[strongSwan] left ID, right ID and no matching peer config

Piyush Agarwal agarwalpiyush at gmail.com
Tue Apr 25 03:22:14 CEST 2017


Ah, had a typo in the configs. Here they are again.

Hi,
I am trying to establish a strongSwan connection between two Ubuntu 14.04 machines.
I can get things to work if I specify both the leftID and the rightID on
both server and client.

What I need though is the following:
1) I will be copying the server self-signed certificate directly to the
client machine and vice-versa. I understand this is not 100% secure, but I
am going to have to go this way.
2) Those self-signed certificates will be generated with "server" on the server
machine and "client" on the client machine as the subjectAltName.
3) For security, I'd like to set rightID on client to be "server" while the
rightID on server would be %any.

However, this throws an AUTH_FAILED error on the server:
looking for peer configs matching 10.10.10.10[server]...105.105.105.105[client]
no matching peer config found


My server ipsec.conf:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=rsasig

conn gcp
    type=transport
    left=10.10.10.10 #(NAT)
    leftid=server
    leftcert=server_cert.pem
    leftsendcert=always
    rightcert=client_cert.pem
    right=105.105.105.105
    rightid=%any
    dpdaction=restart
    dpddelay=60
    dpdtimeout=768
    auto=start


My client ipsec.conf:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=rsasig

conn gcp
    type=transport
    left=20.20.20.20 #(NAT)
    leftid=client
    leftcert=client_cert.pem
    leftsendcert=always
    rightcert=server_cert.pem
    right=106.106.106.106
    rightid=server
    dpdaction=restart
    dpddelay=60
    dpdtimeout=768
    auto=start

What am I missing? Why is the server not able to find peer config when
rightid has been specified as %any? I hope I am not missing something
basic/obvious.

On Mon, Apr 24, 2017 at 6:19 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
wrote:

> Hi,
> I am trying to establish a strongSwan connection between two Ubuntu 14.04 machines.
> I can get things to work if I specify both the leftID and the rightID on
> both server and client.
>
> What I need though is the following:
> 1) I will be copying the server self-signed certificate directly to the
> client machine and vice-versa. I understand this is not 100% secure, but I
> am going to have to go this way.
> 2) Those self-signed certificates will be generated with "server" on the
> server machine and "client" on the client machine as the subjectAltName.
> 3) For security, I'd like to set rightID on client to be "server" while
> the rightID on server would be %any.
>
> However, this throws an AUTH_FAILED error on the server:
> looking for peer configs matching 10.10.10.10[server]...105.105.105.105[client]
> no matching peer config found
>
>
> My server ipsec.conf:
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=rsasig
>
> conn gcp
>     type=transport
>     left=10.10.10.10 #(NAT)
>     leftid=server
>     leftcert=server_cert.pem
>     leftsendcert=always
>     rightcert=client_cert.pem
>     right=105.105.105.105
>     rightid=%any
>     dpdaction=restart
>     dpddelay=60
>     dpdtimeout=768
>     auto=start
>
>
> My client ipsec.conf:
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=rsasig
>
> conn gcp
>     type=transport
>     left=20.20.20.20 #(NAT)
>     leftid=client
>     leftcert=client_cert.pem
>     leftsendcert=always
>     rightcert=server_cert.pem
>     right=106.106.106.106
>     rightid=%any
>     dpdaction=restart
>     dpddelay=60
>     dpdtimeout=768
>     auto=start
>
> What am I missing? Why is the server not able to find peer config when
> rightid has been specified as %any? I hope I am not missing something
> basic/obvious.
>
> Thanks.
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>



-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
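Added example for this thread (not code from the poster or from strongSwan): a small parser for ipsec.conf excerpts like the ones above, plus a deliberately simplified model of the "looking for peer configs matching L[idL]...R[idR]" lookup the server logs. The matching rules (exact or %any/%defaultroute for addresses, exact or %any for IDs, and the requirement that a peer authenticated with a pinned rightcert present an IKE identity contained in that certificate's subjectAltName) are an assumption of this example; real strongSwan also handles identity types, wildcard IDs, trust chains and NAT. The CERT_SANS table stands in for reading the certificate files and is constructed to match the poster's description. Running it on the server configuration from the post confirms that the address/ID tuple itself satisfies these rules, and a deliberately broken rightid or a certificate without the claimed SAN shows how a field-level mismatch is reported.

```python
"""Simplified model of strongSwan's peer-config lookup (added example)."""
import re

# Server ipsec.conf from the post (constructed input; trailing '#(NAT)'
# comments are stripped by the parser).
SERVER_CONF = """\
conn %default
    keyexchange=ikev2
    authby=rsasig

conn gcp
    type=transport
    left=10.10.10.10 #(NAT)
    leftid=server
    leftcert=server_cert.pem
    leftsendcert=always
    rightcert=client_cert.pem
    right=105.105.105.105
    rightid=%any
    auto=start
"""

# Stand-in for reading the pinned certificates: subjectAltName entries per
# file (constructed to match the poster's description, an assumption).
CERT_SANS = {
    "server_cert.pem": {"server"},
    "client_cert.pem": {"client"},
}

LOG_LINE = ("looking for peer configs matching "
            "10.10.10.10[server]...105.105.105.105[client]")
LOOKUP_RE = re.compile(
    r"looking for peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {conn_name: {key: value}}.
    'conn %default' settings are inherited by every other conn; a conn's
    own settings take precedence. Non-conn sections are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # header at column 0
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {n: {**default, **o} for n, o in sections.items()}


def parse_lookup_log(line):
    """Extract (local_addr, local_id, remote_addr, remote_id) from the
    'looking for peer configs matching ...' charon log line."""
    m = LOOKUP_RE.search(line)
    if not m:
        raise ValueError("not a peer-config lookup line")
    return m.groups()


def _addr_matches(configured, actual):
    # Unset, %any and %defaultroute are treated as wildcards (assumption).
    return configured in (None, "%any", "%defaultroute") or configured == actual


def _id_matches(configured, actual):
    return configured in (None, "%any") or configured == actual


def find_peer_configs(conns, local_addr, local_id, remote_addr, remote_id,
                      cert_sans=CERT_SANS):
    """Return (names of matching conns, {conn: [failed checks]})."""
    matches, reasons = [], {}
    for name, o in conns.items():
        failed = []
        if not _addr_matches(o.get("left"), local_addr):
            failed.append(f"left={o.get('left')} != {local_addr}")
        if not _addr_matches(o.get("right"), remote_addr):
            failed.append(f"right={o.get('right')} != {remote_addr}")
        if not _id_matches(o.get("leftid"), local_id):
            failed.append(f"leftid={o.get('leftid')} != {local_id}")
        if not _id_matches(o.get("rightid"), remote_id):
            failed.append(f"rightid={o.get('rightid')} != {remote_id}")
        # A pinned peer certificate only authenticates the peer if the IKE
        # identity it claims is contained in that certificate.
        cert = o.get("rightcert")
        if cert and remote_id not in cert_sans.get(cert, set()):
            failed.append(f"{remote_id} not in subjectAltName of {cert}")
        if failed:
            reasons[name] = failed
        else:
            matches.append(name)
    return matches, reasons


def check(conf_text, log_line, cert_sans=CERT_SANS):
    """Parse a config and a log line, then run the simplified lookup."""
    conns = parse_ipsec_conf(conf_text)
    return find_peer_configs(conns, *parse_lookup_log(log_line),
                             cert_sans=cert_sans)


if __name__ == "__main__":
    matches, reasons = check(SERVER_CONF, LOG_LINE)
    print("matching conns:", matches)
    for name, why in reasons.items():
        print(f"{name}: " + "; ".join(why))
```

Replacing rightid=%any with a wrong value (say rightid=gateway) makes the model report "rightid=gateway != client" for conn gcp, and pointing CERT_SANS at a certificate whose SAN does not contain "client" reports the SAN failure; neither shows up for the configuration as posted.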