<div dir="ltr">Hi,<div>I am trying to establish strongSwan between two Ubuntu 14.04 machines.</div><div>I can get things to work if I specify both the leftID and the rightID on both server and client. </div><div><br></div><div>What I need though is the following:</div><div>1) I will be copying the server self-signed certificate directly to the client machine and vice-versa. I understand this is not 100% secure, but I am going to have to go this way.</div><div>2) Those self-signed certificates will be generated with "server" on server machine and "client" on client machine as the subject Alt Name.</div><div>3) For security, I'd like to set rightID on client to be "server" while the rightID on server would be %any.</div><div><br></div><div>However, this throws an AUTH_FAILED error on the server:</div><div>looking for peer configs matching 10.10.10.10[server]...105.105.105.105[client]<br></div><div><div>no matching peer config found</div></div><div><br></div><div><br></div><div>My server ipsec.conf:</div><div><br></div><div><div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div> authby=rsasig</div><div><br></div><div>conn gcp</div><div> type=transport</div><div> left=10.10.10.10 #(NAT)<br></div><div> leftid=server</div><div> leftcert=server_cert.pem</div><div> leftsendcert=always<br></div><div> rightcert=client_cert.pem</div><div> right=105.105.105.105</div><div> rightid=%any<br></div><div> dpdaction=restart</div><div> dpddelay=60</div><div> dpdtimeout=768</div><div> auto=start</div></div><div><br></div><div><br></div><div>My client ipsec.conf:</div><div><br></div><div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div> authby=rsasig</div><div><br></div><div>conn gcp</div><div> type=transport</div><div> left=20.20.20.20 #(NAT)</div><div> 
leftid=client</div><div> leftcert=client_cert.pem</div><div> leftsendcert=always</div><div> rightcert=server_cert.pem</div><div> right=106.106.106.106</div><div> rightid=%any</div><div> dpdaction=restart</div><div> dpddelay=60</div><div> dpdtimeout=768</div><div> auto=start</div></div><div><br></div><div>What am I missing? Why is the server not able to find peer config when rightid has been specified as %any? I hope I am not missing something basic/obvious.</div><div><br></div><div>Thanks.</div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><span style="font-size:12.8px">Piyush Agarwal</span><br></div><div><span style="color:rgb(17,17,17)"><font face="arial, helvetica, sans-serif" size="2">Life can only be understood backwards; but it must be lived forwards.</font></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div>