[strongSwan] "id ... not confirmed by certificate, defaulting to" ... and "no matching peer config found"

Thomas J. Webb thomas.webb at yahoo.com
Sun Nov 12 09:07:06 CET 2017


I set up an Ubuntu machine using the same instructions that worked for me before but am unable to connect from Mac OS X. I notice that on startup, ipsec gives me this error (replacing actual domain with "example.com"):
reusing virtual IP address pool 2002:25f7:7489:3::/112
Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG]   loaded certificate "C=NL, O=Example Company, CN=vpn.example.com" from 'vpnHostCert.der'
Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG]   id 'vpn.example.com' not confirmed by certificate, defaulting to 'C=NL, O=Example Company, CN=vpn.example.com'
Based on what I read earlier on this list and elsewhere, it could be something wrong with how I made the cert. Here's the command I used to generate vpnHostCert.der (also replacing real ip with 1.2.3.4):
ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=NL, O=Example Company, CN=vpn.example.com" --san vpn.example.com --san 1.2.3.4  --san @1.2.3.4  --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der
And verifying that it has the san:
ipsec pki --print --in certs/vpnHostCert.der
cert:      X509
subject:  "C=NL, O=Example Company, CN=vpn.example.com"
issuer:   "C=NL, O=Example Company, CN=strongSwan Root CA"
validity:  not before Nov 12 16:58:45 2017, ok
           not after  Nov 12 16:58:45 2019, ok (expires in 729 days)
...
altNames:  vpn.example.com, 1.2.3.4, 1.2.3.4
flags:     serverAuth iKEIntermediate ...
openssl also shows what I think is the right data?
openssl x509 -inform DER -in certs/vpnHostCert.der -noout -text
...
Subject: C=NL, O=Example Company, CN=vpn.example.com
...
X509v3 Subject Alternative Name:
    DNS:vpn.example.com, IP Address:1.2.3.4, DNS:1.2.3.4

If I change leftid in /etc/ipsec.conf to have the whole "C=NL, O=Example Company, CN=vpn.example.com" instead of just vpn.example.com, I don't get the "not confirmed by certificate" message, but am still unable to connect. And I don't get how it's unable to match the domain with the CN in the message.

When I try to connect it's not clear to me what the error is, but I'm guessing it's "no matching peer config found":
Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] ike config match: 0 (1.2.3.4 5.6.7.8 IKEv2)
Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] no matching peer config found
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_ADDRESS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DHCP attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DNS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_NETMASK attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_ADDRESS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DHCP attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DNS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing (25) attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] peer supports MOBIKE
Nov 12 16:52:49 ik1-327-23579 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 12 16:52:49 ik1-327-23579 charon: 01[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (76 bytes)
Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] checkin and destroy IKE_SA (unnamed)[2]
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] check-in and destroy of IKE_SA successful
Nov 12 16:52:49 ik1-327-23579 charon: 09[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500]
Nov 12 16:52:49 ik1-327-23579 charon: 06[NET] waiting for data on sockets
Nov 12 16:53:18 ik1-327-23579 charon: 14[MGR] checkout IKE_SA
Does anyone have an idea what I'm doing wrong or any hint where to look?
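Added example, not from the original post or from the strongSwan project: a small POSIX shell helper that lists which identities a host certificate can confirm (its subject DN and its DNS/IP subjectAltNames) and checks a candidate leftid against that list, which is roughly the comparison behind the "not confirmed by certificate" warning. It assumes the openssl CLI is installed; the certificate it builds is a constructed self-signed stand-in with the poster's subject and SANs, and only exact matches are checked.

```shell
#!/bin/sh
# Added example (not from the original post or the strongSwan project):
# list the identities a host certificate can confirm, i.e. its subject DN and
# its DNS/IP subjectAltNames, and check a candidate leftid against them.
# Assumes the openssl CLI is available. The certificate built here is a
# constructed self-signed stand-in with the same subject and SANs as the
# poster's vpnHostCert.der, not the real certificate.

# Build the constructed test certificate as PEM at the path given in $1.
make_test_cert() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C = NL
O = Example Company
CN = vpn.example.com
[ext]
subjectAltName = DNS:vpn.example.com,IP:1.2.3.4,DNS:1.2.3.4
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$cfg" \
    -keyout /dev/null -out "$1" >/dev/null 2>&1
  rm -f "$cfg"
}

# Print every identity the certificate in $1 confirms, one per line:
# the subject DN in "C=..,O=..,CN=.." form, then each DNS and IP SAN.
cert_identities() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus,utf8 |
    sed 's/^subject= *//'
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -e 's/^ *//' -e 's/^DNS://' -e 's/^IP Address://'
}

# Exit 0 if the identity in $2 (an FQDN, an IP, or a full DN as written in
# leftid) is confirmed by the certificate in $1, else exit 1. Only exact
# matches are considered, which is the case this thread is about.
id_confirmed() {
  want=$(printf '%s' "$2" | sed 's/, */,/g')   # "C=NL, O=.." -> "C=NL,O=.."
  cert_identities "$1" | grep -qFx -- "$want"
}
```

Run `id_confirmed /path/to/cert.pem "$leftid"` against the certificate charon actually loads; if it exits 1, that leftid will produce the warning.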