[strongSwan] "id ... not confirmed by certificate, defaulting to" ... and "no matching peer config found"

Thomas J. Webb thomas at thomaswebb.net
Sun Nov 12 17:50:53 CET 2017

> This indicates that the ID you configured in your ipsec.conf
> does not match the one from the cert. You can see it both ways:
> distinguished name misconfigured, or ipsec.conf's leftid wrong.
> However, it's much easier to reconfigure the leftid in your
> ipsec.conf. See the section about leftid/rightid in [1] for
> how to configure your local/remote IDs.
> The error below has most likely the same origin: charon is
> looking for a peer configuration using the rightid you
> (mis)configured while your peer's certificate is in another
> name. Again, try to reconfigure your IDs using [1].

I don't understand. From what I showed, where is the discrepancy? The cert
shows the same domain. I don't get the "not confirmed by certificate"
message if I use "C=NL, O=Example Company, CN=vpn.example.com" for leftid
in ipsec.conf but I do if I use "vpn.example.com". Isn't it supposed to
work either way?
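
Added example, not part of the original message and not strongSwan code: a simplified Python model of the rule strongSwan documents for leftid/rightid, that an ID counts as confirmed only if it equals the certificate's full subject DN or one of its subjectAltName entries. The function names, the type-guessing heuristics and the two sample certificates are assumptions constructed for illustration.

```python
import ipaddress

def id_type(ident):
    """Guess the identity type from its string form (simplified heuristic)."""
    if "=" in ident:
        return "DN"
    if "@" in ident:
        return "FQDN" if ident.startswith("@") else "RFC822"
    try:
        ipaddress.ip_address(ident)
        return "IP"
    except ValueError:
        return "FQDN"

def parse_dn(dn):
    """Split 'C=NL, O=Example, CN=host' into normalized (type, value) pairs."""
    rdns = []
    for part in dn.split(","):
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.strip().lower()))
    return rdns

def confirmed_by_cert(ident, subject_dn, sans):
    """True if ident equals the whole subject DN or one subjectAltName entry.

    sans is a list of (type, value) tuples, e.g. ("FQDN", "vpn.example.com").
    The CN inside the subject is deliberately NOT compared on its own.
    """
    kind = id_type(ident)
    if kind == "DN":
        return parse_dn(ident) == parse_dn(subject_dn)
    value = (ident[1:] if ident.startswith("@") else ident).lower()
    return any(t == kind and v.lower() == value for t, v in sans)

# Constructed sample certificates (not taken from the post).
SUBJECT = "C=NL, O=Example Company, CN=vpn.example.com"
CERT_NO_SAN = (SUBJECT, [])
CERT_WITH_SAN = (SUBJECT, [("FQDN", "vpn.example.com")])

def report():
    rows = []
    for label, (subject, sans) in (("no SAN", CERT_NO_SAN), ("DNS SAN", CERT_WITH_SAN)):
        for leftid in (SUBJECT, "vpn.example.com"):
            rows.append((label, leftid, confirmed_by_cert(leftid, subject, sans)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

To see which subjectAltName entries a real certificate carries, inspect it with `openssl x509 -in <cert> -noout -text`.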