[strongSwan] "id ... not confirmed by certificate, defaulting to" ... and "no matching peer config found"

Thomas Webb MagusOfTheDark at yahoo.com
Sun Nov 12 17:35:28 CET 2017

> Hello Thomas,
> On 11/12/2017 09:07 AM, Thomas J. Webb wrote:
>> I setup an Ubuntu machine using the same instructions that worked for me before but am unable to connect from Mac OS X. I notice that on startup, ipsec gives me this error (replacing actual domain with "example.com"):
>> reusing virtual IP address pool 2002:25f7:7489:3::/112
>> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG]   loaded certificate "C=NL, O=Example Company, CN=vpn.example.com" from 'vpnHostCert.der'
>> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG]   id 'vpn.example.com' not confirmed by certificate, defaulting to 'C=NL, O=Example Company, CN=vpn.example.com'
> This indicates that the ID you configured in your ipsec.conf
> does not match the one from the cert. You can see it both ways:
> distinguished name misconfigured, or ipsec.conf's leftid wrong.
> However, it's much easier to reconfigure the leftid in your
> ipsec.conf. See the section about leftid/rightid in [1] for
> how to configure your local/remote IDs.
> The error below has most likely the same origin: charon is
> looking for a peer configuration using the rightid you
> (mis)configured while your peer's certificate is in another
> name. Again, try to reconfigure your IDs using [1].

I don't understand. From what I showed, where is the discrepancy? The cert shows the same domain. I don't get the "not confirmed by certificate" message if I use "C=NL, O=Example Company, CN=vpn.example.com" for leftid in ipsec.conf but I do if I use "vpn.example.com". Isn't it supposed to work either way?

More information about the Users mailing list