[strongSwan] questions on syslog output; linux server/mac client RSA certificate auth

Martin Willi martin at strongswan.org
Wed Dec 17 10:08:52 CET 2014


Cindy,

> 14[CFG] looking for RSA signature peer configs matching vpn_ip...client_ip[C=US, O=ThatsUs, CN=myemailaddr]
> 
> Would this be as expected?  I can't figure out why it isn't trying to
> match to the vpn host certificate.

Before looking for certificates, strongSwan looks for a configuration
that matches the proposed identities and authentication method. 

> 14[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
> 
> Can anyone tell me what this means?

It means that the daemon couldn't find a configuration for that client
that uses RSA authentication with Main Mode.

> 07[CFG]   rightauth=pubkey
> 07[CFG]   rightauth2=xauth-noauth

Your config uses XAuth, that is, RSA followed by username/password
authentication. This is not the same as what the client expects; try to
remove the rightauth2 line to use RSA authentication only.

Regards
Martin
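
The change suggested in the reply above, sketched as an ipsec.conf fragment. This is an added example, not part of the original message and not the poster's actual configuration: the conn names, certificate file name and address pool are constructed placeholders, and keyexchange=ikev1 is assumed because the log mentions Main Mode.

```conf
# ipsec.conf fragment for a strongSwan IKEv1 responder (constructed example).
# The two conn sections are alternatives shown side by side; load only one.

# Before: the remote side must pass two authentication rounds, RSA signature
# first and XAuth second. Per the reply above, this is not what a client
# proposing plain RSA signature authentication in Main Mode expects, so the
# daemon logs "found 1 matching config, but none allows RSA signature
# authentication using Main Mode".
conn rsa-then-xauth
    keyexchange=ikev1
    left=%any
    leftauth=pubkey
    # placeholder certificate file name
    leftcert=vpnHostCert.pem
    right=%any
    rightauth=pubkey
    rightauth2=xauth-noauth
    # placeholder virtual IP pool
    rightsourceip=10.0.0.0/24
    auto=add

# After: rightauth2 removed, so the config asks for RSA signature
# authentication only, which is what the reply suggests for this client.
conn rsa-only
    keyexchange=ikev1
    left=%any
    leftauth=pubkey
    # placeholder certificate file name
    leftcert=vpnHostCert.pem
    right=%any
    rightauth=pubkey
    # placeholder virtual IP pool
    rightsourceip=10.0.0.0/24
    auto=add
```

After reloading, the `[CFG]` lines printed when the conn is loaded (the ones quoted in the thread) should list `rightauth=pubkey` with no `rightauth2` entry.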