[strongSwan] Help with wildcard identifiers

bviper47 bviper47 at gmail.com
Fri Jun 13 18:48:25 CEST 2014


Greetings,

I am attempting to set up an IKEv1 RSA endpoint to serve Android and
iOS native clients. However, I wish to restrict connections to certain
distinguished names (e.g. clients starting with "C=US, ST=State,
L=City, O=Company_1, OU=Sales" are allowed, but "C=US, ST=State,
L=City, O=Company_1, OU=Marketing" are not), very much like what this
older strongSwan 4.2 configuration guide references:
http://www.strongswan.org/docs/readme4.htm#section_4.6
and this guide for iOS:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#strongSwan-configuration-for-multiple-clients
I am receiving a "no peer config found" error message. I am using
strongSwan 5.1.3 configured with "./configure --prefix=/usr
--sysconfdir=/etc --enable-xauth-noauth".

My ipsec.conf is the following:

config setup
        charondebug="ike 2, knl 2"
conn ios
        keyexchange=ikev1
        leftauth=rsa
        rightauth=rsa
        rightauth2=xauth-noauth
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=no
        leftcert=server.crt.pem
        right=%any
        rightid="C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*"
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.0/24
        auto=add

My full log can be found at http://pastebin.com/yN4v0aRX

I'm getting the following:

Jun 13 11:20:23 ast-scodev-4 charon: 12[CFG] looking for XAuthInitRSA
peer configs matching 10.89.150.204...10.152.10.45[C=US, ST=State,
L=City, O=Company_2, OU=Marketing, CN=client_2]
Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] no peer config found
Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] queueing INFORMATIONAL task
Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] activating new tasks
Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE]   activating INFORMATIONAL task
Jun 13 11:20:23 ast-scodev-4 charon: 12[ENC] generating
INFORMATIONAL_V1 request 1377396233 [ HASH N(AUTH_FAILED) ]
Jun 13 11:20:23 ast-scodev-4 charon: 12[NET] sending packet: from
10.89.150.204[500] to 10.152.10.45[500] (92 bytes)
Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] IKE_SA (unnamed)[1] state
change: CONNECTING => DESTROYING

Please note that setting rightauth2=xauth-generic still results in the
same error.

Any suggestions?

Thanks
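The following is an added example, not code from the original post or from strongSwan. It models, as an assumption about how strongSwan compares a `rightid` pattern with a peer's certificate subject (RDN by RDN, same attribute types in the same order, with `*` standing for any value), and runs that comparison over the `rightid` from the posted ipsec.conf and the client DN shown in the log, plus one constructed Sales DN. The `parse_dn`, `dn_matches` and `find_peer_config` names are mine, not strongSwan's.

```python
"""Added example: RDN-by-RDN wildcard matching of X.509 distinguished names.

Assumption (not strongSwan's own code): a rightid pattern such as
"C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*" matches a peer DN
only if both have the same number of RDNs, the same attribute types in
the same order, and equal values, where '*' in the pattern matches any value.
"""
import re

# One RDN: attribute type, '=', value; backslash escapes a literal comma.
_RDN_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*((?:\\.|[^,])*)')


def parse_dn(dn):
    """Split 'C=US, O=Foo' into [('C', 'US'), ('O', 'Foo')], honouring '\\,' escapes."""
    rdns = []
    for raw in re.split(r'(?<!\\),', dn):
        m = _RDN_RE.fullmatch(raw)
        if not m:
            raise ValueError('malformed RDN: %r' % raw)
        rdns.append((m.group(1).upper(), m.group(2).replace('\\,', ',').strip()))
    return rdns


def dn_matches(pattern, subject):
    """True when the subject DN satisfies the pattern DN ('*' wildcard allowed in pattern values)."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if len(p) != len(s):
        return False
    for (ptype, pval), (stype, sval) in zip(p, s):
        if ptype != stype:
            return False
        if pval != '*' and pval != sval:
            return False
    return True


def find_peer_config(configs, client_dn):
    """Names of conns whose rightid matches client_dn; an empty list is 'no peer config found'."""
    return [name for name, rightid in configs.items() if dn_matches(rightid, client_dn)]


# Constructed inputs: the rightid from the posted ipsec.conf, the DN from the
# posted log, and one hypothetical Sales client that should be accepted.
CONFIGS = {'ios': 'C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*'}
SALES_CLIENT = 'C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=client_1'
MARKETING_CLIENT = 'C=US, ST=State, L=City, O=Company_2, OU=Marketing, CN=client_2'

if __name__ == '__main__':
    for dn in (SALES_CLIENT, MARKETING_CLIENT):
        hit = find_peer_config(CONFIGS, dn)
        print('%s -> %s' % (dn, hit or 'no peer config found'))
```

Run against the DN in the log (O=Company_2, OU=Marketing), the lookup returns no conn, which is the same outcome the charon log reports; the constructed Sales DN matches the `ios` conn through the `CN=*` wildcard.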

