Hi Ygor,

is right = ***.***.***.*** contained as a subjectAltName in the rw.pem certificate? If not then you must define rightid=<subject DN of rw.pem> on the client side.

Regards

Andreas

Ygor Amadeo Sartori Regados wrote:
> Hi.
>
> I have configured strongSwan with X.509 authentication for roadwarriors.
> It uses IKEv1 (for some Windows clients) and IKEv2 (some Linux clients).
>
> I'm trying to change the PKI to one using chained CAs. I created a Sub-CA
> only for VPN roadwarriors' certificates. When I changed the
> certificates, I couldn't connect anymore. When I used my previous single-
> level CA, it worked fine.
>
> Has anyone had such a problem? (sorry if my English is bad)
>
> My configuration:
>
> *Server:*
> config setup
>     nat_traversal=yes
>     plutostderrlog=/var/log/pluto.log
>
> ca principal
>     cacert = ca-principal.pem
>     auto = add
>
> ca vpn
>     cacert = ca-vpn.pem
>     auto = add
>
> conn %default
>     auto=add
>     leftfirewall=yes
>     rekey=no
>     dpdaction=clear
>     dpddelay=60
>     dpdtimeout=180
>
> conn rw
>     left=%defaultroute
>     leftcert=rw.pem
>     leftsubnet=192.168.0.0/24
>     pfs=no
>     right=%any
>     rightsubnetwithin=0.0.0.0/0
>
> *Client:*
> config setup
>     nat_traversal = yes
>     plutostart = yes
>     charonstart = yes
>     plutostderrlog = /var/log/pluto.log
>
> conn %default
>     leftfirewall=yes
>     mobike=yes
>     compress=yes
>     auto=start
>
> conn rw
>     leftcert = dst.pem
>     keyexchange=ikev2
>     left = %defaultroute
>     right = ***.***.***.***
>     rightsubnet = 192.168.0.0/24
>
> Log on server (masked IP addresses and certificate info):
>
> Apr 10 23:18:46 mailproxy charon: 13[NET] received packet: from +++.++.+++.+++[17615] to ***.***.***.***[500]
> Apr 10 23:18:46 mailproxy charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Apr 10 23:18:46 mailproxy charon: 13[IKE] +++.++.+++.+++ is initiating an IKE_SA
> Apr 10 23:18:46 mailproxy charon: 13[IKE] remote host is behind NAT
> Apr 10 23:18:46 mailproxy charon: 13[IKE] sending cert request for "O=***, OU=***, E=****, L=****, ST=**, C=**, CN=AC Raiz"
> Apr 10 23:18:46 mailproxy charon: 13[IKE] sending cert request for "C=**, ST=**, O=***, OU=***, CN=AC para VPNs, E=****"
> Apr 10 23:18:46 mailproxy charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Apr 10 23:18:46 mailproxy charon: 13[NET] sending packet: from ***.***.***.***[500] to +++.++.+++.+++[17615]
> Apr 10 23:18:46 mailproxy charon: 14[NET] received packet: from +++.++.+++.+++[17619] to ***.***.***.***[4500]
> Apr 10 23:18:46 mailproxy charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> Apr 10 23:18:46 mailproxy charon: 14[IKE] received cert request for "C=**, ST=**, O=***, OU=***, CN=AC para VPNs, E=****"
> Apr 10 23:18:46 mailproxy charon: 14[IKE] received cert request for "O=***, OU=***, E=****, L=****, ST=**, C=**, CN=AC Raiz"
> Apr 10 23:18:46 mailproxy charon: 14[IKE] received end entity cert "C=**, ST=**, O=***, OU=****, CN=Ygor A. S. Regados (PC), E=*******"
> Apr 10 23:18:46 mailproxy charon: 14[CFG] looking for peer configs matching ***.***.***.***[***.***.***.***]...+++.++.+++.+++[C=**, ST=**, O=***, OU=***, CN=Ygor A. S. Regados (PC), E=*******]
> Apr 10 23:18:46 mailproxy charon: 14[CFG] no matching peer config found
> Apr 10 23:18:46 mailproxy charon: 14[IKE] peer supports MOBIKE
> Apr 10 23:18:46 mailproxy charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Apr 10 23:18:46 mailproxy charon: 14[NET] sending packet: from ***.***.***.***[4500] to +++.++.+++.+++[17619]

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
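The server log in the thread fails at "no matching peer config found", directly after the lookup line that shows which identities the client asked for (IDr is the gateway's IP, not a DN). As an added example that is not code from the thread or from strongSwan, this Python script pairs those two charon lines per thread and flags exactly the case the reply describes: the peer identified the gateway by IP address, so the IP must be a subjectAltName of the gateway certificate or the client must set rightid to the certificate's subject DN. The log lines, addresses and DNs in it are constructed.

```python
import re

# Constructed sample of charon output in the same shape as the log above;
# thread 14 fails the lookup, thread 15 succeeds (hypothetical lines).
SAMPLE_LOG = """\
Apr 10 23:18:46 mailproxy charon: 14[IKE] received end entity cert "C=BR, O=Example, CN=client (PC)"
Apr 10 23:18:46 mailproxy charon: 14[CFG] looking for peer configs matching 203.0.113.10[203.0.113.10]...198.51.100.7[C=BR, O=Example, CN=client (PC)]
Apr 10 23:18:46 mailproxy charon: 14[CFG] no matching peer config found
Apr 10 23:19:02 mailproxy charon: 15[CFG] looking for peer configs matching 203.0.113.10[C=BR, O=Example, CN=vpn.example.test]...198.51.100.8[C=BR, O=Example, CN=other]
Apr 10 23:19:02 mailproxy charon: 15[CFG] selected peer config 'rw'
"""

# charon logs: "looking for peer configs matching <me>[<IDr>]...<peer>[<IDi>]"
LOOKUP_RE = re.compile(
    r"charon: (?P<thread>\d+)\[CFG\] looking for peer configs matching "
    r"(?P<lhost>[^\s\[]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<rhost>[^\s\[]+)\[(?P<rid>[^\]]*)\]"
)
NOMATCH_RE = re.compile(r"charon: (?P<thread>\d+)\[CFG\] no matching peer config found")


def analyse_charon_log(lines):
    """Pair each lookup with a following 'no matching peer config' on the same thread."""
    pending = {}   # thread id -> identities from the most recent lookup line
    findings = []
    for line in lines:
        m = LOOKUP_RE.search(line)
        if m:
            pending[m["thread"]] = m.groupdict()
            continue
        m = NOMATCH_RE.search(line)
        if m and m["thread"] in pending:
            info = pending.pop(m["thread"])
            # IDr equal to our own address: the peer named us by IP, which only matches
            # when that IP is a subjectAltName of our cert (otherwise rightid must be our DN).
            info["id_is_ip"] = info["lid"] == info["lhost"]
            if info["id_is_ip"]:
                info["hint"] = ("peer requested IDr=%s (an IP); add it as subjectAltName to "
                                "the gateway certificate or set rightid on the peer to the "
                                "gateway certificate's subject DN" % info["lid"])
            else:
                info["hint"] = "check that a conn accepts IDi=%s with IDr=%s" % (info["rid"], info["lid"])
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in analyse_charon_log(SAMPLE_LOG.splitlines()):
        print("thread %s: %s -> %s" % (f["thread"], f["rid"], f["hint"]))
```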
