[strongSwan] strongswan error: "no matching peer config found"

Martin Willi martin at strongswan.org
Wed Mar 6 09:39:42 CET 2013

Hi Justin,

> ==== SERVER ipsec.conf ====
> [...]
>   leftcert=cert.pem
>   leftid=%any

In strongswan, it is required that you define a leftid that is contained
in your certificate, either as subject or as subjectAltName. This is
certainly not the case for %any, hence the daemon overrides leftid with
the certificate subject (see startup log).

> ==== CLIENT ipsec.conf ====
> [...]
>   right=msi-strongswan.simorg.msi

Your client however doesn't define a rightid, defaulting to right, which
is the IP for msi-strongswan.simorg.msi.

To fix the issue, use a leftid on the server that is contained in the
certificate. On the client, configure the same as rightid. Alternatively
you can define rightid=%any on the client, but this implies that your
connection can be authenticated by any responder that has a valid
certificate under your CA.

Best regards

More information about the Users mailing list