Hi,

> "strongswan(client) - Netgear(server)"

I suppose you meant "strongswan(server) - Netgear(client)" because...

> But according to RFC 4306, IDr payload is optional

(Please use RFC 5996 for future reference)

...the IDr payload *is* optional, but only in the IKE_AUTH *request*. See page 11 of RFC 5996 for a description of the response. It starts with: "The responder asserts its identity with the IDr payload, optionally sends one or more certificates..."

So, assuming you meant that the Netgear is the client and referring to your earlier logs

> 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr ]
> ...
> 13[CFG] looking for peer configs matching 35.0.0.2[%any]...35.0.0.1[]

the problem is that the IDi is empty ([]); the non-existence of IDr is reflected as [%any]. Since you've configured

> rightid="C=CH, O=strongswan, CN=iss"

there won't be a match as the empty IDi does not match that CN. So make sure you configure that CN as local ID on the Netgear device.

Regards,
Tobias
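The check described in the message above can be run over charon log lines, as an added example that is not part of the original message or of strongSwan: it parses the "looking for peer configs matching" line and reports whether the logged IDi is empty or differs from the configured rightid. The function names are hypothetical, rightid is assumed to be a DN, and the DN comparison is a simplified stand-in for strongSwan's own identity matching.

```python
import re

# Log format quoted in the message above:
#   looking for peer configs matching <local addr>[<IDr>]...<remote addr>[<IDi>]
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local>[^\[\s]+)\[(?P<idr>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[(?P<idi>[^\]]*)\]"
)

def parse_lookup(line):
    """Return the addresses and identities from a peer-config lookup line, or None."""
    m = PEER_CFG_RE.search(line)
    return m.groupdict() if m else None

def normalize_dn(dn):
    """Split a DN into (type, value) pairs, ignoring spacing.
    Simplification (assumption): no escaped commas, no wildcard RDNs."""
    return [tuple(part.strip() for part in rdn.split("=", 1))
            for rdn in dn.split(",") if rdn.strip()]

def diagnose(line, rightid):
    """Classify a lookup line against the rightid configured on the responder."""
    fields = parse_lookup(line)
    if fields is None:
        return None                      # not a peer-config lookup line
    if fields["idi"] == "":
        return "empty-idi"               # initiator sent no usable identity
    if normalize_dn(fields["idi"]) != normalize_dn(rightid):
        return "idi-mismatch"
    return "match"

if __name__ == "__main__":
    rightid = "C=CH, O=strongswan, CN=iss"   # value from the thread
    sample_log = [
        # first two lines are quoted in the thread; the third is constructed
        "13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr ]",
        "13[CFG] looking for peer configs matching 35.0.0.2[%any]...35.0.0.1[]",
        "14[CFG] looking for peer configs matching "
        "35.0.0.2[%any]...35.0.0.1[C=CH, O=strongswan, CN=iss]",
    ]
    for entry in sample_log:
        print(diagnose(entry, rightid), "<-", entry)
```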
