[strongSwan] Help with wildcard identifiers

Noel Kuntze noel at familie-kuntze.de
Fri Jun 13 18:52:28 CEST 2014



Hello,

Your rightid setting does not match the DN of the certificate.
rightid="C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*"
DN="C=US, ST=State, L=City, O=Company_2, OU=Marketing"

The organization part of the id does not match the organization part of the DN of the certificate.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 13.06.2014 18:48, bviper47 wrote:
> Greetings,
>
> I am attempting to set up an IKEv1 RSA endpoint to serve Android and
> iOS native clients. However, I wish to restrict connections to certain
> distinguished names. (e.g. clients starting with "C=US, ST=State,
> L=City, O=Company_1, OU=Sales" are allowed, but "C=US, ST=State,
> L=City, O=Company_1, OU=Marketing" are not) Very much like this older
> strongSwan 4.2 configuration guide is referencing
> http://www.strongswan.org/docs/readme4.htm#section_4.6 and this guide
> for iOS http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#strongSwan-configuration-for-multiple-clients
> . I am receiving a "no peer config found" error message. I am using
> strongSwan 5.1.3 configured with "./configure --prefix=/usr
> --sysconfdir=/etc --enable-xauth-noauth"
>
> My ipsec.conf is the following:
>
> config setup
>         charondebug="ike 2, knl 2"
> conn ios
>         keyexchange=ikev1
>         leftauth=rsa
>         rightauth=rsa
>         rightauth2=xauth-noauth
>         left=%defaultroute
>         leftsubnet=0.0.0.0/0
>         leftfirewall=no
>         leftcert=server.crt.pem
>         right= %any
>         rightid="C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*"
>         rightsubnet=10.0.0.0/24
>         rightsourceip=10.0.0.0/24
>         auto=add
>
> My full log can be found at http://pastebin.com/yN4v0aRX
>
> I'm getting the following
>
> Jun 13 11:20:23 ast-scodev-4 charon: 12[CFG] looking for XAuthInitRSA
> peer configs matching 10.89.150.204...10.152.10.45[C=US, ST=State,
> L=City, O=Company_2, OU=Marketing, CN=client_2]
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] no peer config found
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] queueing INFORMATIONAL task
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] activating new tasks
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE]   activating INFORMATIONAL task
> Jun 13 11:20:23 ast-scodev-4 charon: 12[ENC] generating
> INFORMATIONAL_V1 request 1377396233 [ HASH N(AUTH_FAILED) ]
> Jun 13 11:20:23 ast-scodev-4 charon: 12[NET] sending packet: from
> 10.89.150.204[500] to 10.152.10.45[500] (92 bytes)
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] IKE_SA (unnamed)[1] state
> change: CONNECTING => DESTROYING
>
> Please note that setting rightauth2=xauth-generic still results in the
> same error.
>
> Any suggestions?
>
> Thanks

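As an added example (not from the thread or from the strongSwan project), the script below models the RDN-by-RDN comparison strongSwan applies between a wildcard rightid and the DN a client certificate presents, and reports which RDNs disagree. It assumes RDNs must agree in order and count, that a value of exactly "*" is a wildcard for its RDN, and that other values compare case-insensitively; the sample DNs are the ones quoted in the thread.

```python
# Added example, not strongSwan's own code: a simplified model of how a
# configured rightid with "*" wildcards is matched against a peer's DN.
# Assumptions: RDNs are compared in order, attribute types must match,
# a value of exactly "*" is a wildcard for that RDN, both DNs need the
# same number of RDNs, and plain values compare case-insensitively.


def parse_dn(dn):
    """Split 'C=US, ST=State, ...' into an ordered list of (type, value)."""
    rdns = []
    for part in dn.split(","):
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def dn_mismatches(identity, dn):
    """Return the reasons why `dn` fails to match the wildcard identity
    `identity`; an empty list means the DN matches."""
    id_rdns = parse_dn(identity)
    dn_rdns = parse_dn(dn)
    reasons = []
    if len(id_rdns) != len(dn_rdns):
        reasons.append("RDN count differs: id has %d, DN has %d"
                       % (len(id_rdns), len(dn_rdns)))
    for (itype, ival), (dtype, dval) in zip(id_rdns, dn_rdns):
        if itype != dtype:
            reasons.append("attribute order differs: id %s vs DN %s"
                           % (itype, dtype))
        elif ival != "*" and ival.lower() != dval.lower():
            reasons.append("%s: id wants %r, certificate has %r"
                           % (itype, ival, dval))
    return reasons


def id_matches_dn(identity, dn):
    """True when every RDN of `dn` is accepted by `identity`."""
    return not dn_mismatches(identity, dn)


# rightid from the posted ipsec.conf and the DN of the failing client
# as shown in the quoted charon log
RIGHTID = "C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*"
CLIENT_DN = "C=US, ST=State, L=City, O=Company_2, OU=Marketing, CN=client_2"

if __name__ == "__main__":
    for reason in dn_mismatches(RIGHTID, CLIENT_DN):
        print(reason)
```

Run against the thread's values it reports both the O and the OU mismatch, which is why charon finds no peer config even though CN=* would have accepted client_2.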
