[strongSwan] [Strongswan] Authentication based on X.509 using DN identification has failed and getting errors

Tobias Brunner tobias at strongswan.org
Fri Nov 2 11:43:23 CET 2012


> "strongswan(client) - Netgear(server)"

I suppose you meant "strongswan(server) - Netgear(client)" because...

> But according to RFC 4306, IDr payload is optional

(Please use RFC 5996 for future reference)  ...the IDr payload *is*
optional, but only in the IKE_AUTH *request*.  See page 11 of RFC 5996
for a description of the response.  It starts with:

  "The responder asserts its identity with the IDr payload, optionally
   sends one or more certificates..."

So, assuming you meant that the Netgear is the client and referring to
your earlier logs

> 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr ]
> ...
> 13[CFG] looking for peer configs matching[%any]...[]

the problem is that the IDi is empty ([]) the non-existence of IDr is
reflected as [%any].  Since you've configured

> rightid="C=CH, O=strongswan, CN=iss"

there won't be a match as the empty IDi does not match that CN.  So make
sure you configure that CN as local ID on the Netgear device.


More information about the Users mailing list