[strongSwan] Cert question

Gary Smith gary.smith at holdstead.com
Thu Feb 24 20:04:24 CET 2011


> The error message
> 
> : 15[IKE] received AUTHENTICATION_FAILED notify error
> 
> means that the authentication failed on the remote side.
> Please check the logs of the peer.
> 
> Andreas

Andreas,

I've sorted a few things on this end. It appears that TinyCA was putting the email address as the altName by default so there was no match. Anyway, that issue has been fixed.  

I received an error on connect this time saying that it couldn't validate each other's cert, so I copied the left cert to the right machine, and vice versa, and tweaked the .conf file to look like this:

conn fre-lin
        left=x.x.x.x
        leftcert=left-cert.pem
        leftid=@left
        leftsubnet=leftlocal/21
        leftfirewall=yes
        right=y.y.y.y
        rightcert=right-cert.pem
        rightid=@right
        rightsubnet=rightlocal/21
        auto=add

Is this the correct way to handle the problem of finding the correct cert for the right (by explicitly adding it to the connection)?

I can ping both sides of the tunnel now (that is, the local VPN internal IP) so I guess it's working.

Gary Smith
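
Added example, not part of the original post and not strongSwan code: a check for the altName mismatch described in the message, comparing the `leftid`/`rightid` of the posted conn with the subjectAltName entries shown by `openssl x509 -noout -text`. The certificate excerpts and the e-mail address are constructed, and only FQDN (`@name`) and e-mail IDs are handled.

```python
import re

# The conn from the post (addresses are the placeholders used there).
IPSEC_CONF = """\
conn fre-lin
        left=x.x.x.x
        leftcert=left-cert.pem
        leftid=@left
        right=y.y.y.y
        rightcert=right-cert.pem
        rightid=@right
        auto=add
"""

# Constructed excerpts of `openssl x509 -noout -text`, keyed by cert file.
# left-cert.pem mimics the e-mail altName default described in the post.
CERT_TEXT = {
    "left-cert.pem": "X509v3 Subject Alternative Name:\n    email:admin@example.org\n",
    "right-cert.pem": "X509v3 Subject Alternative Name:\n    DNS:right, email:admin@example.org\n",
}

def parse_conn(text):
    """Return {key: value} for the indented key=value lines of one conn."""
    return dict(m.groups() for m in re.finditer(r"^[ \t]+(\w+)=(\S+)[ \t]*$", text, re.M))

def san_entries(cert_text):
    """Extract (type, value) pairs such as ('DNS', 'right') from openssl text."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", cert_text)
    if not m:
        return set()
    return {tuple(p.strip().split(":", 1)) for p in m.group(1).split(",")}

def expected_san(ike_id):
    """Map an ipsec.conf ID to the SAN entry it needs (FQDN and e-mail only)."""
    if ike_id.startswith("@"):
        return ("DNS", ike_id[1:])      # @left is an FQDN identity
    if "@" in ike_id:
        return ("email", ike_id)        # user@domain is an e-mail identity
    return None                         # DN, IP and other ID types: out of scope

def check(conf, certs):
    """Return {'left': bool, 'right': bool}: does each ID appear as a SAN?"""
    conn = parse_conn(conf)
    return {side: expected_san(conn[side + "id"]) in san_entries(certs[conn[side + "cert"]])
            for side in ("left", "right")}

if __name__ == "__main__":
    for side, ok in check(IPSEC_CONF, CERT_TEXT).items():
        print(side, "ID found in subjectAltName" if ok else "ID NOT in subjectAltName")
```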




