[strongSwan] Using StrongSwan for IPSec VPN on CentOS 7 - no matching peer config found.

Josh jvpn at use.startmail.com
Mon Jan 4 04:25:33 CET 2016


Update: after enabling more verbosity on the CFG channel I see that

peer config match local: 0 (ID_FQDN -> ....)

How do I find out what the local ID_FQDN is that charon is trying to compare with?

I tried several options like the IP address, the fqdn from the certificate, and the string 'C=CH, O=fqdn-ca, CN=fqdn' (without quotes) taken from the log message

strongswan: 08[CFG]   id 'fqdn' not confirmed by certificate, defaulting to 'C=CH, O=fqdn-ca, CN=fqdn'

Regards,
Josh.

On 01/03/2016 07:10 PM, Josh wrote:
> I am trying to move a working strongswan eap-tls configuration from 
> pfsense to CentOS 7.
> I started from 
> https://www.vultr.com/docs/using-strongswan-for-ipsec-vpn-on-centos-7
> and removed all entries except for config, conn %default and conn 
> IpsecIKEv2, adjusting conn IpsecIKEv2 to the following
>
> conn IpsecIKEv2
>     rightauth=eap-tls
>     keyexchange=ikev2
>     leftauth=pubkey
>     leftsendcert=always
>     auto=add
>
> pfsense working ipsec.conf looks like
>
> cat ipsec.conf
> # This file is automatically generated. Do not edit
> config setup
>     uniqueids = yes
>
> conn con1
>     fragmentation = yes
>     keyexchange = ikev2
>     reauth = yes
>     forceencaps = no
>     mobike = no
>     rekey = yes
>     installpolicy = yes
>     type = tunnel
>     dpdaction = clear
>     dpddelay = 10s
>     dpdtimeout = 60s
>     auto = add
>     left = nnn.nnn.nnn.nnn
>     right = %any
>     leftid = fqdn:pfsense.org.name
>     ikelifetime = 28800s
>     lifetime = 3600s
>     rightsourceip = 192.168.142.0/24
>     ike = 3des-sha1-modp1024!
>     esp = aes256-sha1,aes256-sha256,aes192-sha1,aes192-sha256,aes128-sha1,aes128-sha256,3des-sha1,3des-sha256!
>     eap_identity=%identity
>     leftauth=pubkey
>     rightauth=eap-tls
>     leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
>     leftsendcert=always
>     rightca="/C=US/ST=FL/L=City/O=Org_Inc/emailAddress=ca at Org.name/CN=Org-internal-ca/"
>
>     leftsubnet = 0.0.0.0/0
>
>
> pfsense configuration was created by consulting
> https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS
> and
> https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
>
> pfsense configuration works with both modes.
>
> But on CentOS (even when I copy ipsec.conf from pfsense as a whole, 
> adjusting the IP and certificate) I get:
>
> Jan  3 18:15:14 hostname charon: 07[CFG] looking for peer configs matching nnn.nnn.nnn.nnn[server_name]...nnn.nnn.nnn.nnn[client_name]
> Jan  3 18:15:14 hostname charon: 07[CFG] no matching peer config found
>
> where server_name is the CN from the server certificate and client_name 
> is the CN from the client certificate.
>
> Is there a working configuration for connecting iOS 9.x to CentOS 
> strongswan already described somewhere?
>
> Regards,
> Josh.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
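Added example, not from the thread, to illustrate what the "not confirmed by certificate" warning above is checking: strongSwan accepts a configured identity only if the certificate confirms it (a subjectAltName entry, or the exact subject DN), and otherwise falls back to the DN. The helpers below assume the openssl CLI is installed; the certificate, names and file paths are constructed demo material.

```shell
#!/bin/sh
# Added example, not part of the thread. Lists the identities a certificate
# confirms and checks a candidate leftid/rightid against them, so the
# "id '...' not confirmed by certificate, defaulting to '<DN>'" message can
# be explained before touching ipsec.conf. Assumes the openssl CLI.

# Print every identity the certificate confirms: the subject DN first, in
# strongSwan's "C=CH, O=org, CN=host" style, then each subjectAltName entry
# as "DNS:host", "email:addr" or "IP Address:a.b.c.d".
cert_identities() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
        | sed 's/^subject= *//'
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit 0 if identity "$2" is confirmed by certificate "$1", 1 otherwise.
# Accepts the DN literally, or a bare FQDN / e-mail / address matched
# against the subjectAltName entries (fixed-string, whole-line match).
cert_confirms_id() {
    cert_identities "$1" | grep -qxF -e "$2" -e "DNS:$2" -e "email:$2" -e "IP Address:$2"
}

# Build a throwaway self-signed certificate (constructed demo material) whose
# SAN carries the FQDN "$2"; writes the cert to "$1" and the key to "$1.key".
make_demo_cert() {
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = CH
O = fqdn-ca
CN = $2
[ext]
subjectAltName = DNS:$2, email:vpn-admin@example.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -extensions ext -keyout "$1.key" -out "$1" >/dev/null 2>&1
    rm -f "$cfg"
}
```

Run `cert_identities /path/to/leftcert.pem` against the real server certificate; only a value printed there will be accepted as leftid without the defaulting warning.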


