[Swan-dev] Is it possible to have multiple roaming users connect with one IPsec server using certificates in ikev2 mode for libreswan
jeffchen
jeffchen at ruggedcom.com
Wed Apr 30 16:55:03 EEST 2014
I am trying to use certificates to connect multiple roaming users with one
IPsec server (each side is running libreswan 3.8).
It fails when I use ikev2 mode. If I use ikev1 mode (by removing the
line ikev2=insist), it works fine.
Below is my configuration. Is there anything wrong in the configuration
that prevents it from working in ikev2 mode? Thanks.
Server Side:

    version 2.0 # conforms to second version of ipsec.conf specification

    config setup
        nat_traversal=no
        nhelpers=1
        oe=off
        plutorestartoncrash=no
        protostack=netkey

    conn R2-R9
        authby=rsasig
        auto=add
        phase2=esp
        ikev2=insist
        left=192.168.22.2
        leftcert=R4
        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
        leftnexthop=%defaultroute
        leftsubnet=192.168.21.0/24
        pfs=no
        right=%any
        rightid=%fromcert
        rightupdown="ipsec _updown --route yes"
        type=tunnel
Client Side:

    version 2.0 # conforms to second version of ipsec.conf specification

    config setup
        nat_traversal=no
        nhelpers=1
        oe=off
        plutorestartoncrash=no
        protostack=netkey

    conn R2-R9
        connaddrfamily=ipv4
        authby=rsasig
        auto=start
        phase2=esp
        ikev2=insist
        left=192.168.22.2
        leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
        leftsubnet=192.168.21.0/24
        pfs=no
        right=192.168.34.9
        rightcert=R9
        rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, E=R9 at example.com"
        rightnexthop=%defaultroute
        rightupdown="ipsec _updown --route yes"
        type=tunnel
The tunnel is established successfully in ikev1 mode, but fails in
ikev2 mode. It gives the following error messages in ikev2 mode:

    Apr 30 09:44:17 rrjc2 pluto[5068]: | found connection: R2-R9
    Apr 30 09:44:17 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
    Apr 30 09:44:17 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
    Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, O=RuggedCom, CN=R9, E=R9 at example.com'
    Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no crl from issuer "C=CA, ST=Ontario, O=RuggedCom, CN=CA, E=ca at example.com" found (strict=no)
    Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no RSA public key known for '%fromcert'
    Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: RSA authentication failed
    Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: sending notification v2N_AUTHENTICATION_FAILED to 192.168.34.9:500
    Apr 30 09:44:18 rrjc2 pluto[5068]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
    Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9: deleting connection "R2-R9" instance with peer 192.168.34.9 {isakmp=#0/ipsec=#0}
--
Jeff Chen