Re: [strongSwan] ipsec connection fails: no matching peer config found

2019-10-18 Thread Michael Schwartzkopff
On 18.10.19 10:53, Tobias Brunner wrote:
> Hi Michael,
>
>> found the reason. I had rightid="muc.XXX.de" in my client config. The
>> logs do not show that the gateway ID is quoted. After removing the
>> quotes the connection came up.
> The quotes do not matter, unless they are some kind of typographic
> quotes like “ = U+201C or ” = U+201D (i.e. not " = U+0022).  However,
> you'd see that in the log (as ???).  So it's more likely you had a typo
> in the XXX part of that identity.
>
Now it works with the quotes. Strange.

I checked the logs, but no visible difference in the XXX between these
two entries:

Oct 17 18:37:04 muc charon: 15[CFG] <108> looking for peer configs
matching 192.168.178.8[muc.XXX.de]...46.81.179.210[m...@xxx.de]

Oct 17 18:37:04 muc charon: 15[CFG] <108> no matching peer config found


and

Oct 18 10:06:01 muc charon: 09[CFG] <124> looking for peer configs
matching 192.168.178.8[muc.XXX.de]...217.111.91.203[m...@xxx.de]

Oct 18 10:06:01 muc charon: 09[CFG]  selected peer
config 'con-mobile'


Kind regards,

-- 

[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein



Re: [strongSwan] ipsec connection fails: no matching peer config found

2019-10-18 Thread Tobias Brunner
Hi Michael,

> found the reason. I had rightid="muc.XXX.de" in my client config. The
> logs do not show that the gateway ID is quoted. After removing the
> quotes the connection came up.

The quotes do not matter, unless they are some kind of typographic
quotes like “ = U+201C or ” = U+201D (i.e. not " = U+0022).  However,
you'd see that in the log (as ???).  So it's more likely you had a typo
in the XXX part of that identity.

Regards,
Tobias
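
A check for the case described in the reply above, added here as an example that is not part of the original thread: it scans ipsec.conf-style text for leftid/rightid values containing typographic quotes or other characters outside printable ASCII, which can look identical to a correct identity in a log. The sample config and the domain muc.example.de are constructed for illustration.

```python
import re
import unicodedata

# leftid/rightid lines of an ipsec.conf-style file. re.ASCII keeps \s from
# swallowing Unicode spaces such as U+00A0, so they stay part of the value.
ID_LINE = re.compile(r"^\s*(leftid|rightid)\s*=\s*(.*?)\s*$", re.ASCII)


def suspicious_chars(value):
    """Return (index, codepoint, name) for each character outside printable ASCII."""
    found = []
    for i, ch in enumerate(value):
        if ord(ch) < 0x20 or ord(ch) > 0x7E:
            name = unicodedata.name(ch, "UNNAMED")
            found.append((i, "U+%04X" % ord(ch), name))
    return found


def check_config(text):
    """Return one finding per identity line whose value has suspicious characters."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        m = ID_LINE.match(line)
        if m is None:
            continue
        key, value = m.groups()
        chars = suspicious_chars(value)
        if chars:
            findings.append({"line": lineno, "key": key, "chars": chars})
    return findings


# Constructed sample: ASCII quotes (fine), typographic quotes, and a
# zero-width space hidden inside the identity.
SAMPLE = (
    "conn good\n"
    '    rightid="muc.example.de"\n'
    "conn curly\n"
    "    rightid=\u201cmuc.example.de\u201d\n"
    "conn hidden\n"
    "    rightid=muc.exa\u200bmple.de\n"
)

if __name__ == "__main__":
    for f in check_config(SAMPLE):
        for idx, cp, name in f["chars"]:
            print("line %d %s: %s (%s) at offset %d"
                  % (f["line"], f["key"], cp, name, idx))
```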


Re: [strongSwan] ipsec connection fails: no matching peer config found

2019-10-18 Thread Michael Schwartzkopff
On 17.10.19 19:01, Michael Schwartzkopff wrote:
> Hi,
>
> I have a problem with one specific ipsec client. It cannot connect. The
> logs on the server side say:
>
> Oct 17 18:50:15 muc charon: 11[CFG] <111> looking for peer configs
> matching 192.168.178.8[muc.XXX.de]...46.81.179.210[m...@xxx.de]
> Oct 17 18:50:15 muc charon: 11[CFG] <111> no matching peer config found
>
>
> The status command on the server side says:
>
> Connections:
>   con-mobile:  192.168.178.8...%any  IKEv2, dpddelay=10s
>   con-mobile:   local:  [muc.XXX.de] uses public key authentication
>   con-mobile:    cert:  "CN=muc.XXX.de"
>   con-mobile:   remote: [*@XXX.de] uses EAP_RADIUS authentication with
> EAP identity '%any'
>
>
> So why does the server have a problem identifying the new incoming
> connection?
>
>
> The server side logs for another (working) client look like:
>
> Oct 17 18:57:17 muc charon: 12[CFG] <115> looking for peer configs
> matching 192.168.178.8[%any]...109.41.194.144[m...@xxx.de]
> Oct 17 18:57:17 muc charon: 12[CFG]  selected peer
> config 'con-mobile'
>
>
> Server: strongswan on pfsense (FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10)
>
> non-working client: strongswan on linux (Linux strongSwan
> U5.8.1/K5.3.6-arch1-1-ARCH)
>
> working client: strongswan on android. (2.2.0)
>
>
> Kind regards,
>
Hi,


found the reason. I had rightid="muc.XXX.de" in my client config. The
logs do not show that the gateway ID is quoted. After removing the
quotes the connection came up.


Kind regards,




[strongSwan] ipsec connection fails: no matching peer config found

2019-10-17 Thread Michael Schwartzkopff
Hi,

I have a problem with one specific ipsec client. It cannot connect. The
logs on the server side say:

Oct 17 18:50:15 muc charon: 11[CFG] <111> looking for peer configs
matching 192.168.178.8[muc.XXX.de]...46.81.179.210[m...@xxx.de]
Oct 17 18:50:15 muc charon: 11[CFG] <111> no matching peer config found


The status command on the server side says:

Connections:
  con-mobile:  192.168.178.8...%any  IKEv2, dpddelay=10s
  con-mobile:   local:  [muc.XXX.de] uses public key authentication
  con-mobile:    cert:  "CN=muc.XXX.de"
  con-mobile:   remote: [*@XXX.de] uses EAP_RADIUS authentication with
EAP identity '%any'


So why does the server have a problem identifying the new incoming
connection?


The server side logs for another (working) client look like:

Oct 17 18:57:17 muc charon: 12[CFG] <115> looking for peer configs
matching 192.168.178.8[%any]...109.41.194.144[m...@xxx.de]
Oct 17 18:57:17 muc charon: 12[CFG]  selected peer
config 'con-mobile'


Server: strongswan on pfsense (FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10)

non-working client: strongswan on linux (Linux strongSwan
U5.8.1/K5.3.6-arch1-1-ARCH)

working client: strongswan on android. (2.2.0)


Kind regards,
