linux
alovanton, 2016-05-05 13:08:52

A new IPsec connection is not coming up, why?

Error: unable to resolve %any, initiate aborted
tried to check-in and delete nonexisting IKE_SA
establishing connection 'IPsec' failed
Config:

conn IPsec
        left=45.58.46.74   # address of the external interface
        leftsubnet=0.0.0.0/0
        leftid=45.58.46.74
        leftcert=fullchain.pem
        leftauth=pubkey   # we tell the client that we authenticate ourselves with an RSA certificate

        right=%any   # anyone can connect to us from any IP
        rightauth=pubkey
        rightdns=8.8.8.8
        auto=add   # the connection will be initiated by the client
        keyexchange=ikev2
        type=tunnel

Logs
May  5 12:31:37 Devserver charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May  5 12:31:37 Devserver charon: 08[NET] sending packet: from 45.58.46.74[4500] to 5.31.156.60[24018] (80 bytes)
May  5 12:31:37 Devserver charon: 08[IKE] IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING

As I understand it, authentication with the key is not going through.
What could be such a typical mistake?
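The charon lines quoted above can be triaged mechanically. The script below is an added example (editorial, not part of the question or the answer): it parses charon log lines, tells apart an AUTH_FAILED notify that this host *generated* (it rejected the peer's authentication) from one it *parsed* (the peer rejected ours), and recognises the "unable to resolve %any" message, which strongSwan emits when a conn with right=%any is initiated locally with `ipsec up` instead of being left for the client to initiate. The sample log is constructed from the lines in the question; the charon prefix on the two "initiate" lines is assumed, since the question quotes them without one. The hints are this editor's checklist, not a diagnosis of the asker's setup.

```python
"""Triage helper for strongSwan charon logs (added editorial example)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the lines in the question. The charon prefix
# on the last two lines is an assumption (the question quotes them bare).
SAMPLE_LOG = """\
May  5 12:31:37 Devserver charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May  5 12:31:37 Devserver charon: 08[NET] sending packet: from 45.58.46.74[4500] to 5.31.156.60[24018] (80 bytes)
May  5 12:31:37 Devserver charon: 08[IKE] IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
May  5 12:32:01 Devserver charon: 09[IKE] unable to resolve %any, initiate aborted
May  5 12:32:01 Devserver charon: 09[MGR] tried to check-in and delete nonexisting IKE_SA
"""

# "charon: 08[ENC] <message>"
LINE_RE = re.compile(r'charon: \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
# "generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]" or "parsed IKE_AUTH response 1 [ ... ]"
EXCHANGE_RE = re.compile(
    r'^(?P<verb>generating|parsed) (?P<exchange>[A-Z_]+) (?P<kind>request|response) \d+ \[(?P<payloads>.*)\]')
NOTIFY_RE = re.compile(r'N\(([A-Z_0-9]+)\)')


@dataclass(frozen=True)
class Finding:
    code: str   # short machine-readable tag
    hint: str   # what to check next


def _auth_failed_hint(verb: str) -> str:
    """'generating' means we sent AUTH_FAILED; 'parsed' means the peer sent it."""
    if verb == 'generating':
        return ("this host rejected the peer's authentication: with rightauth=pubkey the "
                "client certificate must chain to a CA in /etc/ipsec.d/cacerts "
                "(ipsec listcacerts) and satisfy rightid/rightca if those are set")
    return ("the peer rejected our authentication: leftid must match a subjectAltName "
            "(or the DN) of leftcert, and the peer must trust the CA that issued it")


def triage(log: str) -> list[Finding]:
    """Return one Finding per distinct problem seen in a block of charon log lines."""
    findings: list[Finding] = []
    seen: set[str] = set()

    def add(code: str, hint: str) -> None:
        if code not in seen:          # report each problem once, in first-seen order
            seen.add(code)
            findings.append(Finding(code, hint))

    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group('msg')
        ex = EXCHANGE_RE.match(msg)
        if ex:
            verb = ex.group('verb')
            for notify in NOTIFY_RE.findall(ex.group('payloads')):
                if notify == 'AUTH_FAILED':
                    side = 'local' if verb == 'generating' else 'peer'
                    add(f'auth_failed_{side}', _auth_failed_hint(verb))
                else:
                    direction = 'sent' if verb == 'generating' else 'received'
                    add(f'notify_{notify.lower()}',
                        f'{direction} notify {notify} in {ex.group("exchange")} {ex.group("kind")}')
        if 'unable to resolve %any' in msg:
            add('initiated_responder_conn',
                'a conn with right=%any cannot be brought up with "ipsec up" on the server; '
                'auto=add is correct for it and the client has to initiate')
        if 'nonexisting IKE_SA' in msg:
            add('stale_ike_sa_checkin',
                'follow-on of the aborted initiate; harmless on its own')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.code}: {f.hint}')
```

Feed it `journalctl -u strongswan` or `/var/log/syslog` output; anything that is not a charon line is skipped.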

1 answer(s)
CityCat4, 2016-05-05

Here is a variant of the config, specially tailored for connecting Windows clients from who knows where, with certificate authentication.

conn any-deltahwCA-rsa-shrewsoft
        auto=add
        left=195.60.xx.xx
        leftid="certificate subject here"
        leftauth=pubkey
        leftcert=logsrv.crt
        leftsubnet=10.0.1.0/24
        leftca="CA certificate subject here"
        leftfirewall=yes
        leftdns=10.0.1.233,10.0.1.234
        right=%any
        rightallowany=yes
        rightsourceip=10.0.1.28-10.0.1.30
        rightid="certificate subject here"
        rightcert=sleepycat.crt
        rightauth=pubkey
        rightca="CA certificate subject here"
        keyexchange=ikev1
        ike=aes128-sha-modp1024,aes192-sha-modp1024,aes256-sha-modp1024!
        esp=aes128-sha-modp1024,aes192-sha-modp1024,aes256-sha-modp1024

195.60.xx.xx - server external IP, 10.0.1.0/24 - internal network. Each client has its own certificate.
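The following is an added editorial example, not the asker's or the answerer's config: the same certificate-authentication design as the answer above, written for IKEv2 road warriors (the key exchange the question uses). Two settings the answer's config has and the question's config lacks are worth calling out: rightca, because with rightauth=pubkey and no rightca strongSwan accepts a client certificate issued by any CA present in /etc/ipsec.d/cacerts, and rightsourceip, because Windows and mobile clients request a virtual IP and need a pool to draw from. Every concrete value here (vpn.example.com, server.pem, the CA DN, the 10.10.10.0/24 pool, the DNS servers) is an assumption to be replaced.

```conf
# /etc/ipsec.conf (strongSwan, legacy ipsec.conf syntax)   -- added example, not from the page.
# Assumed layout: server.pem in /etc/ipsec.d/certs with subjectAltName vpn.example.com,
# its key referenced from ipsec.secrets (": RSA server.key"), the issuing CA in
# /etc/ipsec.d/cacerts, and every client holding its own certificate from that CA.
config setup
        uniqueids=never              # one person, several devices: do not kill the older SA

conn rw-ikev2-certs
        auto=add                     # responder only; "ipsec up" on this side fails with
                                     # "unable to resolve %any", the road warrior initiates
        keyexchange=ikev2
        type=tunnel
        left=%any                    # bind to whatever local address the packet arrived on
        leftid=vpn.example.com       # must be in server.pem's subjectAltName; Windows also
                                     # checks the name it dialled against this SAN and wants
                                     # the serverAuth (or IKE intermediate) EKU on the cert
        leftcert=server.pem
        leftauth=pubkey
        leftsubnet=0.0.0.0/0         # full tunnel; use 10.0.1.0/24 for split tunnel
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightid=%any                 # accept any identity ...
        rightca="C=RU, O=Example, CN=Example Client CA"   # ... but only from this CA
        rightsourceip=10.10.10.0/24  # virtual IP pool handed to clients (assumed range)
        rightdns=10.0.1.233,10.0.1.234
        # Windows 7-10 propose modp1024 by default (modp2048 only with the
        # NegotiateDH2048_AES256 registry value set), so list it last instead of only
        # the stronger group if such clients must connect; "!" makes the list strict.
        ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
        esp=aes256-sha256,aes256-sha1!
        dpdaction=clear              # drop the SA when a road warrior silently disappears
        dpddelay=30s
```

After editing, `ipsec reload` and check `ipsec listcacerts` and `ipsec listcerts`: the CA named in rightca must appear in the first list, and the certificate named in leftcert, with the leftid value among its subjectAltNames, in the second.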
