[strongSwan] IDr problems...
carson at taltos.org
Sun Nov 27 02:24:32 CET 2016
I'm trying to set up IKEv2 to ipvanish.com's VPN service. I can't manage
to get past authenticating their server. Log excerpt (I have a full
decrypted packet trace if more info would be helpful):

generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.69 to 18.104.22.168 (476 bytes)
received packet: from 22.214.171.124 to 192.168.1.69 (1708 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "OU=Domain Control Validated,
no trusted RSA public key found for '126.96.36.199'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

The packet dump shows them sending an IDr of ID_IPV4_ADDR: 188.8.131.52.
Sadly, their cert is missing a SAN for that, as a dump of their cert shows:

Subject: OU=Domain Control Validated, CN=*.vpn.ipvanish.com
X509v3 Subject Alternative Name:

Is there any way to override the IDr they send in my strongswan config?
I've tried everything I can think of in rightid/rightcert/rightsigkey
and always get the "no trusted RSA public key" error. I'm a strongswan
n00b, so apologies if I'm missing something obvious.

The only IKEv2 client they officially support is iOS, so there's really
no chance of getting them to fix their end :-(
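
An added example, not part of the original post and not strongSwan code: it uses OpenSSL to check whether a certificate carries an IP subjectAltName for the address a gateway sends as its IDr, which is the mismatch described above. The certificate, the host name and the address 192.0.2.10 are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-ins only: the real server certificate and address are not
# used. 192.0.2.10 is a documentation-range placeholder for the IDr value.

# make_test_cert DIR
# Create a throwaway self-signed certificate shaped like the one in the post:
# wildcard CN, a DNS subjectAltName, and no IP subjectAltName.
# (-addext needs OpenSSL 1.1.1 or newer.)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/OU=Domain Control Validated/CN=*.vpn.example.test" \
        -addext "subjectAltName=DNS:*.vpn.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_confirms_ip CERT IP
# Succeeds only if CERT lists IP as an iPAddress subjectAltName.
# OpenSSL prints "does match" or "does NOT match"; grep keeps only the former.
cert_confirms_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q 'does match certificate'
}

# cert_confirms_host CERT NAME
# Succeeds only if CERT is valid for the DNS name NAME (wildcards allowed).
cert_confirms_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Demonstration on the constructed certificate.
tmp=$(mktemp -d)
make_test_cert "$tmp"

if cert_confirms_ip "$tmp/cert.pem" 192.0.2.10; then
    echo "IP identity 192.0.2.10: confirmed by the certificate"
else
    echo "IP identity 192.0.2.10: no matching SAN, an IDr of this address cannot be confirmed"
fi

if cert_confirms_host "$tmp/cert.pem" nyc.vpn.example.test; then
    echo "FQDN identity nyc.vpn.example.test: confirmed by the certificate"
else
    echo "FQDN identity nyc.vpn.example.test: not confirmed"
fi

rm -rf "$tmp"
```

OpenSSL's host-name matching is used here only to show what the certificate does and does not vouch for; it is not strongSwan's own identity-matching code.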