Hello Jaime,

which strongSwan version are you using? There was a bug concerning the ASN.1 encoding of the Email RDN (E=) in right|leftid introduced with version 4.2.15 which was fixed with version 4.3.4. This bug causes the comparison between the ID defined by rightid and the subject DN defined by the certificate to fail. The Debian lenny distribution originally had version 4.2.4 but there have been backports to newer versions later on.

Regards

Andreas

On 19.10.2010 15:28, Jaime Vargas wrote:
>> Now to the problem:
>>
>>> no matching config found for
>>> 'C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org,
>>> [email protected]'...
>>> 'C=ES, O=VPN Test, OU=Test, CN=usuario-ikev2'
>>
>> But your config is:
>>
>>> rightid="C=ES, O=VPN Test, OU=Test, CN=vpn-gateway.vpntest.org,
>>> [email protected]"
>>> rightid="C=ES, O=VPN Test, OU=Test, CN=roadwarrior"
>>
>> The client identity doesn't match.
>
> Sorry, assume they match. "usuario-ikev2" is the real user I'm using,
> and I substituted it with "roadwarrior" in my email but obviously
> forgot to do so in every instance. The problem is not there.
>
>> Double check that the client uses the
>> same identity that the server expects. This identity must be contained
>> in the client's certificate (either as DN or as subjectAltName). You can
>> also use wildcard matching ("C=ES, O=VPN Test, OU=Test, CN=*") for
>> multiple clients, or even accept any client with a cert under that ca
>> (rightid=%any).
>>
>
> I don't understand this. As for wildcard or rightid=%any, that is not
> viable because the configuration MUST be unique for each user, so it
> can assign their fixed IPs...so what might the problem be? Maybe the
> roadwarrior is presenting the subjectAltName?
>

======================================================================
Andreas Steffen                                     [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
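
Added illustration (not strongSwan code and not part of the thread): why a configured ID and a certificate subject that print identically can still fail a byte-wise DN comparison when the emailAddress RDN is DER-encoded differently. The thread does not say what the encoding error was; the IA5String versus UTF8String mismatch, the sample DN values and all helper names below are assumptions.

```python
# Minimal DER helpers (short-form lengths only), enough to build and parse a small DN.
EMAIL_OID = bytes.fromhex("2a864886f70d010901")  # 1.2.840.113549.1.9.1 emailAddress
CN_OID = bytes.fromhex("550403")                 # 2.5.4.3 commonName
PRINTABLE, IA5, UTF8 = 0x13, 0x16, 0x0C          # ASN.1 string type tags

def tlv(tag, content):
    assert len(content) < 128, "short-form length only in this sketch"
    return bytes([tag, len(content)]) + content

def rdn(oid, string_tag, value):
    # SET { SEQUENCE { OID, string } }
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, value.encode())))

def dn(*rdns):
    return tlv(0x30, b"".join(rdns))

def read(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse(der):
    """Return [(oid, string_tag, value)] for a DN of single-valued RDNs."""
    _, body, _ = read(der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, rdn_set, pos = read(body, pos)
        _, atv, _ = read(rdn_set, 0)
        _, oid, p = read(atv, 0)
        stag, val, _ = read(atv, p)
        out.append((oid, stag, val.decode()))
    return out

def same_bytes(a, b):
    return a == b  # what a raw memcmp-style ID match sees

def same_values(a, b):
    # Compare attribute type and text, ignoring the string type tag.
    return [(o, v) for o, _, v in parse(a)] == [(o, v) for o, _, v in parse(b)]

def encoding_diffs(a, b):
    return [(x, y) for x, y in zip(parse(a), parse(b)) if x != y]

# Constructed sample: certificate subject vs. the DN built from a config string.
CERT_SUBJECT = dn(rdn(CN_OID, PRINTABLE, "gw.example"),
                  rdn(EMAIL_OID, IA5, "gw@vpn.example"))
CONFIGURED_ID = dn(rdn(CN_OID, PRINTABLE, "gw.example"),
                   rdn(EMAIL_OID, UTF8, "gw@vpn.example"))

if __name__ == "__main__":
    print("byte match:", same_bytes(CERT_SUBJECT, CONFIGURED_ID))
    print("value match:", same_values(CERT_SUBJECT, CONFIGURED_ID))
    for cert_rdn, cfg_rdn in encoding_diffs(CERT_SUBJECT, CONFIGURED_ID):
        print("differs:", cert_rdn, "vs", cfg_rdn)
```

When a log shows "no matching config found" for identities that look the same as the configured ones, dumping both DNs at this level shows whether the mismatch is in the text or only in the encoding.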
