I'm using the following simple connection definition in ipsec.conf.

conn vaterstetten
         keyexchange=ikev2
         left=%any
         leftcert=danielCA_server2.pem
         right=86.122.57.21
         rightid="/CN=Vaterstetten/"
         type=transport
         auto=route

I left out leftid= because I relied on strongSwan using the DN from the 
X.509 certificate in danielCA_server2.pem.

The connection setup failed with this error message:

"negotiation of own ID failed"

It works if I set

left=%defaultroute

If I understand the documentation correctly, then strongSwan figures out 
the interface address of the default route and checks if this IP address 
is included in the certificate as a subjectAltName. Since it's not, 
strongSwan uses the DN from the certificate. So far so good.

I can fix the setup also by using

leftid="/CN=server2/"

straight from the start.

My question is: why is the initial setup not working?

My goal is to make strongSwan more user friendly, i.e. troubleshooting 
should be as easy as possible. The error message "negotiation of own ID 
failed" might not be that helpful.
Can't strongSwan detect this kind of problem when it's reading in the 
config file and complain with something like "You have to explicitly set 
leftid if you set left=%any"?

Also: The wiki should be a bit more verbose regarding this topic:

-- Quote --
left|rightid = <id>

how the left|right participant should be identified for authentication; 
defaults to left|right.
Can be an IP address (in any ttoaddr(3) syntax) or a fully-qualified 
domain name preceded by @
(which is used as a literal string and not resolved).
-- End of Quote --

It fails to mention that this ID has to match the certificate. It should 
also mention what's going to happen if it doesn't match.

The old documentation has some good info about that: "Important: When 
an FQDN identifier is used it must be explicitly included as a so called 
subjectAltName of type dnsName (DNS:) in the certificate indicated by 
leftcert."

-Daniel
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
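The config-time check Daniel asks for, written out as an added example that is not part of the post and not strongSwan's own code. It parses the conn sections of an ipsec.conf, models the own-ID resolution the post describes (with left=%defaultroute the default-route address is used as ID if the certificate carries it as a subjectAltName, otherwise the subject DN; with left=%any there is no address, so leftid must be explicit; an explicit leftid must match the certificate: a DN must equal the subject, an @fqdn must be a dnsName SAN, an IP must be an ipAddress SAN) and reports the friendlier message instead of "negotiation of own ID failed". The resolution rules are an assumption taken from the post, not from strongSwan's source; certificate identities are passed in as plain Python data instead of being parsed from PEM, and the sample conn blocks, the subject /CN=server2/ and the address 192.0.2.10 are constructed for the example.

```python
"""Config-time lint for the left=%any / leftid problem described in the post.

Added example, not strongSwan code. The ID-resolution rules below are an
assumption modelled on the behaviour the post describes; certificate data
is given as dicts {"subject": DN, "dns": [...], "ip": [...]} (constructed).
"""
import ipaddress
import re


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the 'conn' sections of an ipsec.conf.
    Section headers start in column 0, settings are indented key=value lines;
    '#' starts a comment and surrounding double quotes are stripped from values."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # a section header
            m = re.match(r"^conn\s+(\S+)$", line.strip())
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns


def normalize_dn(dn):
    """'/C=CH/CN=server2/' and 'C=CH, CN=server2' -> (('C','CH'), ('CN','server2'))."""
    rdns = []
    for part in re.split(r"\s*[/,]\s*", dn.strip().strip("/")):
        if part:
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def classify_id(idstr):
    """Classify an ID the way ipsec.conf spells it: '@fqdn', an IP literal, or a DN."""
    if idstr.startswith("@"):
        return ("fqdn", idstr[1:].lower())
    try:
        return ("ip", str(ipaddress.ip_address(idstr)))
    except ValueError:
        pass
    return ("dn", normalize_dn(idstr)) if "=" in idstr else ("unknown", idstr)


def id_matches_cert(kind, value, cert):
    """True if the certificate carries this identity (subject DN or a SAN of the right type)."""
    if kind == "dn":
        return value == normalize_dn(cert["subject"])
    if kind == "fqdn":
        return value in {d.lower() for d in cert.get("dns", ())}
    if kind == "ip":
        return value in {str(ipaddress.ip_address(a)) for a in cert.get("ip", ())}
    return False


def resolve_own_id(conn, cert, default_route_addr=None):
    """Return (id_kind, id_value, error); error is None when the ID is usable."""
    leftid, left = conn.get("leftid"), conn.get("left", "%any")
    if leftid:                                          # explicit ID: must be in the cert
        kind, value = classify_id(leftid)
        if kind == "unknown":
            return (kind, value, f"leftid={leftid!r} is neither an IP, a DN nor an @fqdn")
        if not id_matches_cert(kind, value, cert):
            return (kind, value, f"leftid={leftid!r} is not contained in "
                                 f"{conn.get('leftcert', 'the certificate')}")
        return (kind, value, None)
    if left == "%any":                                  # the post's failing case
        return ("none", None, "left=%any gives no address to derive an ID from; set leftid explicitly")
    addr = default_route_addr if left == "%defaultroute" else left
    try:
        addr = str(ipaddress.ip_address(addr))
    except (ValueError, TypeError):
        return ("none", None, f"left={left!r} gives no usable IP address; set leftid explicitly")
    if id_matches_cert("ip", addr, cert):               # address is a SAN: use it as ID
        return ("ip", addr, None)
    return ("dn", normalize_dn(cert["subject"]), None)  # otherwise fall back to the subject DN


def lint(text, certs, default_route_addr=None):
    """Resolve the own ID of every conn; certs maps leftcert file name -> cert dict."""
    findings = []
    for name, conn in parse_ipsec_conf(text).items():
        cert = certs.get(conn.get("leftcert"))
        if cert is None:
            findings.append((name, f"leftcert={conn.get('leftcert')!r} not found"))
            continue
        kind, value, err = resolve_own_id(conn, cert, default_route_addr)
        findings.append((name, err or f"own ID: {kind} {value}"))
    return findings


# Constructed sample: the post's conn block plus the two variants that work.
SAMPLE_CONF = """\
conn vaterstetten
        keyexchange=ikev2
        left=%any
        leftcert=danielCA_server2.pem
        right=86.122.57.21
        rightid="/CN=Vaterstetten/"
        type=transport
        auto=route

conn vaterstetten-defaultroute
        left=%defaultroute
        leftcert=danielCA_server2.pem
        right=86.122.57.21

conn vaterstetten-leftid
        left=%any
        leftid="/CN=server2/"
        leftcert=danielCA_server2.pem
        right=86.122.57.21
"""
# Constructed certificate: subject /CN=server2/ and no subjectAltName at all.
SAMPLE_CERTS = {"danielCA_server2.pem": {"subject": "/CN=server2/", "dns": [], "ip": []}}

if __name__ == "__main__":
    for name, msg in lint(SAMPLE_CONF, SAMPLE_CERTS, default_route_addr="192.0.2.10"):
        print(f"{name}: {msg}")
```

Run as a script it reports the first conn as misconfigured and shows the DN the other two resolve to; DN matching here is exact after normalization, so a leftid that names only part of the subject is reported as not contained in the certificate.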