[strongSwan] "no matching config found", strongSwan to strongSwan w/IKEv2 setup

Jaime Vargas jaivarsa at gmail.com
Tue Oct 19 15:28:17 CEST 2010

> Now to the problem:
>> no matching config found for
>> 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org'...
>> 'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'
> But your config is:
>> rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org"
>> rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
> The client identity doesn't match.

Sorry, assume they match. "usuario-ikev2" is the real user I'm using,
and I substituted it with "roadwarrior" in my email but obviously
forgot to do so in every instance. The problem is not there.

> Double check that the client uses the
> same identity that the server expects. This identity must be contained
> in the client's certificate (either as DN or as subjectAltName). You can
> also use wildcard matching ("C=ES, O=VPN Test, OU=Test, CN=*") for
> multiple clients, or even accept any client with a cert under that CA
> (rightid=%any).

I don't understand this. As for wildcard or rightid=%any, that is not
viable because the configuration MUST be unique for each user, so it
can assign their fixed IPs...so what might the problem be? Maybe the
roadwarrior is presenting the subjectAltName?
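
The identity matching discussed in this thread, as an added example that is not part of the original email and is not strongSwan's code: a simplified model that compares a configured `rightid` against the identity shown in the "no matching config found" log line, RDN by RDN, and prefers the match with the fewest wildcards so that per-user conns win over a catch-all. The conn names are hypothetical, the DNs are the ones quoted above, and values are compared exactly (no escaped commas, no case folding).

```python
import re

def parse_dn(dn):
    """Split 'C=ES, O=VPN Test, CN=x' into [(type, value), ...], keeping RDN order."""
    rdns = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def match_id(configured, presented):
    """Return the number of wildcard RDNs used for a match, or None if no match.
    '%any' counts as one wildcard per presented RDN (the weakest match)."""
    got = parse_dn(presented)
    if configured == "%any":
        return len(got)
    want = parse_dn(configured)
    if len(want) != len(got):
        return None
    wildcards = 0
    for (want_type, want_val), (got_type, got_val) in zip(want, got):
        if want_type != got_type:
            return None
        if want_val == "*":
            wildcards += 1
        elif want_val != got_val:
            return None
    return wildcards

def select_conn(conns, presented):
    """Pick the conn whose rightid matches with the fewest wildcards, or None."""
    scored = [(match_id(rid, presented), name) for name, rid in conns.items()]
    scored = [s for s in scored if s[0] is not None]
    return min(scored)[1] if scored else None

# Constructed sample: conn names are hypothetical; DNs are taken from the thread.
CONNS = {
    "rw-roadwarrior": "C=ES, O=VPN Test, OU=Test, CN=roadwarrior",
    "rw-wildcard": "C=ES, O=VPN Test, OU=Test, CN=*",
}
PRESENTED = "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"

if __name__ == "__main__":
    print(select_conn({"rw-roadwarrior": CONNS["rw-roadwarrior"]}, PRESENTED))
    print(select_conn(CONNS, PRESENTED))
```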
