[strongSwan] "no matching config found", strongSwan to strongSwan w/IKEv2 setup

Andreas Steffen andreas.steffen at strongswan.org
Tue Oct 19 16:35:13 CEST 2010


Hello Jaime,

which strongSwan version are you using? There was a bug concerning
the ASN.1 encoding of the Email RDN (E=) in right|leftid introduced
with version 4.2.15 which was fixed with version 4.3.4. This bug
causes the comparison between the ID defined by rightid and the subject
DN defined by the certificate to fail. The debian lenny distribution
originally had version 4.2.4 but there have been backports to newer
versions later on.

Regards

Andreas

On 19.10.2010 15:28, Jaime Vargas wrote:
>> Now to the problem:
>>
>>> no matching config found for
>>> 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org'...
>>> 'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'
>>
>> But your config is:
>>
>>> rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, E=test at vpntest.org"
>>> rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
>>
>> The client identity doesn't match.
> 
> Sorry, assume they match. "usuario-ikev2" is the real user I'm using,
> and I substituted it with "roadwarrior" in my email but obviously
> forgot to do so in every instance. The problem is not there.
> 
>> Double check that the client uses the
>> same identity that the server expects. This identity must be contained
>> in the clients certificate (either as DN or as subjectAltName). You can
>> also use wildcard matching ("C=ES, O=VPN Test, OU=Test, CN=*") for
>> multiple clients, or even accept any client with a cert under that ca
>> (rightid=%any).
>>
> 
> I don't understand this. As for wildcard or rightid=%any, that is not
> viable because the configuration MUST be unique for each user, so it
> can assign their fixed IPs...so what might the problem be? Maybe the
> roadwarrior is presenting the subjectAltName?
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list