I'm trying to initiate an IPSec connection (Site-to-Site) between a Debian 10 server with StrongSwan and a Nebula NSG200.
Let's assume:
- Debian server:
- Public IP : 50.50.50.45
- Private Network: 10.1.0.0/16
- Nebula NSG200:
- Public IP : 100.100.100.123
- Private Network : 10.40.0.0/24
But the authentication fail every time. I got the folowing messages in debian's logs.
I can't understand why the authentiaction failed !
...
charon: 13[NET] received packet: from 100.100.100.123[500] to 50.50.50.45[500] (480 bytes)
charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
charon: 13[ENC] received unknown vendor ID: xx:xx:xx:xx:xx:...
charon: 13[ENC] received unknown vendor ID: yy:yy:yy:yy:yy:...
charon: 13[ENC] received unknown vendor ID: zz:zz:zz:zz:zz:...
charon: 13[IKE] 100.100.100.123 is initiating an IKE_SA
charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024
charon: 13[IKE] remote host is behind NAT
charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 13[NET] sending packet: from 50.50.50.45[500] to 100.100.100.123[500] (312 bytes)
charon: 14[NET] received packet: from 100.100.100.123[4500] to 50.50.50.45[4500] (320 bytes)
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
charon: 14[IKE] received 1 cert requests for an unknown ca
charon: 14[CFG] looking for peer configs matching 50.50.50.45[%any]...100.100.100.123[10.0.1.250]
charon: 14[CFG] no matching peer config found
charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon: 14[NET] sending packet: from 50.50.50.45[4500] to 100.100.100.123[4500] (96 bytes)
...
StrongSwan side
/etc/ipsec.conf
:
config setup
charondebug="all"
uniqueids=yes
conn deb-to-neb
type=tunnel
auto=start
keyexchange=ikev2
authby=secret
left=100.100.100.123
leftsubnet=10.40.0.1/24
right=50.50.50.45
rightsubnet=10.1.0.1/16
ike=aes256-sha512-modp1024!
esp=aes256-sha512!
aggressive=yes
keyingtries=%forever
ikelifetime=86400s
lifetime=3600s
dpdaction=restart
/etc/ipsec.secrets
:
100.100.100.123 50.50.50.45 : PSK "MySuperSecret"
50.50.50.45 100.100.100.123 : PSK "MySuperSecret"
Nebula side
- Phase 1
- IKE version : IKEv2
- Encryption : AES256
- Authentication : SHA512
- Diffie-Hellman Group : DH2
- Lifetime (seconds) : 86400
- Phase 2 (Set 1)
- Encryption : AES256
- Authentication : SHA512
- PFS Group : DH2
- Lifetime (seconds) : 3600