[strongSwan] "no matching config found", strongSwan to strongSwan w/IKEv2 setup
Martin Willi
martin at strongswan.org
Tue Oct 19 09:45:46 CEST 2010
Hi Jaime,
Some comments:
> interfaces=%defaultroute
interfaces is ignored by the IKEv2 daemon.
> left=%defaultroute
%defaultroute is resolved at startup by the ipsec starter. With IKEv2,
I'd use %any, which is resolved dynamically during the connect.
> crlcheckinterval=3600
> cachecrls=yes
CRL checking in IKEv2 is done on demand, and they are always cached.
> ca RootCA
> auto=add
> cacert=caroot.pem
> ca SubCA
> auto=add
> cacert=cacert.pem
CA certificates in ipsec.d/cacerts are loaded automatically, no need for
these ca sections.
> leftsourceip=10.1.0.1
Is not required, the IKEv2 daemon can figure this out automatically.
Now to the problem:
> no matching config found for
> 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org'...
> 'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'
But your config is:
> rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org"
> rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
The client identity doesn't match. Double check that the client uses the
same identity that the server expects. This identity must be contained
in the client's certificate (either as DN or as subjectAltName). You can
also use wildcard matching ("C=ES, O=VPN Test, OU=Test, CN=*") for
multiple clients, or even accept any client with a cert under that CA
(rightid=%any).
Regards
Martin
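
The identity mismatch discussed in the message above, as an added example (not part of the original message and not strongSwan's own code): a simplified Python model of how a configured rightid is compared with the identity a peer presents. It assumes DNs are compared RDN by RDN, in order, with "*" as a value wildcard; the conn names are hypothetical.

```python
# Simplified model of rightid matching (an assumption for illustration, not
# strongSwan source). Limitations: values are compared as exact strings, and
# escaped commas inside RDN values are not handled.

def parse_dn(dn):
    """Split 'C=ES, O=VPN Test, CN=x' into [('C', 'ES'), ('O', 'VPN Test'), ...]."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def id_matches(configured, presented):
    """True if the presented peer identity satisfies the configured rightid."""
    if configured == "%any":
        return True  # any identity is accepted
    want, got = parse_dn(configured), parse_dn(presented)
    if len(want) != len(got):
        return False  # a wildcard replaces one value, it never skips an RDN
    for (w_attr, w_val), (g_attr, g_val) in zip(want, got):
        if w_attr != g_attr:
            return False
        if w_val != "*" and w_val != g_val:
            return False
    return True

def matching_conns(conns, presented):
    """Names of all conn sections whose rightid accepts the presented identity."""
    return [name for name, rid in conns.items() if id_matches(rid, presented)]

# Identity the client presented, taken from the log line in the message.
PRESENTED = "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"

# Hypothetical conn names; rightid values are the ones discussed in the message.
CONNS = {
    "rw-exact": "C=ES, O=VPN Test, OU=Test, CN=roadwarrior",
    "rw-wildcard": "C=ES, O=VPN Test, OU=Test, CN=*",
    "rw-any": "%any",
}

if __name__ == "__main__":
    for name, rid in CONNS.items():
        verdict = "match" if id_matches(rid, PRESENTED) else "no matching config"
        print(f"{name:12} rightid={rid!r}: {verdict}")
```

Running it shows the exact rightid rejecting CN=usuario-ikev2 while the wildcard and %any forms accept it.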