Hi Jaime,
Some comments:
> interfaces=%defaultroute
interfaces is ignored by the IKEv2 daemon.
> left=%defaultroute
%defaultroute is resolved at startup by the ipsec starter. With IKEv2,
I'd use %any, which is resolved dynamically during the connect.
> crlcheckinterval=3600
> cachecrls=yes
CRL checking in IKEv2 is done on demand, and they are always cached.
> ca RootCA
> auto=add
> cacert=caroot.pem
> ca SubCA
> auto=add
> cacert=cacert.pem
CA certificates in ipsec.d/cacerts are loaded automatically, no need for
these ca sections.
> leftsourceip=10.1.0.1
This is not required, the IKEv2 daemon can figure this out automatically.
Now to the problem:
> no matching config found for
> 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org, [email protected]'...
> 'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'
But your config is:
> rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org,
> [email protected]"
> rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
The client identity doesn't match. Double check that the client uses the
same identity that the server expects. This identity must be contained
in the client's certificate (either as DN or as subjectAltName). You can
also use wildcard matching ("C=ES, O=VPN Test, OU=Test, CN=*") for
multiple clients, or even accept any client with a cert under that CA
(rightid=%any).
Regards
Martin
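
An added example, not part of the original message and not strongSwan code: a simplified Python model of the rightid check described above, run against the identities quoted in this thread. It assumes RDNs are compared in order, that a value of exactly `*` matches any value, and that DNs contain no escaped commas; the conn name `rw` and the helper names are constructed.

```python
ANY = "%any"

def parse_dn(dn):
    """Split 'C=ES, O=VPN Test, CN=x' into [(type, value), ...]."""
    rdns = []
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def id_matches(configured, presented):
    """True if the presented DN satisfies the configured rightid (model)."""
    if configured == ANY:
        return True
    want, got = parse_dn(configured), parse_dn(presented)
    if len(want) != len(got):
        return False
    for (wtype, wval), (gtype, gval) in zip(want, got):
        if wtype != gtype:
            return False
        # Only a whole-value "*" is a wildcard here; "usuario-*" is literal.
        if wval != "*" and wval != gval:
            return False
    return True

def select_conn(conns, presented):
    """Name of the first conn whose rightid accepts the identity, else None."""
    for name, rightid in conns:
        if id_matches(rightid, presented):
            return name
    return None  # corresponds to "no matching config found"

# Client identity taken from the log line quoted in the message.
CLIENT = "C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2"
# rightid values from the message; the conn name "rw" is constructed.
ORIGINAL = [("rw", "C=ES, O=VPN Test, OU=Test, CN=roadwarrior")]
WILDCARD = [("rw", "C=ES, O=VPN Test, OU=Test, CN=*")]
ANY_ID = [("rw", ANY)]

if __name__ == "__main__":
    for label, conns in (("original", ORIGINAL), ("wildcard", WILDCARD),
                         ("%any", ANY_ID)):
        print(f"{label:9s} -> {select_conn(conns, CLIENT)}")
```

With `rightid=%any` the identity no longer restricts which clients are accepted, so authorization rests entirely on which CAs the gateway trusts.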