[strongSwan] IDr problems...

Carson Gaspar carson at taltos.org
Sun Nov 27 02:24:32 CET 2016


I'm trying to set up IKEv2 to ipvanish.com's VPN service. I can't manage 
to get past authenticating their server. Log excerpt (I have a full 
decrypted packet trace if more info would be helpful):

generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.69[4500] to 81.171.97.38[4500] (476 bytes)
received packet: from 81.171.97.38[4500] to 192.168.1.69[4500] (1708 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "OU=Domain Control Validated, CN=*.vpn.ipvanish.com"
no trusted RSA public key found for '81.171.97.38'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

The packet dump shows them sending an IDr of ID_IPV4_ADDR: 81.171.97.38. 
Sadly, their cert is missing a SAN for that, as a dump of their cert shows:

         Subject: OU=Domain Control Validated, CN=*.vpn.ipvanish.com
             X509v3 Subject Alternative Name:
                 DNS:*.vpn.ipvanish.com, DNS:vpn.ipvanish.com

Is there any way to override the IDr they send in my strongswan config? 
I've tried everything I can think of in rightid/rightcert/rightsigkey 
and always get the "no trusted RSA public key" error. I'm a strongswan 
n00b, so apologies if I'm missing something obvious.

The only IKEv2 client they officially support is iOS, so there's really 
no chance of getting them to fix their end :-(

-- 
Carson
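
The mismatch described in the message above, as an added example that is not part of the original post and is not strongSwan's code. It is a simplified model of binding a peer identity to a certificate: the identity must appear as the subject DN or as a SAN of the same type, compared exactly with no wildcard expansion (an assumption of this sketch). All function names are hypothetical.

```python
import ipaddress

# Constructed sample: the certificate fields quoted in the post, laid out
# as in an `openssl x509 -text` dump.
CERT_TEXT = """\
        Subject: OU=Domain Control Validated, CN=*.vpn.ipvanish.com
            X509v3 Subject Alternative Name:
                DNS:*.vpn.ipvanish.com, DNS:vpn.ipvanish.com
"""

def parse_cert_identities(text):
    """Return (subject_dn, [(san_type, value), ...]) from the text dump."""
    subject, sans = None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            subject = stripped[len("Subject:"):].strip()
        elif stripped.startswith("X509v3 Subject Alternative Name:") and i + 1 < len(lines):
            # SAN entries sit on the following line, comma separated.
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if value:
                    sans.append((kind.strip(), value.strip()))
    return subject, sans

def classify_id(value):
    """Map a peer identity string to the SAN type that would have to carry it."""
    try:
        ipaddress.ip_address(value)
        return "IP Address"
    except ValueError:
        pass
    return "DN" if "=" in value else "DNS"

def cert_confirms_id(idr, text):
    """True if the certificate carries idr as its subject DN or a same-type SAN."""
    subject, sans = parse_cert_identities(text)
    kind = classify_id(idr)
    if kind == "DN":
        return idr == subject
    return any(k == kind and v.lower() == idr.lower() for k, v in sans)

if __name__ == "__main__":
    for idr in ("81.171.97.38", "vpn.ipvanish.com"):
        print(idr, "->", cert_confirms_id(idr, CERT_TEXT))
```

The IPv4 IDr from the log is classified as needing an "IP Address" SAN, which the certificate does not carry; only its DNS entries could confirm an FQDN identity.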


