[strongSwan] questions on syslog output; linux server/mac client RSA certificate auth

Martin Willi martin at strongswan.org
Wed Dec 17 10:08:52 CET 2014


> 14[CFG] looking for RSA signature peer configs matching vpn_ip...client_ip[C=US, O=ThatsUs, CN=myemailaddr]
> Would this be as expected?  I can't figure out why it isn't trying to
> match to the vpn host certificate.

Before looking for certificates, strongSwan looks for a configuration
that matches the proposed identities and authentication method. 

> 14[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
> Can anyone tell me what this means?

It means that the daemon couldn't find a configuration for that client
that uses RSA authentication with Main Mode.

> 07[CFG]   rightauth=pubkey
> 07[CFG]   rightauth2=xauth-noauth

Your config uses XAuth, that is, RSA followed by username/password
authentication. This is not the same as the client expects; try to
remove the rightauth2 line to use RSA authentication only.
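
Added illustration, not part of the original message and not strongSwan code: a simplified Python model of the check described above, which derives the IKEv1 authentication each conn expects from its rightauth/rightauth2 lines and lists the conns a client proposing plain RSA signature authentication could match. The conn names and sample ipsec.conf are constructed, and treating pubkey as "RSA signature" and ignoring also= includes are assumptions of this sketch.

```python
# Simplified model for illustration; strongSwan's real config matching is more involved.
SAMPLE_CONF = """\
# constructed sample; conn names are hypothetical
conn %default
    keyexchange=ikev1
    leftauth=pubkey

conn mac-xauth
    rightauth=pubkey
    rightauth2=xauth-noauth

conn mac-rsa
    rightauth=pubkey
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line: # indented key=value parameter
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def expected_method(opts):
    """Authentication the conn requires from the remote side (assumed mapping)."""
    first = opts.get("rightauth", "pubkey")
    base = {"pubkey": "RSA signature", "psk": "pre-shared key"}.get(first, first)
    if opts.get("rightauth2", "").startswith("xauth"):
        return base + " + XAuth"                  # second round: username/password
    return base

def matching_conns(conns, proposed):
    """Names of conns whose expected method equals what the client proposes."""
    return [n for n, o in conns.items() if expected_method(o) == proposed]

if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name, opts in conns.items():
        print(f"{name}: expects {expected_method(opts)}")
    print("usable with plain RSA:", matching_conns(conns, "RSA signature"))
```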

