[strongSwan] Using StrongSwan for IPSec VPN on CentOS 7 - no matching peer config found.
Josh
jvpn at use.startmail.com
Mon Jan 4 01:10:38 CET 2016
I am trying to move a working strongswan eap-tls configuration from
pfsense to CentOS 7.
I started from
https://www.vultr.com/docs/using-strongswan-for-ipsec-vpn-on-centos-7
and removed all entries except for config, conn %default and conn
IpsecIKEv2, adjusting conn IpsecIKEv2 to the following:

conn IpsecIKEv2
    rightauth=eap-tls
    keyexchange=ikev2
    leftauth=pubkey
    leftsendcert=always
    auto=add
The working pfSense ipsec.conf looks like this:
cat ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = nnn.nnn.nnn.nnn
    right = %any
    leftid = fqdn:pfsense.org.name
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = 192.168.142.0/24
    ike = 3des-sha1-modp1024!
    esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256,3des-sha1,3des-sha256!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    leftsendcert=always
    rightca="/C=US/ST=FL/L=City/O=Org_Inc/emailAddress=ca at Org.name/CN=Org-internal-ca/"
    leftsubnet = 0.0.0.0/0
The pfSense configuration was created by consulting
https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS
and
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
The pfSense configuration works with both modes.

But on CentOS (even when I copy the whole ipsec.conf from pfSense,
adjusting only the IP and the certificate) I get:

Jan 3 18:15:14 hostname charon: 07[CFG] looking for peer configs matching nnn.nnn.nnn.nnn[server_name]...nnn.nnn.nnn.nnn[client_name]
Jan 3 18:15:14 hostname charon: 07[CFG] no matching peer config found

where server_name is the CN from the server certificate and client_name
is the CN from the client certificate.
Is there a working configuration for connecting iOS 9.x to CentOS
strongswan already described somewhere?
Regards,
Josh.
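A small diagnostic for the log pair quoted above, added here as an example and not part of the original thread or of strongSwan itself: it parses the "looking for peer configs matching" line together with an ipsec.conf and reports, per conn, whether leftid/rightid would accept the identities charon printed. It approximates only the IKE-identity part of charon's peer-config selection (auth method, addresses and certificates are not compared), and the log line and ipsec.conf it runs on are constructed placeholders.

```python
import re
# Constructed sample of the charon CFG line quoted in the post (addresses and identities are placeholders).
SAMPLE_LOG = "Jan  3 18:15:14 hostname charon: 07[CFG] looking for peer configs matching 203.0.113.1[vpn.example.org]...198.51.100.7[client.example.org]"
# Constructed sample ipsec.conf (not the poster's): first conn's leftid disagrees with the IDr sent, second agrees.
SAMPLE_CONF = """conn %default
    right = %any
conn IpsecIKEv2
    leftid = fqdn:gateway.example.org
conn ios-eap-tls
    leftid = vpn.example.org
"""
LOG_RE = re.compile(r"peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")

def parse_match_line(line):
    """Return (local_addr, local_id, remote_addr, remote_id) from the charon line, or None."""
    return m.groups() if (m := LOG_RE.search(line)) else None

def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: conn sections, with conn %default settings inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][key] = val
    default = sections.pop("%default", {})
    return {n: {**default, **s} for n, s in sections.items() if n != "setup"}

def norm_id(value):
    """Drop strongSwan id type prefixes and quotes so identities compare by value."""
    return re.sub(r"^(fqdn|dns|email|ipv4|ipv6|keyid|asn1dn):", "",
                  value.strip().strip('"'), flags=re.I).lower()

def _verdict(conn, local_id, remote_id):
    left, right = conn.get("leftid"), conn.get("rightid", "%any")
    if left is None:
        return "leftid unset: defaults to leftcert subject or left address, verify manually"
    if norm_id(left) != norm_id(local_id):
        return f"leftid mismatch: conn has {left!r}, client asked for {local_id!r}"
    if right != "%any" and norm_id(right) != norm_id(remote_id):
        return f"rightid mismatch: conn has {right!r}, client sent {remote_id!r}"
    return "identities match"

def check_conn_ids(conf_text, log_line):
    """Per-conn verdict on the IKE-identity part of peer selection only (auth, addresses, certs not compared)."""
    _, local_id, _, remote_id = parse_match_line(log_line)
    return {n: _verdict(c, local_id, remote_id) for n, c in parse_ipsec_conf(conf_text).items()}
```

Run it against the real charon line and the real ipsec.conf to see which conn is rejected on identity grounds before looking at authentication or certificate issues.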