Good day! Authentication problem between hosts. Plz help...
Tunnel between swan1 and swan2
swan1 - 192.168.164.116
swan2 - 192.168.164.117
ikev2 - key exchange protocol
Passphrase used when creating the certificates - swan (specified in the ipsec.secrets config)
Generated the certificates following the quick how-to (http://www.strongswan.org/docs/readme42.htm#section_3)
On host 1 (swan1)
1. openssl req -x509 -days 1460 -newkey rsa:2048 \
-keyout sw1priKey.pem -out strongswanCert.pem
creates a 2048 bit RSA private key sw1priKey.pem and a self-signed CA certificate strongswanCert.pem with a validity of 4 years (1460 days).
2. Generate the host certificate
openssl req -newkey rsa:1024 -keyout sw1hostKey.pem -out sw1Req.pem
generates a 1024 bit RSA private key hostKey.pem and a certificate request hostReq.pem which has to be signed by the CA.
3. Sign sw2Req.pem with the CA's private key
openssl ca -policy policy_anything -in sw2Req.pem -days 730 -out sw2Cert.pem
Did the same for the second host (swan2).
The CA certificate is the same for both hosts.
Logs when trying to bring up the tunnel:
ipsec up host-host
Swan1
initiating IKE_SA host-host[1] to 192.168.164.117
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.164.116[500] to 192.168.164.117[500]
received packet: from 192.168.164.117[500] to 192.168.164.116[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for "C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
sending cert request for "C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
no private key found for 'C=RU, ST=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU'
generating authentication data failed
Swan2
Mar 31 06:54:37 swan2 charon: 10[NET] received packet: from 192.168.164.116[500] to 192.168.164.117[500]
Mar 31 06:54:37 swan2 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 31 06:54:37 swan2 charon: 10[IKE] 192.168.164.116 is initiating an IKE_SA
Mar 31 06:54:37 swan2 charon: 10[IKE] sending cert request for "C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
Mar 31 06:54:37 swan2 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar 31 06:54:37 swan2 charon: 10[NET] sending packet: from 192.168.164.117[500] to 192.168.164.116[500]
Mar 31 06:55:07 swan2 charon: 11[JOB] deleting half open IKE_SA after timeout
####ipsec.conf####
******swan1*****
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
mobike=no
keyexchange=ikev2
conn host-host
left=192.168.164.116
leftcert=swa1Cert.pem
leftfirewall=yes
right=192.168.164.117
type=transport
auto=add
******swan2*****
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
mobike=no
keyexchange=ikev2
conn host-host
left=192.168.164.117
leftcert=sw2Cert.pem
leftfirewall=yes
right=192.168.164.116
type=transport
auto=add
####ipsec.secrets###
swan1
: RSA sw1priKey.pem "swan"
swan2
: RSA sw2priKey.pem "swan"
####ipsec listalgs####
swan1
List of registered IKEv2 Algorithms:
encryption: AES_CBC 3DES DES DES_ECB
integrity: HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256 AES_XCBC_96
hasher: HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
prf: PRF_KEYED_SHA1 PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512 PRF_AES128_CBC
dh-group: MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT
swan2
List of registered IKEv2 Algorithms:
encryption: AES_CBC 3DES DES DES_ECB
integrity: AES_XCBC_96 HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256
hasher: HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_CBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
dh-group: MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT
####ipsec listcacerts####
List of X.509 CA Certificates:
subject: "C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
issuer: "C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
serial: 00:da:f2:b9:5b:c5:24:ea:eb
validity: not before Mar 30 11:28:05 2009, ok
not after Mar 29 11:28:05 2013, ok
pubkey: RSA 2048 bits, has private key
keyid: c1:9e:7d:c7:75:4c:ac:a4:9b:33:21:2c:fa:51:80:fb:ad:5c:42:8d
subjkey: af:2d:85:4e:4a:f8:40:72:45:06:74:ff:05:41:8e:2a:fb:74:d8:1e
authkey: af:2d:85:4e:4a:f8:40:72:45:06:74:ff:05:41:8e:2a:fb:74:d8:1e
####LOG####
swan2 (local)
ipsec start
Mar 31 06:51:55 swan2 charon: 01[DMN] starting charon (strongSwan Version 4.2.12)
Mar 31 06:51:55 swan2 charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Mar 31 06:51:55 swan2 charon: 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 31 06:51:55 swan2 charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Mar 31 06:51:55 swan2 charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Mar 31 06:51:55 swan2 charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Mar 31 06:51:55 swan2 charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Mar 31 06:51:55 swan2 charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Mar 31 06:51:55 swan2 charon: 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/private/sw2priKey.pem'
Mar 31 06:51:55 swan2 charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
Mar 31 06:51:55 swan2 charon: 01[KNL] listening on interfaces:
Mar 31 06:51:55 swan2 charon: 01[KNL] eth0
Mar 31 06:51:55 swan2 charon: 01[KNL] 192.168.164.117
Mar 31 06:51:55 swan2 charon: 01[KNL] fe80::204:75ff:fec9:cd60
Mar 31 06:51:55 swan2 charon: 01[JOB] spawning 16 worker threads
Mar 31 06:51:55 swan2 charon: 03[CFG] received stroke: add connection 'host-host'
Mar 31 06:51:55 swan2 charon: 03[LIB] loaded certificate file '/usr/local/etc/ipsec.d/certs/sw2Cert.pem'
Mar 31 06:51:55 swan2 charon: 03[CFG] peerid 192.168.164.117 not confirmed by certificate, defaulting to subject DN
Mar 31 06:51:55 swan2 charon: 03[CFG] added configuration 'host-host': 192.168.164.117[C=RU, ST=RU, L=RU, O=Internet Widgits Pty Ltd, OU=RU, CN=RU, E=RU@RU.RU]...192.168.164.116[192.168.164.116]
swan1 (remote)
Mar 31 08:12:07 swan1 charon: 01[DMN] starting charon (strongSwan Version 4.2.12)
Mar 31 08:12:07 swan1 charon: 01[LIB] loading plugin 'curl' failed: /usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared object file: No such file or directory
Mar 31 08:12:07 swan1 charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Mar 31 08:12:07 swan1 charon: 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Mar 31 08:12:07 swan1 charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Mar 31 08:12:07 swan1 charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Mar 31 08:12:07 swan1 charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Mar 31 08:12:07 swan1 charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Mar 31 08:12:07 swan1 charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Mar 31 08:12:07 swan1 charon: 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/private/sw1priKey.pem'
Mar 31 08:12:07 swan1 charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Mar 31 08:12:07 swan1 charon: 01[KNL] listening on interfaces:
Mar 31 08:12:07 swan1 charon: 01[KNL] eth0
Mar 31 08:12:07 swan1 charon: 01[KNL] 192.168.164.116
Mar 31 08:12:07 swan1 charon: 01[KNL] fe80::20c:6eff:fe4c:1476
Mar 31 08:12:07 swan1 charon: 01[JOB] spawning 16 worker threads
Mar 31 08:12:07 swan1 charon: 15[CFG] received stroke: add connection 'host-host'
Mar 31 08:12:07 swan1 charon: 15[LIB] loaded certificate file '/usr/local/etc/ipsec.d/certs/swa1Cert.pem'
Mar 31 08:12:07 swan1 charon: 15[CFG] peerid 192.168.164.116 not confirmed by certificate, defaulting to subject DN
Mar 31 08:12:07 swan1 charon: 15[CFG] added configuration 'host-host': 192.168.164.116[C=RU, ST=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU]...192.168.164.117[192.168.164.117]
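Added example, not part of the original post or of strongSwan: a small Python checker for the situation the logs above show. The post's ipsec.secrets on swan1 points at sw1priKey.pem, which step 1 created as the CA key (openssl req -x509 ... -keyout sw1priKey.pem), and the ipsec listcacerts output accordingly reports the CA certificate with "has private key" while charon reports "no private key found" for the host certificate's subject DN. The script parses ipsec.conf (honouring conn %default inheritance), ipsec.secrets, and the output of ipsec listcacerts / ipsec listcerts, and reports when an end-entity certificate referenced by leftcert has no loaded private key and when a CA private key is loaded on the gateway at all. All sample texts below are constructed to mirror the swan1 setup; the "End Entity Certificates" block for swa1Cert.pem is an assumption, since the post only shows listcacerts.

```python
"""Cross-check which certificate the RSA private key in ipsec.secrets belongs to.

Added example (not strongSwan code). Inputs are in the formats shown on the page:
ipsec.conf, ipsec.secrets and the text printed by 'ipsec listcacerts' /
'ipsec listcerts'. All sample inputs are constructed.
"""
import re

# Constructed ipsec.conf mirroring the swan1 configuration in the post.
IPSEC_CONF = """\
config setup
    strictcrlpolicy=no
conn %default
    keyexchange=ikev2
conn host-host
    left=192.168.164.116
    leftcert=swa1Cert.pem
    right=192.168.164.117
    auto=add
"""

# Constructed: the post's ipsec.secrets loads the CA key, not the host key.
IPSEC_SECRETS = ': RSA sw1priKey.pem "swan"\n'
# Constructed: the corrected secrets file pointing at the host key from step 2.
FIXED_SECRETS = ': RSA sw1hostKey.pem "swan"\n'

# Constructed listing: CA cert with a private key (as in the post's listcacerts),
# plus an assumed 'ipsec listcerts' entry for the host cert without one.
LIST_OUTPUT = """\
List of X.509 CA Certificates:
  subject:  "C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
  pubkey:   RSA 2048 bits, has private key
List of X.509 End Entity Certificates:
  subject:  "C=RU, ST=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
  pubkey:   RSA 1024 bits
"""
# Constructed listing after the fix: the host key is loaded, the CA key is not.
FIXED_LIST_OUTPUT = """\
List of X.509 CA Certificates:
  subject:  "C=RU, ST=RU, L=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
  pubkey:   RSA 2048 bits
List of X.509 End Entity Certificates:
  subject:  "C=RU, ST=RU, O=RU, OU=RU, CN=RU, E=RU@RU.RU"
  pubkey:   RSA 1024 bits, has private key
"""


def parse_ipsec_conf(text):
    """Return {conn_name: settings}; 'conn %default' values are inherited."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^\s*(config|conn)\s+(\S+)', line)
        if m:
            current = m.group(2) if m.group(1) == 'conn' else None
            if current:
                sections[current] = {}
            continue
        m = re.match(r'^\s*(\w+)=(.*)$', line)
        if m and current:
            sections[current][m.group(1)] = m.group(2).strip()
    default = sections.pop('%default', {})
    return {name: {**default, **s} for name, s in sections.items()}


def parse_secrets(text):
    """Return the RSA key files referenced by ipsec.secrets."""
    return re.findall(r':\s*RSA\s+(\S+)', text)


def parse_cert_listing(text):
    """Parse listcacerts/listcerts output into {kind, subject, has_key} entries."""
    entries, cur, kind = [], None, None
    for line in text.splitlines():
        if line.startswith('List of X.509 CA'):
            kind = 'ca'
        elif line.startswith('List of X.509 End Entity'):
            kind = 'host'
        m = re.match(r'\s*subject:\s*"(.*)"', line)
        if m:
            cur = {'kind': kind, 'subject': m.group(1), 'has_key': False}
            entries.append(cur)
            continue
        m = re.match(r'\s*pubkey:\s*(.*)', line)
        if m and cur:
            cur['has_key'] = 'has private key' in m.group(1)
    return entries


def diagnose(conf, secrets, listing):
    """Return findings about private key / certificate pairing (empty = OK)."""
    findings = []
    keys = parse_secrets(secrets)
    if not keys:
        findings.append('ipsec.secrets references no RSA key; certificate auth cannot succeed')
    certs = parse_cert_listing(listing)
    for ca in (c for c in certs if c['kind'] == 'ca' and c['has_key']):
        findings.append(f'CA private key loaded for {ca["subject"]!r}; a VPN endpoint only needs its host key')
    host_has_key = any(c['has_key'] for c in certs if c['kind'] == 'host')
    for name, conn in parse_ipsec_conf(conf).items():
        if 'leftcert' in conn and not host_has_key:
            findings.append(f'conn {name}: no loaded private key matches leftcert={conn["leftcert"]} '
                            f'(keys in ipsec.secrets: {keys}); expect "no private key found" in the log')
    return findings


if __name__ == '__main__':
    for f in diagnose(IPSEC_CONF, IPSEC_SECRETS, LIST_OUTPUT):
        print('FINDING:', f)
    print('after fix:', diagnose(IPSEC_CONF, FIXED_SECRETS, FIXED_LIST_OUTPUT))
```

The listing-based check only sees what charon reports; the definitive pairing test on the host itself is to compare the RSA modulus of the certificate (openssl x509 -noout -modulus -in swa1Cert.pem) with that of the key named in ipsec.secrets (openssl rsa -noout -modulus -in sw1hostKey.pem), which must be identical.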