[strongSwan] Question on IKEv2

Kimmo Koivisto koippa at gmail.com
Fri Apr 6 18:05:39 CEST 2012


Hello Chris

Are you using two configurations to test, one configured to use psk
(password) and one to use certificates?

You have this in your ipsec.conf:

authby=secret

which means that you are using a pre-shared key (password) and not certificates.

Use authby=rsasig when using ikev1 and leftauth=pubkey when using ikev2.

See ipsec.conf man page, look at authby and leftauth parameters.


Regards,
Kimmo
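Added example, not Kimmo's text or strongSwan's own documentation: the two authentication styles for an IKEv2 connection side by side, as ipsec.conf and ipsec.secrets fragments. The connection names, the gateway address 203.0.113.10 and the hostnames are constructed placeholders; `rightid=@sonicwall.id` is the value from the thread.

```ini
# --- ipsec.conf ---

# Pre-shared key: this is what authby=secret selects. The identity the
# peer sends (rightid) must match exactly, but no certificate is involved.
conn teknerds-psk
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=@gateway.example.org
    right=203.0.113.10
    rightid=@sonicwall.id
    auto=add

# Certificates with IKEv2: leftauth/rightauth replace authby. Each id must
# be the subject DN or one of the subjectAltNames of the matching
# certificate, otherwise the peer fails the identity constraint check.
conn teknerds-cert
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    left=%defaultroute
    # placed in /etc/ipsec.d/certs
    leftcert=gatewayCert.pem
    leftid=@gateway.example.org
    right=203.0.113.10
    # must appear in the certificate the SonicWALL presents
    rightid=@sonicwall.id
    auto=add

# --- ipsec.secrets ---

# for the PSK connection: both ids, then the shared secret
@gateway.example.org @sonicwall.id : PSK "replace-with-a-long-random-secret"

# for the certificate connection: the private key in /etc/ipsec.d/private
: RSA gatewayKey.pem
```

Only one of the two `conn` blocks should be active for a given peer; with both loaded and `auto=add`, the responder picks whichever matches the proposal and identities it receives, which is exactly the kind of ambiguity that produces a "selected peer config ... inacceptable" line in the log.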




2012/4/6 Chris Arnold <carnold at electrichendrix.com>:
>>>Hello
> Hi Kimmo. Thanks for the reply!!
>
>>>I'm no strongswan developer, here's my best guess:
>
>>> authentication of 'sonicwall id' with pre-shared key successful
>>> constraint check failed: identity 'sonicwall id' required
>>> selected peer config 'teknerds' inacceptable
>>> no alternative config found
>
>>>        rightid=@sonicwall.id
>
>>>Sonicwall sends something (DN, IP address, FQDN, email) as its ID and
>>>you need to configure that ID to your ipsec.conf.
> Sonicwall sends its Unique ID which by default is the device serial number. That can be changed but in our case, it is the serial number. I have that ID set in the VPN policy on the sonicwall. I also have that set in the strongswan ipsec.conf (verified many times to be correct) and the ipsecsecrets.conf file (also verified many times).
>
>>>I'm guessing that Sonicwall sends its IP address but you have
>>>configured something else, such as rightid=@sonicwall.yourdomain.xx.
>>>which is FQDN.
>>>In this case, you should configure IP address as ID.
> I changed it to the sonicwall ip address in the vpn policy on the sonicwall and the ipsec.conf and ipsecsecrets.conf. Stop/start ipsec and receive the same output as before. Also, the sonicwall sees the tunnel as up but ipsec statusall does not. I googled this and found this:
> https://lists.strongswan.org/pipermail/users/2012-January/007048.html
> In this he states he misconfigured the certs to show fqdn and not email address. I used pki tool to generate the certs and keys. How do I tell what my certs are configured for?
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
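Chris asks how to tell which identities his certificates carry. The following is an added example, not part of the thread and not a strongSwan tool: a small POSIX shell script that uses the OpenSSL command line (assumed installed) to list the subject DN and every subjectAltName of a PEM certificate, and to check whether a strongSwan-style id such as `@moon.example.org`, `moon@example.org` or `192.0.2.1` is among them. The function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan). Requires the
# OpenSSL CLI. Lists the identities a peer can use to match a certificate.

# Print the subject DN (RFC 2253 form, as strongSwan logs it) followed by
# each subjectAltName entry on its own line, e.g.
#   CN=moon.example.org
#   DNS:moon.example.org
#   email:moon@example.org
cert_identities() {
    cert="$1"
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
    # the SAN values sit on the line after the extension header in -text output
    openssl x509 -in "$cert" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^ *//'
}

# Return 0 if the strongSwan id in $2 names one of the certificate's
# identities. A leading '@' (strongSwan's marker for an FQDN id) is dropped,
# and the "DNS:", "email:" and "IP Address:" prefixes are stripped so that
# "@moon.example.org" matches DNS:moon.example.org, "moon@example.org"
# matches the email SAN and "192.0.2.1" matches an IP SAN. A DN id is
# compared against the RFC 2253 subject line.
cert_has_id() {
    id="${2#@}"
    cert_identities "$1" \
        | sed -E 's/^(DNS|email|IP Address)://' \
        | grep -qx "$id"
}

# Usage (hypothetical paths):
#   sh check_cert_id.sh /etc/ipsec.d/certs/moonCert.pem @moon.example.org
if [ $# -eq 2 ]; then
    if cert_has_id "$1" "$2"; then
        echo "id '$2' is an identity of $1"
    else
        echo "id '$2' is NOT an identity of $1; it carries:"
        cert_identities "$1"
        exit 1
    fi
fi
```

Run it against both your own certificate (for `leftid`) and the one the peer presents (for `rightid`); a `constraint check failed: identity ... required` line means the id on the strongSwan side is not in this list, so either the id or the certificate has to change.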



