[Swan-dev] Is it possible to have multiple roaming users connect to one IPSec server using certificates in ikev2 mode with libreswan?

jeffchen jeffchen at ruggedcom.com
Wed Apr 30 16:55:03 EEST 2014


I am trying to use certificates to connect multiple roaming users to one 
IPSec server (each side is running libreswan 3.8).
It fails when I use ikev2 mode. If I use ikev1 mode (by removing the 
line ikev2=insist), it works fine.

Below is my configuration. Is there anything wrong in the configuration 
to make it work in ikev2 mode? Thanks.

Server Side:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
         nat_traversal=no
         nhelpers=1
         oe=off
         plutorestartoncrash=no
         protostack=netkey

conn R2-R9
         authby=rsasig
         auto=add
         phase2=esp
         ikev2=insist
         left=192.168.22.2
         leftcert=R4
         leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
         leftnexthop=%defaultroute
         leftsubnet=192.168.21.0/24
         pfs=no
         right=%any
         rightid=%fromcert
         rightupdown="ipsec _updown --route yes"
         type=tunnel

Client Side:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
         nat_traversal=no
         nhelpers=1
         oe=off
         plutorestartoncrash=no
         protostack=netkey

conn R2-R9
         connaddrfamily=ipv4
         authby=rsasig
         auto=start
         phase2=esp
         ikev2=insist
         left=192.168.22.2
         leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4 at example.com"
         leftsubnet=192.168.21.0/24
         pfs=no
         right=192.168.34.9
         rightcert=R9
         rightid="C=CA, ST=Ontario, O=RuggedCom, CN=R9, E=R9 at example.com"
         rightnexthop=%defaultroute
         rightupdown="ipsec _updown --route yes"
         type=tunnel

The tunnel is established successfully in ikev1 mode, but it fails in 
ikev2 mode. It gives the following error message in ikev2 mode:

Apr 30 09:44:17 rrjc2 pluto[5068]: | found connection: R2-R9
Apr 30 09:44:17 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: 
transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Apr 30 09:44:17 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: 
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 
integ=sha1_96 prf=oakley_sha group=modp2048}
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: IKEv2 
mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, O=RuggedCom, CN=R9, 
E=R9 at example.com'
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no crl 
from issuer "C=CA, ST=Ontario, O=RuggedCom, CN=CA, E=ca at example.com" 
found (strict=no)
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: no RSA 
public key known for '%fromcert'
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: RSA 
authentication failed
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9 #1: sending  
notification v2N_AUTHENTICATION_FAILED to 192.168.34.9:500
Apr 30 09:44:18 rrjc2 pluto[5068]: | ikev2_parent_inI2outR2_tail 
returned STF_FATAL
Apr 30 09:44:18 rrjc2 pluto[5068]: "R2-R9"[1] 192.168.34.9: deleting 
connection "R2-R9" instance with peer 192.168.34.9 {isakmp=#0/ipsec=#0}

-- 
Jeff Chen
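As an added illustration (not part of the original post or of libreswan itself), the following Python script parses the `ipsec.conf` layout used above and flags any conn that pairs `ikev2=insist` with a `%fromcert` peer identity, the combination the server log rejects with "no RSA public key known for '%fromcert'". The embedded configuration is a trimmed copy of the server-side conn from the post, with the archive's " at " restored to "@" in the DN; nothing about a fix is assumed.

```python
import re

# Constructed sample: the server-side conn from the post, trimmed to the keys that matter.
SERVER_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification

config setup
         protostack=netkey

conn R2-R9
         authby=rsasig
         ikev2=insist
         left=192.168.22.2
         leftcert=R4
         leftid="C=CA, ST=Ontario, O=RuggedCom, CN=R4, E=R4@example.com"
         right=%any
         rightid=%fromcert
         type=tunnel
"""

SECTION_RE = re.compile(r"^(config setup|conn\s+\S+)\s*$")
KV_RE = re.compile(r'^\s+([A-Za-z0-9_]+)\s*=\s*("[^"]*"|[^#\s]*)')


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'.
    A line at column 0 opens a section, indented key=value lines belong to it,
    trailing '#' comments are dropped and double quotes are removed from values."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        header = SECTION_RE.match(raw)
        if header:
            current = "setup" if header.group(1) == "config setup" else header.group(1).split()[1]
            sections[current] = {}
            continue
        kv = KV_RE.match(raw)
        if kv and current is not None:
            sections[current][kv.group(1)] = kv.group(2).strip('"')
    return sections


def fromcert_ikev2_conns(sections):
    """Names of conns that pair ikev2=insist with a peer id of %fromcert, the
    combination the log in the post rejects on libreswan 3.8."""
    return sorted(
        name for name, opts in sections.items()
        if name != "setup" and opts.get("ikev2") == "insist"
        and "%fromcert" in (opts.get("leftid"), opts.get("rightid"))
    )


if __name__ == "__main__":
    conf = parse_ipsec_conf(SERVER_CONF)
    print(conf["R2-R9"]["rightid"])       # %fromcert
    print(fromcert_ikev2_conns(conf))     # ['R2-R9']
```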
