[strongSwan] "id ... not confirmed by certificate, defaulting to" ... and "no matching peer config found"

Thomas Egerer hakke_007 at gmx.de
Sun Nov 12 11:19:37 CET 2017



Hello Thomas,

On 11/12/2017 09:07 AM, Thomas J. Webb wrote:
> I set up an Ubuntu machine using the same instructions that worked for me before but am unable to connect from Mac OS X. I notice that on startup, ipsec gives me this error (replacing actual domain with "example.com"):
> 
> reusing virtual IP address pool 2002:25f7:7489:3::/112
> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG]   loaded certificate "C=NL, O=Example Company, CN=vpn.example.com" from 'vpnHostCert.der'
> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG]   id 'vpn.example.com' not confirmed by certificate, defaulting to 'C=NL, O=Example Company, CN=vpn.example.com'
This indicates that the ID you configured in your ipsec.conf
does not match the one from the cert. You can see it both ways:
distinguished name misconfigured, or ipsec.conf's leftid wrong.
However, it's much easier to reconfigure the leftid in your
ipsec.conf. See the section about leftid/rightid in [1] for
how to configure your local/remote IDs.
The error below most likely has the same origin: charon is
looking for a peer configuration using the rightid you
(mis)configured, while your peer's certificate carries another
name. Again, try to reconfigure your IDs using [1].
> 
> Based on what I read earlier on this list and elsewhere, it could be something wrong with how I made the cert. Here's the command I used to generate vpnHostCert.der (also replacing real ip with 1.2.3.4):
> 
> ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=NL, O=Example Company, CN=vpn.example.com" --san vpn.example.com --san 1.2.3.4  --san @1.2.3.4  --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der
> 
> And verifying that it has the san:
> 
> ipsec pki --print --in certs/vpnHostCert.der
> cert:      X509
> subject:  "C=NL, O=Example Company, CN=vpn.example.com"
> issuer:   "C=NL, O=Example Company, CN=strongSwan Root CA"
> validity:  not before Nov 12 16:58:45 2017, ok
>            not after  Nov 12 16:58:45 2019, ok (expires in 729 days)
> ...
> altNames:  vpn.example.com, 1.2.3.4, 1.2.3.4
> flags:     serverAuth iKEIntermediate
> ...
> 
> openssl also shows what I think is the right data?
> 
> openssl x509 -inform DER -in certs/vpnHostCert.der -noout -text
> ...
> Subject: C=NL, O=Example Company, CN=vpn.example.com
> ...
> X509v3 Subject Alternative Name:
> DNS:vpn.example.com, IP Address:1.2.3.4, DNS:1.2.3.4
> 
> If I change leftid in /etc/ipsec.conf to have the whole "C=NL, O=Example Company, CN=vpn.example.com" instead of just vpn.example.com, I don't get the "not confirmed by certificate" message, but am still unable to connect. And I don't get how it's unable to match the domain with the CN in the message.
> 
> When I try to connect it's not clear to me what the error is, but I'm guessing it's "no matching peer config found":
> 
> Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] ike config match: 0 (1.2.3.4 5.6.7.8 IKEv2)
> Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] no matching peer config found
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_ADDRESS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DHCP attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DNS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_NETMASK attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_ADDRESS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DHCP attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DNS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing (25) attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] peer supports MOBIKE
> Nov 12 16:52:49 ik1-327-23579 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 12 16:52:49 ik1-327-23579 charon: 01[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (76 bytes)
> Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] checkin and destroy IKE_SA (unnamed)[2]
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
> Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] check-in and destroy of IKE_SA successful
> Nov 12 16:52:49 ik1-327-23579 charon: 09[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500]
> Nov 12 16:52:49 ik1-327-23579 charon: 06[NET] waiting for data on sockets
> Nov 12 16:53:18 ik1-327-23579 charon: 14[MGR] checkout IKE_SA
> 
> Does anyone have an idea what I'm doing wrong or any hint where to look?

Cheers,
Thomas


[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
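The reply above says the "not confirmed by certificate" message means the configured leftid is not one of the identities the certificate actually carries. The following is an added, illustrative check, not code from strongSwan or from either poster: it approximates charon's rule that a configured ID is confirmed when it equals the certificate's subject DN or one of its subjectAltNames, classifying the ID string by the ipsec.conf conventions (@fqdn forces an FQDN, @@user@host an e-mail ID, a string containing '=' a DN, an IP literal an address, anything else a hostname). It goes slightly beyond the thread by handling e-mail IDs too. Wildcard DNs and key IDs (@#...) are not modelled, DN values are compared verbatim, and the subject/SAN data and conn fragments are constructed from the certificate printed in the thread rather than read from a file; for a real certificate, take them from `ipsec pki --print` or `openssl x509 -text`.

```python
"""Added, illustrative check (not strongSwan's own code and not from the
thread): does a configured leftid/rightid equal the subject DN or one of
the subjectAltNames of a certificate, the way charon requires before it
accepts the ID instead of "defaulting to" the subject DN?"""

import ipaddress
import re


def parse_dn(dn):
    """Split "C=NL, O=Example Company, CN=vpn.example.com" into ordered
    (TYPE, value) pairs.  Assumes no escaped commas inside values."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def classify_id(id_str):
    """Return (kind, value) for an ipsec.conf-style identity string,
    following the documented leftid/rightid prefix conventions."""
    s = id_str.strip().strip('"')
    if s == "%any":
        return ("ANY", None)
    if s.startswith("@@"):
        return ("RFC822", s[2:].lower())     # user FQDN / e-mail identity
    if s.startswith("@#"):
        return ("KEYID", s[2:])              # not derivable from printed cert fields
    if s.startswith("@"):
        return ("FQDN", s[1:].lower())       # forced FQDN, even if it looks like an IP
    if "=" in s:
        return ("DN", parse_dn(s))
    try:
        return ("IP", ipaddress.ip_address(s))
    except ValueError:
        pass
    if "@" in s:
        return ("RFC822", s.lower())
    return ("FQDN", s.lower())


def id_confirmed(id_str, subject_dn, alt_names):
    """True if id_str equals the certificate's subject DN or one of its SANs.
    alt_names is a list of (type, value) pairs using openssl's type names:
    "DNS", "IP Address", "email"."""
    kind, value = classify_id(id_str)
    if kind == "ANY":
        return True                          # rightid=%any accepts any peer ID
    if kind == "DN":
        return value == parse_dn(subject_dn)  # whole DN, no partial/wildcard match
    if kind == "KEYID":
        return False                         # would need the public key, not modelled
    for san_type, san_value in alt_names:
        if kind == "FQDN" and san_type == "DNS" and san_value.lower() == value:
            return True
        if kind == "RFC822" and san_type == "email" and san_value.lower() == value:
            return True
        if kind == "IP" and san_type == "IP Address" and ipaddress.ip_address(san_value) == value:
            return True
    return False


def check_conn(conf_text, subject_dn, alt_names):
    """Map each leftid/rightid in a conn section to whether the certificate
    confirms it."""
    result = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(leftid|rightid)\s*=\s*(.+?)\s*$", line)
        if m:
            result[m.group(1)] = id_confirmed(m.group(2), subject_dn, alt_names)
    return result


# Constructed from the certificate printed in the thread, with openssl's SAN types.
SUBJECT = "C=NL, O=Example Company, CN=vpn.example.com"
SANS = [("DNS", "vpn.example.com"), ("IP Address", "1.2.3.4"), ("DNS", "1.2.3.4")]

# Constructed conn fragments (hypothetical, not the poster's ipsec.conf):
# one whose leftid the certificate confirms, one with a partial DN it does not.
CONF_OK = """conn ikev2-roadwarrior
    leftcert=vpnHostCert.der
    leftid=vpn.example.com
    rightid=%any
"""
CONF_BAD = """conn ikev2-roadwarrior
    leftcert=vpnHostCert.der
    leftid=CN=vpn.example.com
    rightid=%any
"""

if __name__ == "__main__":
    for name, conf in (("ok", CONF_OK), ("bad", CONF_BAD)):
        print(name, check_conn(conf, SUBJECT, SANS))
```

Run as is, it reports the first fragment as fully confirmed and the second's leftid as unconfirmed. Note that `leftid=@1.2.3.4` is only confirmed because the certificate was issued with `--san @1.2.3.4`, which adds the address as a DNS-type name; `leftid=1.2.3.4` instead matches the IP-type SAN.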

