[strongSwan] left ID, right ID and no matching peer config
Piyush Agarwal
agarwalpiyush at gmail.com
Tue Apr 25 03:22:14 CEST 2017
Ah, had a typo in the configs. Here they are again.
Hi,
I am trying to establish strongswan between two ubuntu 14.04 machines.
I can get things to work if I specify both the leftID and the rightID on
both server and client.
What I need though is the following:
1) I will be copying the server self-signed certificate directly to the
client machine and vice-versa. I understand this is not 100% secure, but I
am going to have to go this way.
2) Those self-signed certificates will be generated with "server" on server
machine and "client" on client machine as the subject Alt Name.
3) For security, I'd like to set rightID on client to be "server" while the
rightID on server would be %any.
However, this throws an AUTH_FAILED error on the server:

looking for peer configs matching 10.10.10.10[server]...105.105.105.105[client]
no matching peer config found
My server ipsec.conf:

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=rsasig

conn gcp
type=transport
left=10.10.10.10 #(NAT)
leftid=server
leftcert=server_cert.pem
leftsendcert=always
rightcert=client_cert.pem
right=105.105.105.105
rightid=%any
dpdaction=restart
dpddelay=60
dpdtimeout=768
auto=start

My client ipsec.conf:

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=rsasig

conn gcp
type=transport
left=20.20.20.20 #(NAT)
leftid=client
leftcert=client_cert.pem
leftsendcert=always
rightcert=server_cert.pem
right=106.106.106.106
*rightid=server*
dpdaction=restart
dpddelay=60
dpdtimeout=768
auto=start

What am I missing? Why is the server not able to find peer config when
rightid has been specified as %any? I hope I am not missing something
basic/obvious.
On Mon, Apr 24, 2017 at 6:19 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
wrote:
> Hi,
> I am trying to establish strongswan between two ubuntu 14.04 machines.
> I can get things to work if I specify both the leftID and the rightID on
> both server and client.
>
> What I need though is the following:
> 1) I will be copying the server self-signed certificate directly to the
> client machine and vice-versa. I understand this is not 100% secure, but I
> am going to have to go this way.
> 2) Those self-signed certificates will be generated with "server" on
> server machine and "client" on client machine as the subject Alt Name.
> 3) For security, I'd like to set rightID on client to be "server" while
> the rightID on server would be %any.
>
> However, this throws an AUTH_FAILED error on the server:
> looking for peer configs matching 10.10.10.10[server]...105.105.105.105[client]
> no matching peer config found
>
>
> My server ipsec.conf:
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> authby=rsasig
>
> conn gcp
> type=transport
> left=10.10.10.10 #(NAT)
> leftid=server
> leftcert=server_cert.pem
> leftsendcert=always
> rightcert=client_cert.pem
> right=105.105.105.105
> rightid=%any
> dpdaction=restart
> dpddelay=60
> dpdtimeout=768
> auto=start
>
>
> My client ipsec.conf:
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> authby=rsasig
>
> conn gcp
> type=transport
> left=20.20.20.20 #(NAT)
> leftid=client
> leftcert=client_cert.pem
> leftsendcert=always
> rightcert=server_cert.pem
> right=106.106.106.106
> rightid=%any
> dpdaction=restart
> dpddelay=60
> dpdtimeout=768
> auto=start
>
> What am I missing? Why is the server not able to find peer config when
> rightid has been specified as %any? I hope I am not missing something
> basic/obvious.
>
> Thanks.
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
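The question above turns on how charon classifies the leftid/rightid strings and then scores each conn against the IDr/IDi pair it logs as "looking for peer configs matching A[IDr]...B[IDi]". The following is an added example, not part of the post and not strongSwan's own code: a simplified Python model of those rules (a bare string such as "server" is an FQDN, a dotted quad is an IPv4 identity, a string containing "=" is a DN, "%any" matches anything, a leading "*" on an FQDN is a wildcard) plus the cert check that the asserted identity must appear in the peer's certificate. The `PeerCfg`/`Identity` classes, the numeric scores, the regex, and the DN "C=US, O=example, CN=server" are illustrative assumptions; the only real inputs are the server's conn and the log line from the post.

```python
"""Simplified model of how strongSwan turns leftid/rightid strings into
identities and picks a peer config for an incoming IKEv2 request.

Added example, not strongSwan's own code: parsing and scoring follow
the ipsec.conf identity rules in simplified form; the charon log line
from the post is used as constructed sample input.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Sequence, Tuple

ANY, FQDN, RFC822, IPV4, DN = ("ID_ANY", "ID_FQDN", "ID_RFC822_ADDR",
                               "ID_IPV4_ADDR", "ID_DER_ASN1_DN")


@dataclass(frozen=True)
class Identity:
    kind: str
    value: str


def parse_id(text: str) -> Identity:
    """Classify an ipsec.conf identity string (simplified strongSwan rules)."""
    if text in ("", "%any"):
        return Identity(ANY, "")
    if text.startswith("@"):                 # leading '@' forces an FQDN
        return Identity(FQDN, text[1:])
    try:
        IPv4Address(text)
        return Identity(IPV4, text)
    except ValueError:
        pass
    if "=" in text:                          # 'C=CH, O=x, CN=y' style DN
        return Identity(DN, ",".join(p.strip() for p in text.split(",")))
    if "@" in text:
        return Identity(RFC822, text)
    return Identity(FQDN, text)              # bare string such as "server"


def match(configured: Identity, asserted: Identity) -> int:
    """Match quality: 0 = none, 1 = %any on either side, 2 = wildcard, 3 = exact."""
    if configured.kind == ANY or asserted.kind == ANY:
        return 1
    if configured.kind != asserted.kind:     # FQDN "server" never matches a DN or an IP
        return 0
    if configured.kind in (FQDN, RFC822) and configured.value.startswith("*"):
        return 2 if asserted.value.endswith(configured.value[1:]) else 0
    return 3 if configured.value == asserted.value else 0


@dataclass(frozen=True)
class PeerCfg:
    name: str
    leftid: str          # what this host asserts; the peer's IDr must match it
    rightid: str         # what the peer must assert as IDi
    rightcert_ids: Tuple[str, ...] = ()   # subject DN / SANs of the pinned rightcert


def find_peer_cfg(cfgs: Sequence[PeerCfg], idr: str, idi: str) -> Optional[PeerCfg]:
    """Best-scoring conn for 'looking for peer configs matching A[idr]...B[idi]'."""
    me, other = parse_id(idr), parse_id(idi)
    scored = []
    for cfg in cfgs:
        mine, theirs = match(parse_id(cfg.leftid), me), match(parse_id(cfg.rightid), other)
        if mine and theirs:
            scored.append((mine + theirs, cfg))
    if not scored:
        return None                          # charon: "no matching peer config found"
    return max(scored, key=lambda t: t[0])[1]


def id_confirmed_by_cert(identity: str, cert_ids: Sequence[str]) -> bool:
    """Cert auth also requires the asserted ID to appear in the peer cert (subject DN or SAN)."""
    wanted = parse_id(identity)
    return any(parse_id(c) == wanted for c in cert_ids)


LOOKUP_RE = re.compile(
    r"looking for peer configs matching ([^\[\s]+)\[([^\]]*)\]\.\.\.([^\[\s]+)\[([^\]]*)\]")


def parse_lookup_log(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Extract (my_host, idr, peer_host, idi) from charon's lookup log line."""
    m = LOOKUP_RE.search(line)
    return m.groups() if m else None


# Constructed input: the server's conn from the post and the log line it printed.
SERVER_CFGS = [PeerCfg("gcp", leftid="server", rightid="%any", rightcert_ids=("client",))]
LOG_LINE = "looking for peer configs matching 10.10.10.10[server]...105.105.105.105[client]"


def demo() -> str:
    _, idr, _, idi = parse_lookup_log(LOG_LINE)
    cfg = find_peer_cfg(SERVER_CFGS, idr, idi)
    return cfg.name if cfg else "no matching peer config found"


if __name__ == "__main__":
    print(demo())
    # A leftid left at its default (the cert's subject DN) would not match IDr "server":
    dn_cfg = [PeerCfg("gcp", leftid="C=US, O=example, CN=server", rightid="%any")]
    print(find_peer_cfg(dn_cfg, "server", "client"))
```

Two checks this model makes concrete: an IDr of "server" only matches a leftid that parses to the same FQDN, so a leftid that is missing (defaulting to the certificate's subject DN) or written as an IP address scores zero even though rightid=%any accepts any IDi; and pinning rightid to "server" on the client is only as strong as the requirement that "server" actually appears as a SAN in the pinned server_cert.pem.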