[strongSwan] "no matching config found", strongSwan to strongSwan w/IKEv2 setup

Martin Willi martin at strongswan.org
Tue Oct 19 09:45:46 CEST 2010


Hi Jaime,

Some comments:

>     interfaces=%defaultroute

interfaces is ignored by the IKEv2 daemon.

>     left=%defaultroute

%defaultroute is resolved at startup by the ipsec starter. With IKEv2,
I'd use %any, which is resolved dynamically during the connect.

>     crlcheckinterval=3600
>     cachecrls=yes

CRL checking in IKEv2 is done on demand, and they are always cached.
	
> ca RootCA
>     auto=add
>     cacert=caroot.pem
> ca SubCA
>     auto=add
>     cacert=cacert.pem

CA certificates in ipsec.d/cacerts are loaded automatically, no need for
these ca sections.

>     leftsourceip=10.1.0.1

Is not required, the IKEv2 daemon can figure this out automatically.


Now to the problem:

> no matching config found for 
> 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org'...
> 'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'

But your config is:

> rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org"
> rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"

The client identity doesn't match. Double check that the client uses the
same identity that the server expects. This identity must be contained
in the client's certificate (either as DN or as subjectAltName). You can
also use wildcard matching ("C=ES, O=VPN Test, OU=Test, CN=*") for
multiple clients, or even accept any client with a cert under that CA
(rightid=%any).

Regards
Martin
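The following is an added illustration for the identity-matching point in the reply above; it is example code written for this page, not strongSwan's own matching code. It models how an IKEv2 responder selects a conn by comparing the peer's identity against each conn's rightid, using the rules the reply describes (exact DN match, a "*" RDN value as wildcard, %any accepting everything), and why the quoted client identity "CN=usuario-ikev2" produces "no matching config found" against a conn that expects "CN=roadwarrior". The ipsec.conf fragments and the conn names are constructed for the example; DN values are compared verbatim and escaped commas are not handled, which is a simplification of what strongSwan does.

```python
"""Model of IKEv2 conn selection by peer identity (illustration only,
not strongSwan's implementation)."""

from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]

# Constructed server-side ipsec.conf fragment for this example.
SAMPLE_IPSEC_CONF = """\
conn gateway-to-gateway
    rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org"
    auto=add
conn roadwarrior-exact
    rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
    auto=add
"""

# Same fragment plus a wildcard conn, as the reply suggests for many clients.
WILDCARD_CONF = SAMPLE_IPSEC_CONF + """\
conn roadwarrior-any-cn
    rightid="C=ES, O=VPN Test, OU=Test, CN=*"
    auto=add
"""

# The identity the client in the thread actually presented.
CLIENT_ID = "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=ES, O=VPN Test, CN=foo' into ordered (attribute, value) pairs.
    Assumption: no escaped commas inside values."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def id_matches(constraint: str, peer_id: str) -> bool:
    """True if peer_id satisfies a rightid constraint:
    '%any' accepts every identity (certificate chain checks are outside this
    model); otherwise RDNs must agree attribute by attribute, with a value of
    '*' in the constraint matching any value for that attribute."""
    if constraint == "%any":
        return True
    want, have = parse_dn(constraint), parse_dn(peer_id)
    if len(want) != len(have):
        return False
    return all(wa == ha and (wv == "*" or wv == hv)
               for (wa, wv), (ha, hv) in zip(want, have))


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: 'conn NAME' opens a section and indented
    key=value lines belong to it. 'config setup', includes and comments are
    ignored, which is enough for this illustration."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return conns


def select_conn(text: str, peer_id: str) -> Optional[str]:
    """Return the first conn whose rightid accepts peer_id, or None, which is
    the situation reported as 'no matching config found'. Conns without a
    rightid are skipped here (assumption made for the example)."""
    for name, opts in parse_conns(text).items():
        rightid = opts.get("rightid")
        if rightid is not None and id_matches(rightid, peer_id):
            return name
    return None


def cert_carries_id(subject_dn: str, sans: List[str], peer_id: str) -> bool:
    """The identity a client sends must be its certificate's subject DN or one
    of its subjectAltNames; otherwise the responder rejects the client even
    when a conn's rightid would match."""
    return parse_dn(peer_id) == parse_dn(subject_dn) or peer_id in sans


if __name__ == "__main__":
    print("exact conf  :", select_conn(SAMPLE_IPSEC_CONF, CLIENT_ID))
    print("wildcard conf:", select_conn(WILDCARD_CONF, CLIENT_ID))
```

Run stand-alone it shows None for the exact configuration (the thread's failure) and the wildcard conn name once a "CN=*" rightid is present; the cert_carries_id check is the client-side half of the diagnosis, confirming the presented identity is actually in the certificate before changing anything on the gateway.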
