[strongSwan] Strange issue. Can't connect.

Christian Salway christian.salway at naimuri.com
Tue Jun 12 15:28:38 CEST 2018


Ok, I changed my command line to now read

sudo charon-cmd --host x.x.x.x --identity remote.user --p12 remote.user.p12

But I am still getting failed login.  This works in OSX’s built-in VPN client so I know the certificate is good.

SERVER

Jun 12 13:24:00 07[IKE] x.x.x.x is initiating an IKE_SA
Jun 12 13:24:00 07[IKE] IKE_SA (unnamed)[6] state change: CREATED => CONNECTING
Jun 12 13:24:00 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jun 12 13:24:00 07[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 13:24:00 07[IKE] local host is behind NAT, sending keep alives
Jun 12 13:24:00 07[IKE] remote host is behind NAT
Jun 12 13:24:00 07[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 13:24:00 07[IKE] sending cert request for "CN=Vivace Root CA"
Jun 12 13:24:01 11[IKE] received cert request for "CN=Vivace Root CA"
Jun 12 13:24:01 11[IKE] received end entity cert "C=GB, CN=remote.user"
Jun 12 13:24:01 11[CFG] looking for peer configs matching 10.0.0.49[%any]…x.x.x.x[remote.user]
Jun 12 13:24:01 11[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 13:24:01 11[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 13:24:01 11[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 13:24:01 11[CFG]   candidate "ecdsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 13:24:01 11[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 13:24:01 11[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 13:24:01 11[CFG]   candidate "rsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa'
Jun 12 13:24:01 11[CFG]   certificate "C=GB, CN=remote.user" key: 384 bit ECDSA
Jun 12 13:24:01 11[CFG]   using trusted ca certificate "CN=Vivace Root CA"
Jun 12 13:24:01 11[CFG] checking certificate status of "C=GB, CN=remote.user"
Jun 12 13:24:01 11[CFG] ocsp check skipped, no ocsp found
Jun 12 13:24:01 11[CFG] certificate status is not available
Jun 12 13:24:01 11[CFG]   certificate "CN=Vivace Root CA" key: 4096 bit RSA
Jun 12 13:24:01 11[CFG]   reached self-signed root ca with a path length of 0
Jun 12 13:24:01 11[CFG]   using trusted certificate "C=GB, CN=remote.user"
Jun 12 13:24:01 11[IKE] authentication of ‘remote.user' with ECDSA_WITH_SHA384_DER successful
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required 
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] switching to peer config 'rsa'
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required 
Jun 12 13:24:01 11[CFG] selected peer config 'rsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] no alternative config found

> On 12 Jun 2018, at 14:07, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Christian,
> 
>> From what I can see, I’m requesting --remote-identity vpnserver but the server is choosing vpnserver1.
> 
> charon-cmd does not send the configured identity (i.e. it does not send
> an IDr payload).  The configured identity is only used to match against
> the returned identity/certificate.  This is basically as if you
> configured rightid=%vpnserver in ipsec.conf.  So the server is free to
> select whichever config it wants (it will just use the first one
> loaded), so if you have multiple matching configs (based on the IPs and
> IKE version) with different identities this could be problematic.
> 
> Regards,
> Tobias
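As an added example (not code from the post, the poster, or the strongSwan project), a small triage script for charon logs like the one above: it decodes the hex-encoded ID_FQDN from the "peer config match remote" line and pairs each peer config the server tried with the constraint it failed, so a "non-matching authentication done" outcome can be read at a glance. The embedded log lines are constructed, modelled on the post, with a made-up identity.

```python
import re
# Constructed sample modelled on the charon output quoted in the post (not the poster's log).
SAMPLE_LOG = """\
Jun 12 13:24:01 11[CFG] peer config match remote: 1 (ID_FQDN -> 76:70:6e:2e:65:78:61:6d:70:6c:65)
Jun 12 13:24:01 11[CFG]   candidate "ecdsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG]   candidate "rsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa'
Jun 12 13:24:01 11[IKE] authentication of 'vpn.example' with ECDSA_WITH_SHA384_DER successful
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] switching to peer config 'rsa'
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'rsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] no alternative config found
"""
# charon prints the matched identity as colon-separated hex; other patterns follow the post's wording.
HEX_ID = re.compile(r"\((ID_\w+) -> ((?:[0-9a-f]{2}:?)+)\)")
CANDIDATE = re.compile(r'candidate "([^"]+)"')
TRIED = re.compile(r"(?:selected|switching to) peer config '([^']+)'\s*$")
AUTH_OK = re.compile(r"authentication of '([^']+)' with (\S+) successful")
FAILED = re.compile(r"constraint check failed: (.+?)\s*$")
def decode_id(hex_id: str) -> str:
    """Turn '76:70:6e:...' back into the printable identity (an ID_FQDN here)."""
    return bytes.fromhex(hex_id.replace(":", "")).decode("utf-8", "replace")

def triage(log: str) -> dict:
    """Collect what the server matched, tried and rejected for one IKE_SA."""
    r = {"remote_id": None, "candidates": [], "tried": [], "auth": None,
         "failures": [], "exhausted": False}
    for line in log.splitlines():
        if m := HEX_ID.search(line):
            r["remote_id"] = (m.group(1), decode_id(m.group(2)))
        elif m := CANDIDATE.search(line):
            r["candidates"].append(m.group(1))
        elif m := TRIED.search(line):
            r["tried"].append(m.group(1))
        elif m := AUTH_OK.search(line):
            r["auth"] = (m.group(1), m.group(2))  # (identity, auth method the peer completed)
        elif m := FAILED.search(line):
            r["failures"].append(m.group(1))  # what the tried config demanded instead
        elif "no alternative config found" in line:
            r["exhausted"] = True
    return r

def summary(r: dict) -> str:
    """One-line verdict pairing each tried config with the constraint it failed."""
    tried = "; ".join(f"{c} rejected: {f}" for c, f in zip(r["tried"], r["failures"]))
    done = f"{r['auth'][1]} as {r['auth'][0]}" if r["auth"] else "no auth completed"
    return f"peer completed {done} | {tried} | exhausted={r['exhausted']}"
```

Run `summary(triage(open("charon.log").read()))` on a real capture to see which configs were candidates, which were actually tried, and the exact constraint that rejected each one.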
