[strongSwan] IDr problems...
Carson Gaspar
carson at taltos.org
Sun Nov 27 02:24:32 CET 2016
I'm trying to set up IKEv2 to ipvanish.com's VPN service. I can't manage
to get past authenticating their server. Log excerpt (I have a full
decrypted packet trace if more info would be helpful):
    generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
    sending packet: from 192.168.1.69[4500] to 81.171.97.38[4500] (476 bytes)
    received packet: from 81.171.97.38[4500] to 192.168.1.69[4500] (1708 bytes)
    parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
    received end entity cert "OU=Domain Control Validated, CN=*.vpn.ipvanish.com"
    no trusted RSA public key found for '81.171.97.38'
    generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
The packet dump shows them sending an IDr of ID_IPV4_ADDR: 81.171.97.38.
Sadly, their cert is missing a SAN for that, as a dump of their cert shows:
    Subject: OU=Domain Control Validated, CN=*.vpn.ipvanish.com
    X509v3 Subject Alternative Name:
        DNS:*.vpn.ipvanish.com, DNS:vpn.ipvanish.com
Is there any way to override the IDr they send in my strongswan config?
I've tried everything I can think of in rightid/rightcert/rightsigkey
and always get the "no trusted RSA public key" error. I'm a strongswan
n00b, so apologies if I'm missing something obvious.
The only IKEv2 client they officially support is iOS, so there's really
no chance of getting them to fix their end :-(
--
Carson
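
The mismatch described in the post, as an added example that is not part of the original message and is not strongSwan's code: a simplified model of checking whether a certificate vouches for the identity a peer sends in IDr. It assumes exact, typed comparison (no wildcard expansion, DNs compared as plain strings); the certificate data is constructed from the dump quoted above, and all function names are hypothetical.

```python
import ipaddress

# Constructed from the certificate dump quoted in the post.
CERT = {
    "subject": "OU=Domain Control Validated, CN=*.vpn.ipvanish.com",
    "san": [("DNS", "*.vpn.ipvanish.com"), ("DNS", "vpn.ipvanish.com")],
}


def cert_identities(cert):
    """Return the typed identities a certificate can vouch for."""
    ids = {("DN", cert["subject"])}
    for kind, value in cert["san"]:
        if kind == "IP":
            # Normalise so textual variants of one address compare equal.
            ids.add(("IP", str(ipaddress.ip_address(value))))
        else:
            ids.add((kind, value.lower()))
    return ids


def classify_id(peer_id):
    """Type an identity string as IP address, DN, or FQDN (simplified)."""
    try:
        return ("IP", str(ipaddress.ip_address(peer_id)))
    except ValueError:
        pass
    if "=" in peer_id:
        return ("DN", peer_id)
    return ("DNS", peer_id.lower())


def cert_confirms(peer_id, cert):
    """True only if the typed identity is one the certificate carries."""
    return classify_id(peer_id) in cert_identities(cert)


if __name__ == "__main__":
    # The IDr from the packet dump is an IPv4 address; the cert has no IP SAN.
    for candidate in ("81.171.97.38", "vpn.ipvanish.com", CERT["subject"]):
        print(candidate, "->", cert_confirms(candidate, CERT))
```

An address-typed identity is only confirmed by an IP subjectAltName, which is why the DNS entries in this certificate do not help for the IDr the server sends.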