cray charon: 17[IKE] DH group ECP_192_BIT inacceptable, requesting MODP_2048_BIT
Nov 11 16:55:45 cray charon: 17[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 11 16:55:45 cray charon: 17[NET] sending packet: from 192.168.0.1[500] to 192.168.0.41[500]
Nov 11 16:55:45 cray charon: 08[NET] received packet: from 192.168.0.41[500] to 192.168.0.1[500]
Nov 11 16:55:45 cray charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 11 16:55:45 cray charon: 08[IKE] 192.168.0.41 is initiating an IKE_SA
Nov 11 16:55:45 cray charon: 08[IKE] sending cert request for "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 16:55:45 cray charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 11 16:55:45 cray charon: 08[NET] sending packet: from 192.168.0.1[500] to 192.168.0.41[500]
Nov 11 16:55:45 cray charon: 09[NET] received packet: from 192.168.0.41[4500] to 192.168.0.1[4500]
Nov 11 16:55:45 cray charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Nov 11 16:55:45 cray charon: 09[IKE] received cert request for "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 16:55:45 cray charon: 09[IKE] received end entity cert "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG] using certificate "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG] using trusted ca certificate "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG] checking certificate status of "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 16:55:45 cray charon: 09[CFG] certificate status is not available
Nov 11 16:55:45 cray charon: 09[IKE] authentication of 'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA signature successful
Nov 11 16:55:45 cray charon: 09[IKE] peer supports MOBIKE
Nov 11 16:55:45 cray charon: 09[IKE] no matching config found for '192.168.0.1'...'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro'
Nov 11 16:55:45 cray charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 11 16:55:45 cray charon: 09[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.41[4500]
</snip>

*************************************************
* This is the server log when using "ipsec up home":
* see also http://paste.debian.net/51296/
*************************************************
<snip>
Nov 11 17:09:09 cray charon: 12[NET] received packet: from 192.168.0.41[500] to 192.168.0.1[500]
Nov 11 17:09:09 cray charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 11 17:09:09 cray charon: 12[IKE] 192.168.0.41 is initiating an IKE_SA
Nov 11 17:09:09 cray charon: 12[IKE] sending cert request for "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 17:09:09 cray charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 11 17:09:09 cray charon: 12[NET] sending packet: from 192.168.0.1[500] to 192.168.0.41[500]
Nov 11 17:09:09 cray charon: 13[NET] received packet: from 192.168.0.41[4500] to 192.168.0.1[4500]
Nov 11 17:09:09 cray charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Nov 11 17:09:09 cray charon: 13[IKE] received cert request for "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 17:09:09 cray charon: 13[IKE] received end entity cert "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG] using certificate "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG] using trusted ca certificate "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG] checking certificate status of "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
Nov 11 17:09:09 cray charon: 13[CFG] certificate status is not available
Nov 11 17:09:09 cray charon: 13[IKE] authentication of 'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA signature successful
Nov 11 17:09:09 cray charon: 13[CFG] found matching peer config "roadwarrior": C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro...%any with prio 21.5
Nov 11 17:09:09 cray charon: 13[IKE] peer supports MOBIKE
Nov 11 17:09:09 cray charon: 13[IKE] authentication of 'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro' (myself) with RSA signature successful
Nov 11 17:09:09 cray charon: 13[IKE] scheduling reauthentication in 9945s
Nov 11 17:09:09 cray charon: 13[IKE] maximum IKE_SA lifetime 10485s
Nov 11 17:09:09 cray charon: 13[IKE] IKE_SA roadwarrior[5] established between 192.168.0.1[C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro]...192.168.0.41[C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro]
Nov 11 17:09:09 cray charon: 13[IKE] sending end entity cert "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro"
Nov 11 17:09:09 cray charon: 13[IKE] CHILD_SA roadwarrior{1} established with SPIs ccca36e3_i c7cae4e6_o and TS 192.168.178.0/24 === 192.168.0.41/32
Nov 11 17:09:09 cray charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 11 17:09:09 cray charon: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.41[4500]
</snip>

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
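Simplified model of the peer-config lookup behind the "no matching config found" line in the post; this is an added illustration, not code from the post or from strongSwan. It assumes the post's identities and the rule that charon matches the IDr the client proposes against the conn's leftid (the leftcert subject DN when leftid is unset), which is why an IDr of 192.168.0.1 from the NetworkManager plugin finds no config while the DN from rightid in ipsec.conf does.

```python
import re
from dataclasses import dataclass

# Identities taken from the post. The server sets no leftid, so charon uses
# the subject DN of leftcert as the local identity of conn "roadwarrior".
SERVER_DN = "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro"
CLIENT_DN = "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"


@dataclass(frozen=True)
class PeerConfig:
    name: str
    local_id: str   # server-side leftid (defaults to the leftcert subject DN)
    remote_id: str  # server-side rightid; %any accepts any peer identity


def id_matches(configured: str, presented: str) -> bool:
    """%any is a wildcard; otherwise the identities must be equal."""
    return configured == "%any" or configured == presented


def select_config(configs, idr, idi):
    """Simplified charon lookup: first config accepting the IDr the peer
    asked for as our identity and the IDi the peer claims for itself."""
    for cfg in configs:
        if id_matches(cfg.local_id, idr) and id_matches(cfg.remote_id, idi):
            return cfg
    return None


# The server's conn from the post: leftid defaulted, right=%any.
CONFIGS = [PeerConfig("roadwarrior", SERVER_DN, "%any")]

NO_MATCH = re.compile(r"no matching config found for '([^']*)'\.\.\.'([^']*)'")


def explain_no_match(log_line, configs):
    """Parse charon's 'no matching config found' line and list, per config,
    which identity (requested local id or peer id) failed to match."""
    m = NO_MATCH.search(log_line)
    if not m:
        return None
    idr, idi = m.group(1), m.group(2)
    reasons = []
    for cfg in configs:
        if not id_matches(cfg.local_id, idr):
            reasons.append(f"{cfg.name}: peer wants local id {idr!r}, configured {cfg.local_id!r}")
        if not id_matches(cfg.remote_id, idi):
            reasons.append(f"{cfg.name}: peer id {idi!r} not accepted by {cfg.remote_id!r}")
    return reasons
```

The real lookup also ranks several matching configs by priority (the "prio 21.5" in the second log) and checks certificates, which this model leaves out. Any identity a server asserts via leftid must also be contained in its certificate (subject DN or subjectAltName), or the client will reject the gateway during IKE_AUTH.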