Hello Olaf,

The unstructuredAddress RDN was not supported by the right|leftid parser. I fixed this with the following patch:

http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=a30e025901e59b8bafb3617a27535cd50ec8b7d6

I also published the following untested developers release containing the unstructuredAddress fix:

http://download.strongswan.org/strongswan-4.5.2dr5.tar.bz2

BTW - I'm wondering that you are using unstructuredAddress for IP addresses. According to PKCS#9 this RDN was rather intended as an alternative to the postalAddress RDN.

Best regards

Andreas

On 04/18/2011 07:56 PM, Olaf Rottler wrote:
> Hello,
> after I copied the rightID completely identically into IPSEC.conf,
> pluto still complains about a mismatch:
>
> 03 "msbt" #4: we require peer to have ID
> 'SN=JMX1429L3BD, unstructuredAddress=1.18.8.124,
> unstructuredName=msbt-gate.uni.int, CN=msbt-gate.uni.int'
>
> but peer declares
>
> 'SN=JMX1429L3BD, unstructuredAddress=1.18.8.124,
> unstructuredName=msbt-gate.uni.int, CN=msbt-gate.uni.int'
>
> I traced this down into switch_connection; the cause is apparently
> that the connection description was given the type _equals_binary
> while the recognized peer was given the type _equals_dn
> (ID_DER_ASN1_DN) (because of the first "=").
>
> 2415     if (initiator)
> 2416     {
> 2417         int pathlen;
> 2418
> 2419 ***     if (!peer->equals(peer, c->spd.that.id))
> 2420         {
> 2421             loglog(RC_LOG_SERIOUS,
> 2422                 "we require peer to have ID '%Y', but peer declares '%Y'",
> 2423                 c->spd.that.id, peer);
>
> *peer = {get_encoding = 0x5080f0 <get_encoding>, get_type = 0x508110 <get_type>,
>   equals = 0x5088f0 <equals_dn>, matches = 0x508850 <matches_dn>,
>   contains_wildcards = 0x5089b0 <contains_wildcards_dn>,
>   create_part_enumerator = 0x508940 <create_part_enumerator>,
>   clone = 0x508d00 <clone_>, destroy = 0x508420 <destroy>}
> 6: peer = (identification_t *) 0x8767498
>
> *c->spd.that.id = {get_encoding = 0x5080f0 <get_encoding>, get_type = 0x508110 <get_type>,
>   equals = 0x5082e0 <equals_binary>, matches = 0x508250 <matches_binary>,
>   contains_wildcards = 0x506bf0 <return_false>,
>   create_part_enumerator = 0x508940 <create_part_enumerator>,
>   clone = 0x508d00 <clone_>, destroy = 0x508420 <destroy>}
> (gdb) s
>
> Unfortunately I cannot yet see offhand where and why this happens
> when the config is read in.
>
> Regards
>
> Olaf
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
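
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not strongSwan code: a simplified C model of a string-to-ID parser that falls back to an opaque binary ID when it meets an RDN keyword it does not know, so an ID that prints identically to the peer's DN still fails the equality check. The names `ident_t`, `parse_id`, `id_equals` and the keyword tables are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not strongSwan code: all names here are hypothetical. */
typedef struct { bool is_dn; char text[256]; } ident_t;
/* Constructed tables (old lacks unstructuredAddress); SAMPLE is the thread's ID. */
static const char *old_rdns[] = { "SN", "CN", "unstructuredName", NULL };
static const char *new_rdns[] = { "SN", "CN", "unstructuredName",
                                  "unstructuredAddress", NULL };
static const char SAMPLE[] = "SN=JMX1429L3BD, unstructuredAddress=1.18.8.124, "
    "unstructuredName=msbt-gate.uni.int, CN=msbt-gate.uni.int";

static bool known(const char **tbl, const char *kw, size_t len)
{
    for (; *tbl; tbl++)
        if (strlen(*tbl) == len && strncmp(*tbl, kw, len) == 0)
            return true;
    return false;
}

/* Parse "K=V, K=V": one unknown keyword leaves the whole ID opaque. */
ident_t parse_id(const char **tbl, const char *s)
{
    ident_t id = { false, "" };     /* opaque unless every RDN is known */
    snprintf(id.text, sizeof(id.text), "%s", s);
    while (s && *s) {
        const char *eq = strchr(s, '=');
        if (!eq || !known(tbl, s, (size_t)(eq - s)))
            return id;              /* fallback: binary ID, same printed text */
        s = strchr(eq, ',');
        if (s)
            s += 1 + strspn(s + 1, " ");
    }
    id.is_dn = true;
    return id;
}

/* Models the equals() check from the thread: kind must match before content. */
bool id_equals(ident_t a, ident_t b)
{
    return a.is_dn == b.is_dn && strcmp(a.text, b.text) == 0;
}

int main(void)
{
    ident_t peer = parse_id(new_rdns, SAMPLE); /* stands in for the cert DN */
    printf("old parser: equal=%d\n", id_equals(parse_id(old_rdns, SAMPLE), peer));
    printf("new parser: equal=%d\n", id_equals(parse_id(new_rdns, SAMPLE), peer));
    return 0;
}
```

When a log shows two identical-looking IDs failing to match, comparing the ID types (here the `is_dn` flag, in the thread the `equals_dn` versus `equals_binary` function pointers) is the quickest check.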
