[strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth
Noel Kuntze
noel at familie-kuntze.de
Sun Oct 9 19:04:21 CEST 2016
On 09.10.2016 18:57, Pete Ashdown wrote:
> conn win7
> leftcert=vpnHostCert.der
> leftsendcert=always
> leftauth=pubkey
> leftsubnet=0.0.0.0/0
> right=%any
> rightauth=eap-gtc
> rightsourceip=10.10.10.16/2
> rightsendcert=never
> eap_identity=%any
> keyexchange=ikev2
> auto=add
No leftid set, so it defaults to %any (which is the value of "left", if it is not defined).
%any is probably not a valid ID in your certificate (and not a valid IP,
DNS name or X.509 DN), so it defaults to the DN of the certificate.
I don't think Windows supports EAP-GTC.
>
> Oct 9 10:52:47 vpn charon: 11[CFG] loaded certificate "C=US,
> O=XMission, CN=vpn.xmission.com" from 'vpnHostCert.der'
> Oct 9 10:52:47 vpn charon: 11[CFG] id '%any' not confirmed by
> certificate, defaulting to 'C=US, O=XMission, CN=vpn.xmission.com'
leftid defaults to the DN of the certificate, as described above.
> Oct 9 10:52:51 vpn charon: 13[CFG] looking for peer configs matching
> 10.10.10.1[vpn.xmission.com]...177.77.77.62[10.67.1.244]
> Oct 9 10:52:51 vpn charon: 13[CFG] no matching peer config found
Peer asks for the ID "vpn.xmission.com". The conn is implicitly configured
for the ID 'C=US, O=XMission, CN=vpn.xmission.com' though.
Therefore charon cannot find a valid connection. You need to set leftid correctly
and make sure it's authenticated by the certificate in a SAN field.
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
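
A log check for the failure explained in this reply, as an added example (not code from the thread or from strongSwan): it pairs charon's "not confirmed by certificate, defaulting to" message with a later failed peer-config lookup on the same thread and reports when the ID the peer requested is not one any conn ended up with. The function name `diagnose` and the result fields are assumptions; the sample lines are the ones quoted above with their mail line wraps joined.

```python
import re

# Log lines quoted in the thread above, with their mail line wraps joined.
SAMPLE_LOG = """\
Oct 9 10:52:47 vpn charon: 11[CFG] loaded certificate "C=US, O=XMission, CN=vpn.xmission.com" from 'vpnHostCert.der'
Oct 9 10:52:47 vpn charon: 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=US, O=XMission, CN=vpn.xmission.com'
Oct 9 10:52:51 vpn charon: 13[CFG] looking for peer configs matching 10.10.10.1[vpn.xmission.com]...177.77.77.62[10.67.1.244]
Oct 9 10:52:51 vpn charon: 13[CFG] no matching peer config found
"""

DEFAULTED = re.compile(r"id '([^']*)' not confirmed by certificate, defaulting to '([^']*)'")
LOOKUP = re.compile(r"(\d+)\[CFG\] looking for peer configs matching "
                    r"\S+?\[([^\]]*)\]\.\.\.(\S+?)\[([^\]]*)\]")
NO_MATCH = re.compile(r"(\d+)\[CFG\] no matching peer config found")


def diagnose(log_text):
    """Explain failed peer-config lookups caused by a defaulted local ID.

    Heuristic only: charon also matches on addresses, IKE version and more.
    """
    defaulted = {}   # effective local ID -> the configured ID it replaced
    pending = {}     # charon thread number -> lookup still awaiting a result
    findings = []
    for line in log_text.splitlines():
        if m := DEFAULTED.search(line):
            defaulted[m.group(2)] = m.group(1)
        elif m := LOOKUP.search(line):
            pending[m.group(1)] = {"requested_id": m.group(2),
                                   "peer_ip": m.group(3), "peer_id": m.group(4)}
        elif (m := NO_MATCH.search(line)) and m.group(1) in pending:
            lookup = pending.pop(m.group(1))
            # The failure is explained by the ID when some conn fell back to the
            # certificate DN and no conn ended up with the ID the peer asked for.
            if defaulted and lookup["requested_id"] not in defaulted:
                findings.append({**lookup, "defaulted_ids": dict(defaulted)})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"peer {f['peer_ip']} asked for '{f['requested_id']}', "
              f"but the local ID defaulted to: {list(f['defaulted_ids'])}")
```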