[strongSwan] Using StrongSwan for IPSec VPN on CentOS 7 - no matching peer config found.

Josh jvpn at use.startmail.com
Mon Jan 4 16:32:16 CET 2016

Hi Derek,

Thanks for a yet another pointer to a page with instructions.

I confirmed that the root cause of my problems was server certificate 
creation process.

Strongswan pki commands provided in various samples create server 
certificate that is not sufficiently acceptable:

strongswan: 08[CFG]   id 'fqdn' not confirmed by certificate, defaulting 
to 'C=CH, O=fqdn-ca, CN=fqdn'

I ended up creating certificate using pfsense certificate manager and 
that solved the problem.

Certificate analysis shows that pfsense created certificate has IP 
address as alternative name as shown in openssl x509 output

# openssl x509 -in certs/vpnHostCert.pem -noout -text
X509v3 Subject Alternative Name:
DNS:fqdn, IP Address:nnn.nnn.nnn.nnn

while strongswan pki created does not have 'IP Address' keyword.

Could you please check alternative names in your certificate?


On 01/04/2016 09:57 AM, Derek Cameron wrote:
> Hi, Josh,
> I am using Debian 8 rather than CentOS 7, but it works fine for iOS 9 
> clients.
> Here is what I did:
> https://dcamero.github.io
> Regards,
> Derek.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list