[strongSwan] Host-To-Host IKEV2 - no matching peer config found

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 10 19:45:19 CET 2010


Hello Anthony,

on Tony1 you define

   leftid=@tony1.ezp.net

but this FQDN is not contained as a subjectAltName in your vpnCert.pem.
Therefore leftid falls back to the subject DistinguishedName default

   C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain

Since you define

   rightid=@tony1.ezp.net

on nnmain, the IKE_SA is bound to fail.

Workaround: Either generate your vpnCert.pem certificate with a
subjectAltName:

  subjectAltName=DNS:tony1.ezp.net

in openssl.cnf or define

   rightid="C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain"

on nnmain.

BTW - I recommend *not* using the RDNs ST=, L=, and E=, thus making
      the subject DNs much more compact.

Regards

Andreas


On 11/10/2010 07:21 PM, Anthony Moon wrote:
> I’m trying to connect server nnmain to server tony1 but I get this error:
> 
> “11[CFG] looking for peer configs matching
> 173.45.168.24[nnmain.ezprovider.net]...66.199.171.245[C=US, ST=CA,
> L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain]
> 11[CFG] no matching peer config found”
> 
> Here are my configuration files (ipsec.conf)
> 
> Tony1:
> 
> config setup
>     plutostart=no
>     interfaces=%defaultroute
> 
> conn %default
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024!
>     esp=aes256-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
> 
> conn net-to-net
>     left=66.199.171.245
>     leftcert=vpnCert.pem
>     leftid=@tony1.ezp.net
>     leftfirewall=yes
>     right=173.45.168.24
>     rightid=@nnmain.ezprovider.net
>     auto=add
> 
> nnmain:
> 
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     plutostart=no
> 
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     mobike=no
> 
> conn net-net
>     left=173.45.168.24
>     leftcert=nnmain.pem
>     leftid=@nnmain.ezprovider.net
>     leftfirewall=yes
>     right=66.199.171.245
>     rightid=@tony1.ezp.net
>     auto=add
> 
> And here are the connection logs:
> 
> Tony1:
> 
> 01[CFG] received stroke: initiate 'net-to-net'
> 10[IKE] initiating IKE_SA net-to-net[1] to 173.45.168.24
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[NET] sending packet: from 66.199.171.245[500] to 173.45.168.24[500]
> 12[NET] received packet: from 173.45.168.24[500] to 66.199.171.245[500]
> 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 12[IKE] received cert request for "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain"
> 12[IKE] sending cert request for "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain"
> 12[IKE] authentication of 'C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain' (myself) with RSA signature successful
> 12[IKE] sending end entity cert "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain"
> 12[IKE] establishing CHILD_SA net-to-net
> 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 12[NET] sending packet: from 66.199.171.245[4500] to 173.45.168.24[4500]
> 05[NET] received packet: from 173.45.168.24[4500] to 66.199.171.245[4500]
> 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[IKE] received AUTHENTICATION_FAILED notify error
> 
> Nnmain:
> 
> charon (14675) started after 120 ms
> 05[CFG] received stroke: add connection 'net-net'
> 05[CFG]   loaded certificate "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=nnmain.ezprovider.net, E=hello@yeah.ca" from 'nnmain.pem'
> 05[CFG]   id 'nnmain.ezprovider.net' not confirmed by certificate, defaulting to 'C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=nnmain.ezprovider.net, E=hello@yeah.ca'
> 05[CFG] added configuration 'net-net'
> 10[NET] received packet: from 66.199.171.245[500] to 173.45.168.24[500]
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[IKE] 66.199.171.245 is initiating an IKE_SA
> 10[IKE] sending cert request for "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain"
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 10[NET] sending packet: from 173.45.168.24[500] to 66.199.171.245[500]
> 11[NET] received packet: from 66.199.171.245[4500] to 173.45.168.24[4500]
> 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 11[IKE] received cert request for "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain"
> 11[IKE] received end entity cert "C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain"
> 11[CFG] looking for peer configs matching 173.45.168.24[nnmain.ezprovider.net]...66.199.171.245[C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=tony1.ezp.net, E=me@myhost.mydomain]
> 11[CFG] no matching peer config found
> 11[IKE] peer supports MOBIKE
> 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 11[NET] sending packet: from 173.45.168.24[4500] to 66.199.171.245[4500]
> 
> What am I doing wrong?
> 
> -- 
> Anthony Moon
> EZProvider Networks, Inc.
> http://ezp.net
> 1.888.397.7853 x203
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
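An added example, not code from Andreas's reply or from the strongSwan project, working the first workaround above through as a shell script: it writes an openssl.cnf with a compact subject DN (no ST=, L=, E=) and a subjectAltName=DNS: section, issues vpnCert.pem from a throw-away CA, and then checks, by the same rule charon applies when it logs "id ... not confirmed by certificate", whether an FQDN meant for leftid is actually carried as a DNS subjectAltName. It also prints the subject DN in the form charon logs, which is what the peer's rightid would have to carry under the second workaround. The CA name, file names, working directory and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from the strongSwan list post or project): issue an
# end-entity certificate whose subjectAltName carries the FQDN used as leftid,
# then check that the id is really confirmed by the certificate before it is
# written into ipsec.conf. CA name, file names and working directory are assumed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# openssl.cnf fragment: compact subject DN (no ST=, L=, E=), a CA extension
# section for the throw-away issuer, and the SAN section for the VPN cert.
write_openssl_cnf() {
    fqdn="$1"
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
C  = US
O  = Fort-Funston
CN = ${fqdn}

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ san ]
subjectAltName = DNS:${fqdn}
EOF
}

# Create a throw-away CA and sign vpnCert.pem with the [ san ] extensions.
# Prints the path of the issued certificate.
issue_cert() {
    fqdn="$1"
    write_openssl_cnf "$fqdn"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions ca_ext \
        -subj "/C=US/O=Fort-Funston/CN=Fort-Funston CA" \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -keyout "$WORK/vpnKey.pem" -out "$WORK/vpn.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/vpn.csr" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions san \
        -out "$WORK/vpnCert.pem" >/dev/null 2>&1
    echo "$WORK/vpnCert.pem"
}

# Same rule charon applies to an FQDN id: it is confirmed only if it appears as
# a DNS subjectAltName; a matching CN alone does not count. Exit 0 if confirmed.
id_confirmed_by_cert() {
    cert="$1"; fqdn="$2"
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:${fqdn}"
}

# Subject DN in the "C=US, O=..., CN=..." form charon logs, i.e. the value the
# peer would need in rightid if you choose the second workaround instead.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
        | sed 's/^subject= *//'
}

# Demo: sh check-san.sh demo
if [ "${1:-}" = "demo" ]; then
    CERT=$(issue_cert tony1.ezp.net)
    if id_confirmed_by_cert "$CERT" tony1.ezp.net; then
        echo "leftid=@tony1.ezp.net is confirmed by $CERT"
    else
        echo "leftid=@tony1.ezp.net would fall back to: $(subject_dn "$CERT")"
    fi
fi
```

Run it with the `demo` argument; the check is deliberately exact (a CN of tony1.ezp.net or a SAN of tony1.ezp.net.example does not confirm the id), because that is how the id fallback in the log above comes about.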