[strongSwan] AUTH FAIL but I cannot figure out the reason

Tobias Brunner tobias at strongswan.org
Fri Jul 15 12:35:32 CEST 2016


Hi Ariwa,

> I see log. but I cannot figure out dubious point.
> Is there someone have any hint for it?

The log is pretty clear:

> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03	[CFG]	looking for peer configs matching 192.168.1.32[openwrt5server]...192.168.1.156[C=JP, L=Tokyo, O=Dread Beef limited., CN=bigandy]
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03	[CFG]	peer config match local: 0 (ID_FQDN -> 6f:70:65:6e:77:72:74:35:73:65:72:76:65:72)
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03	[CFG]	peer config match remote: 0 (ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:4a:50:31:0e:30:0c:06:03:55:04:07:13:05:54:6f:6b:79:6f:31:1c:30:1a:06:03:55:04:0a:13:13:44:72:65:61:64:20:42:65:65:66:20:6c:69:6d:69:74:65:64:2e:31:10:30:0e:06:03:55:04:03:13:07:62:69:67:61:6e:64:79)
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03	[CFG]	ike config match: 2076 (192.168.1.32 192.168.1.156 IKEv2)
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03	[CFG]	no matching peer config found			/* what is this? */

The client proposes identities that don't match your config.

You configured `leftcert` but not `leftid`, so the server's identity
will default to its IP address or, if that's not contained as
subjectAltName extension in the certificate, to the full subject DN of
the certificate.  The client, however, proposes `openwrt5server` as
server identity (because you configured that explicitly as server
identity in the VPN profile), which won't match either of these
potential server identities.  The client identity does not match either.
Since you didn't configure `rightid` but explicitly set `right` to an IP
address (roadwarrior connections usually have `right=%any`), the identity
will default to that IP, which won't match the ASN.1 DN the client sends
as its identity.

The identity the client uses as server identity has to be contained as
subjectAltName extension in the server's certificate.  If that's the
case with `openwrt5server` then configure that as `leftid` on the
server.  Usually, the hostname (or IP address) of the server is added as
subjectAltName to the certificate, in which case you don't have to
explicitly configure the server identity on the client as the Android
client uses the hostname/address as remote identity by default (it does
not send a remote identity either, if not explicitly configured, so you
wouldn't have to set `leftid` on the server).  Alternatively, you could
configure the complete subject DN of the server's certificate as server
identity on the client.

To accept the client identity just set `right=%any`, or explicitly
configure `rightid` (to either `%any` or the subject DN, optionally with
wildcards e.g. "C=JP, L=Tokyo, O=Dread Beef limited., CN=*").

Regards,
Tobias
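The two server-side configurations described above, side by side, as an added example that is not part of the mail thread. The ipsec.conf fragment is reconstructed from Tobias' description (leftcert set, no leftid, `right` pinned to the client's address, no rightid); the connection names, certificate file name and address pool are assumptions, and `leftid=openwrt5server` is only correct if that name really is a subjectAltName in the server certificate.

```ini
# Added example, not from the original mail: ipsec.conf fragments reconstructed
# from the discussion.  Connection names, certificate file name and the
# rightsourceip pool are assumptions.

# --- before: produces "no matching peer config found" ---
conn rw-broken
    left=192.168.1.32
    leftcert=serverCert.pem     # no leftid: server ID defaults to a SAN (IP) or the
                                # full subject DN, not "openwrt5server" sent by the client
    leftsubnet=0.0.0.0/0
    right=192.168.1.156         # no rightid: client ID defaults to this IP, but the
                                # client identifies with its certificate's DN
    rightsourceip=10.10.0.0/24
    auto=add

# --- after: identities match what the client actually proposes ---
conn rw-fixed
    left=192.168.1.32
    leftcert=serverCert.pem
    leftid=openwrt5server       # valid only if "openwrt5server" is a subjectAltName
                                # in serverCert.pem; otherwise drop it and configure the
                                # hostname/IP or full subject DN on the client instead
    leftsubnet=0.0.0.0/0
    right=%any                  # roadwarrior: accept any client address (rightid -> %any)
    rightid="C=JP, L=Tokyo, O=Dread Beef limited., CN=*"   # optional: restrict accepted
                                # client DNs with a wildcard instead of accepting %any
    rightsourceip=10.10.0.0/24
    auto=add
```

Before relying on `leftid=openwrt5server`, confirm the name is actually present in the certificate's subjectAltName extension (for example with `openssl x509 -in serverCert.pem -noout -text` and looking at the "X509v3 Subject Alternative Name" section), then run `ipsec reload` so the daemon picks up the changed connection. Leaving `rightid` out entirely with `right=%any` accepts any client that the configured CA can authenticate; the wildcard DN narrows that to certificates issued to the given organisation.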


