[strongSwan] Question on IKEv2

Chris Arnold carnold at electrichendrix.com
Fri Apr 6 16:55:20 CEST 2012


>>Hello
Hi Kimmo. Thanks for the reply!!

>>I'm no strongswan developer, here's my best guess:

>> authentication of 'sonicwall id' with pre-shared key successful
>> constraint check failed: identity 'sonicwall id' required
>> selected peer config 'teknerds' inacceptable
>> no alternative config found

>>        rightid=@sonicwall.id

>>Sonicwall sends something (DN, IP address, FQDN, email) as its ID and
>>you need to configure that ID to your ipsec.conf.
Sonicwall sends its Unique ID, which by default is the device serial number. That can be changed, but in our case it is the serial number. I have that ID set in the VPN policy on the sonicwall. I also have that set in the strongswan ipsec.conf (verified many times to be correct) and the ipsecsecrets.conf file (also verified many times).

>>I'm guessing that Sonicwall sends its IP address but you have
>>configured something else, such as  rightid=@sonicwall.yourdomain.xx.
>>which is FQDN.
>>In this case, you should configure IP address as ID.
I changed it to the sonicwall ip address in the vpn policy on the sonicwall and the ipsec.conf and ipsecsecrets.conf. Stop/start ipsec and receive the same output as before. Also, the sonicwall sees the tunnel as up but ipsec statusall does not. I googled this and found this:
https://lists.strongswan.org/pipermail/users/2012-January/007048.html
In this he states he misconfigured the certs to show FQDN and not email address. I used the pki tool to generate the certs and keys. How do I tell what my certs are configured for?
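The reply above turns on one mechanism: strongSwan's `constraint check failed: identity ... required` appears when the ID the peer sends differs from the configured `rightid` in either type (FQDN, IP address, e-mail, DN, key ID) or value. The following is an added example, not code from this thread or from strongSwan, that classifies ID strings by the ipsec.conf prefix conventions (assumption: `%any` matches anything, `@host` is an FQDN, `@#hex` is a key ID, an IP literal is an address, a string containing `@` is an e-mail address, a string containing `=` is a DN, anything else is treated as an FQDN) and reports why a configured `rightid` does or does not match what the peer presented. The config name `teknerds` and the sample IDs are taken from or constructed around this thread.

```python
import ipaddress
from dataclasses import dataclass

# Identity type labels, named after the IKE ID payload types strongSwan logs.
FQDN, RFC822, IPV4, IPV6, DN, KEY_ID, ANY = (
    "FQDN", "RFC822_ADDR", "IPV4_ADDR", "IPV6_ADDR", "DER_ASN1_DN", "KEY_ID", "ANY",
)


@dataclass(frozen=True)
class Identity:
    kind: str
    value: str


def parse_id(text):
    """Classify an ipsec.conf-style ID string (assumption: mirrors the documented
    leftid/rightid prefix conventions; this is not strongSwan's own parser)."""
    text = text.strip()
    if text in ("", "%any"):
        return Identity(ANY, "")
    if text.startswith("@#"):                      # @#<hex> -> binary key ID
        return Identity(KEY_ID, text[2:].lower())
    if text.startswith("@"):                       # @host -> FQDN, never resolved
        return Identity(FQDN, text[1:].lower())
    try:                                           # bare IPv4/IPv6 literal -> address ID
        addr = ipaddress.ip_address(text)
        return Identity(IPV4 if addr.version == 4 else IPV6, str(addr))
    except ValueError:
        pass
    if "@" in text:                                # user@host -> e-mail (RFC822) ID
        return Identity(RFC822, text.lower())
    if "=" in text:                                # C=CH, O=... -> distinguished name
        rdns = [rdn.strip() for rdn in text.split(",")]   # normalise RDN spacing
        return Identity(DN, ",".join(rdns))
    return Identity(FQDN, text.lower())            # plain string -> FQDN


def matches(configured, received):
    """A configured rightid constrains the peer: %any accepts everything,
    otherwise both the ID type and the value must agree."""
    c, r = parse_id(configured), parse_id(received)
    return c.kind == ANY or c == r


def check_peer_config(name, rightid, received_id):
    """Explain the outcome the way a charon log line would, including the ID types,
    which the real log message does not spell out."""
    if matches(rightid, received_id):
        return f"peer config '{name}' selected: identity '{received_id}' matches rightid={rightid}"
    c, r = parse_id(rightid), parse_id(received_id)
    return (f"constraint check failed: identity '{rightid}' required ({c.kind}), "
            f"peer sent '{received_id}' ({r.kind}); peer config '{name}' unacceptable")


if __name__ == "__main__":
    # Constructed IDs: an FQDN rightid versus a peer that identifies by IP address.
    print(check_peer_config("teknerds", "@sonicwall.id", "192.0.2.1"))
    print(check_peer_config("teknerds", "192.0.2.1", "192.0.2.1"))
```

When the two sides disagree, the fix is to make `rightid` the same type and value as the ID the peer actually sends; the type of a certificate-based ID can be read from the certificate's subject and subjectAltName, which is what the linked thread's poster had mismatched.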