[strongSwan] no matching peer config found
Christian Salway
ccsalway at yahoo.co.uk
Tue May 1 23:22:32 CEST 2018
Version: strongSwan 5.6.2 using swanctl
I am trying to re-use settings so that just the certificate is different (vpnserver uses ECDSA, vpnserver1 uses RSA), which according to the help page [1] should be possible:
"connections.<conn>.local<suffix> section: Section for a local authentication round. A local authentication round defines the rules how authentication is performed for the local peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple Authentication or IKEv1 XAuth. Each round is defined in a section having local as prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted."
However, when I connect from OS X (using Local ID = vpnserver1), strongSwan doesn't match a local peer config.
```
May 1 21:17:10 09[CFG] looking for peer configs matching 10.0.5.202[vpnserver1]...86.2.58.36[192.168.0.31]
May 1 21:17:10 09[CFG] peer config match local: 0 (ID_FQDN -> 76:70:6e:73:65:72:76:65:72:31)
May 1 21:17:10 09[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> c0:a8:00:1f)
May 1 21:17:10 09[CFG] ike config match: 28 (10.0.5.202 86.2.58.36 IKEv2)
May 1 21:17:10 09[CFG] no matching peer config found
```
I have tried prefixing fqdn:vpnserver1 and @vpnserver1; I have even tried IP addresses, both the private IP and the public IP (adding them to the certificates as both DNS:x.x.x.x and IP:x.x.x.x; not shown in the certs below as I removed them after trying).
When I connect from Windows which uses ID_ANY, it picks the first one in the list "local" (as expected).
```
connections {
    default {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        local1 {
            id = vpnserver1
            certs = vpnserver1.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
            #revocation = strict # OCSP must be running
        }
        children {
            net {
                local_ts = 10.0.0.0/20
                inactivity = 1h
            }
        }
    }
}
```
```
List of X.509 End Entity Certificates

  subject:  "CN=vpnserver1"
  issuer:   "CN=Root CA"
  validity:  not before May 01 17:18:52 2018, ok
             not after  May 31 17:18:52 2019, ok (expires in 394 days)
  serial:    c2:79:0c:c6:8b:27:50:6a
  altNames:  vpnserver1
  flags:     serverAuth ikeIntermediate
  OCSP URIs: http://127.0.0.1:2560
  authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
  subjkeyId: 98:e8:e0:53:18:0a:d4:1c:38:40:23:ed:1b:3f:a3:13:53:e9:1d:09
  pubkey:    RSA 2048 bits, has private key
  keyid:     ff:b9:af:34:56:ec:7b:33:e5:3f:67:35:43:1d:98:61:ca:73:bf:b1
  subjkey:   98:e8:e0:53:18:0a:d4:1c:38:40:23:ed:1b:3f:a3:13:53:e9:1d:09

  subject:  "CN=vpnserver"
  issuer:   "CN=Root CA"
  validity:  not before May 01 14:33:35 2018, ok
             not after  May 31 14:33:35 2019, ok (expires in 394 days)
  serial:    c2:79:0c:c6:8b:27:50:69
  altNames:  vpnserver
  flags:     serverAuth ikeIntermediate
  OCSP URIs: http://127.0.0.1:2560
  authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
  subjkeyId: 52:8e:b0:37:4f:ef:c5:79:43:8f:e1:29:6d:0b:cf:6a:65:58:b3:35
  pubkey:    ECDSA 384 bits, has private key
  keyid:     ef:5a:f5:de:7d:ab:a2:40:e5:53:27:0b:e8:2c:54:3f:28:e7:0c:c4
  subjkey:   52:8e:b0:37:4f:ef:c5:79:43:8f:e1:29:6d:0b:cf:6a:65:58:b3:35
```
```
May 1 21:09:56 11[CFG] vici client 1 requests: load-conn
May 1 21:09:56 11[CFG] conn default:
May 1 21:09:56 11[CFG]   child net:
May 1 21:09:56 11[CFG]     rekey_time = 3600
May 1 21:09:56 11[CFG]     life_time = 3960
May 1 21:09:56 11[CFG]     rand_time = 360
May 1 21:09:56 11[CFG]     rekey_bytes = 0
May 1 21:09:56 11[CFG]     life_bytes = 0
May 1 21:09:56 11[CFG]     rand_bytes = 0
May 1 21:09:56 11[CFG]     rekey_packets = 0
May 1 21:09:56 11[CFG]     life_packets = 0
May 1 21:09:56 11[CFG]     rand_packets = 0
May 1 21:09:56 11[CFG]     updown = (null)
May 1 21:09:56 11[CFG]     hostaccess = 0
May 1 21:09:56 11[CFG]     ipcomp = 0
May 1 21:09:56 11[CFG]     mode = TUNNEL
May 1 21:09:56 11[CFG]     policies = 1
May 1 21:09:56 11[CFG]     policies_fwd_out = 0
May 1 21:09:56 11[CFG]     dpd_action = clear
May 1 21:09:56 11[CFG]     start_action = clear
May 1 21:09:56 11[CFG]     close_action = clear
May 1 21:09:56 11[CFG]     reqid = 0
May 1 21:09:56 11[CFG]     tfc = 0
May 1 21:09:56 11[CFG]     priority = 0
May 1 21:09:56 11[CFG]     interface = (null)
May 1 21:09:56 11[CFG]     mark_in = 0/0
May 1 21:09:56 11[CFG]     mark_in_sa = 0
May 1 21:09:56 11[CFG]     mark_out = 0/0
May 1 21:09:56 11[CFG]     inactivity = 3600
May 1 21:09:56 11[CFG]     proposals = ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
May 1 21:09:56 11[CFG]     local_ts = 10.0.0.0/20
May 1 21:09:56 11[CFG]     remote_ts = dynamic
May 1 21:09:56 11[CFG]     hw_offload = 0
May 1 21:09:56 11[CFG]     sha256_96 = 0
May 1 21:09:56 11[CFG]   version = 2
May 1 21:09:56 11[CFG]   local_addrs = %any
May 1 21:09:56 11[CFG]   remote_addrs = %any
May 1 21:09:56 11[CFG]   local_port = 500
May 1 21:09:56 11[CFG]   remote_port = 500
May 1 21:09:56 11[CFG]   send_certreq = 1
May 1 21:09:56 11[CFG]   send_cert = CERT_ALWAYS_SEND
May 1 21:09:56 11[CFG]   mobike = 1
May 1 21:09:56 11[CFG]   aggressive = 0
May 1 21:09:56 11[CFG]   dscp = 0x00
May 1 21:09:56 11[CFG]   encap = 1
May 1 21:09:56 11[CFG]   dpd_delay = 0
May 1 21:09:56 11[CFG]   dpd_timeout = 0
May 1 21:09:56 11[CFG]   fragmentation = 2
May 1 21:09:56 11[CFG]   unique = UNIQUE_REPLACE
May 1 21:09:56 11[CFG]   keyingtries = 1
May 1 21:09:56 11[CFG]   reauth_time = 0
May 1 21:09:56 11[CFG]   rekey_time = 14400
May 1 21:09:56 11[CFG]   over_time = 1440
May 1 21:09:56 11[CFG]   rand_time = 1440
May 1 21:09:56 11[CFG]   proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
May 1 21:09:56 11[CFG]   local:
May 1 21:09:56 11[CFG]     id = vpnserver
May 1 21:09:56 11[CFG]   local:
May 1 21:09:56 11[CFG]     id = vpnserver1
May 1 21:09:56 11[CFG]   remote:
May 1 21:09:56 11[CFG]     eap_id = %any
May 1 21:09:56 11[CFG]     eap-type = EAP_MSCHAPV2
May 1 21:09:56 11[CFG]     class = EAP
May 1 21:09:56 11[CFG] added vici connection: default
```
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
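Added example, not from the post or from the strongSwan project: the quoted documentation makes each local<suffix> section an additional authentication round (RFC 4739 multiple authentication), not an alternative server identity, and the "peer config match local: 0" line above shows the IDr the client sent being matched against the connection's local id. One way to offer a choice of server certificate from otherwise identical settings is therefore two connections that differ only in their single local section; the connection names are my own, and the shared settings are simply repeated using the syntax the post already uses.

```conf
connections {
    # Shared settings are repeated in each connection here, so the only
    # thing that selects a connection is the local id the client asks for.
    vpnserver-ecdsa {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        # Single local round: the ECDSA certificate and its identity.
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/20
                inactivity = 1h
            }
        }
    }
    vpnserver-rsa {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        # Single local round: the RSA certificate, matched by IDr = vpnserver1.
        local {
            id = vpnserver1
            certs = vpnserver1.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/20
                inactivity = 1h
            }
        }
    }
}
```

After `swanctl --load-all`, the load-conn log should show one `local:` block per connection rather than two under one connection, which is the quickest check that no second authentication round was defined by accident.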