[strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth

Noel Kuntze noel at familie-kuntze.de
Sun Oct 9 19:04:21 CEST 2016

On 09.10.2016 18:57, Pete Ashdown wrote:
> conn win7
>      leftcert=vpnHostCert.der
>      leftsendcert=always
>      leftauth=pubkey
>      leftsubnet=
>      right=%any
>      rightauth=eap-gtc
>      rightsourceip=
>      rightsendcert=never
>      eap_identity=%any
>      keyexchange=ikev2
>      auto=add

No leftid set, so it defaults to %any (which is the value of "left", if it is not defined).
%any is probably not a valid ID in your certificate (and not a valid IP,
DNS name or X.509 DN), so it defaults to the DN of the certificate
I don't think Windows supports EAP-GTC.

> Oct  9 10:52:47 vpn charon: 11[CFG]   loaded certificate "C=US,
> O=XMission, CN=vpn.xmission.com" from 'vpnHostCert.der'
> Oct  9 10:52:47 vpn charon: 11[CFG]   id '%any' not confirmed by
> certificate, defaulting to 'C=US, O=XMission, CN=vpn.xmission.com'

leftid defaults to the DN of the certificate, as described above.

> Oct  9 10:52:51 vpn charon: 13[CFG] looking for peer configs matching
> Oct  9 10:52:51 vpn charon: 13[CFG] no matching peer config found

Peer asks for the ID "vpn.xmission.com". The conn is implicitely configured
for the ID 'C=US, O=XMission, CN=vpn.xmission.com' though.
Therefore charon can not find a valid connection. You need to set leftid correctly
and make sure it's authenticated by the certificate in a SAN field.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161009/79a68a52/attachment.sig>

More information about the Users mailing list