Hello,

Your rightid setting does not match the DN of the certificate.

rightid="C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*"
DN=" C=US, ST=State, L=City, O=Company_2, OU=Marketing"

The organization part of the id does not match the organization part of the DN of the certificate.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 13.06.2014 18:48, bviper47 wrote:
> Greetings,
>
> I am attempting to set up an IKEv1 RSA endpoint to serve Android and
> iOS native clients. However, I wish to restrict connections to certain
> distinguished names. (e.g. clients starting with "C=US, ST=State,
> L=City, O=Company_1, OU=Sales" are allowed, but "C=US, ST=State,
> L=City, O=Company_1, OU=Marketing" are not) Very much like this older
> strongSwan 4.2 configuration guide is referencing
> http://www.strongswan.org/docs/readme4.htm#section_4.6 and this guide
> for iOS
> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#strongSwan-configuration-for-multiple-clients
> . I am receiving a "no peer config found" error message.
> I am using strongSwan 5.1.3 configured with "./configure --prefix=/usr --sysconfdir=/etc --enable-xauth-noauth"
>
> My ipsec.conf is the following:
>
> config setup
>     charondebug="ike 2, knl 2"
> conn ios
>     keyexchange=ikev1
>     leftauth=rsa
>     rightauth=rsa
>     rightauth2=xauth-noauth
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftfirewall=no
>     leftcert=server.crt.pem
>     right= %any
>     rightid="C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*"
>     rightsubnet=10.0.0.0/24
>     rightsourceip=10.0.0.0/24
>     auto=add
>
> My full log can be found at http://pastebin.com/yN4v0aRX
>
> I'm getting the following
>
> Jun 13 11:20:23 ast-scodev-4 charon: 12[CFG] looking for XAuthInitRSA peer configs matching 10.89.150.204...10.152.10.45[C=US, ST=State, L=City, O=Company_2, OU=Marketing, CN=client_2]
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] no peer config found
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] queueing INFORMATIONAL task
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] activating new tasks
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] activating INFORMATIONAL task
> Jun 13 11:20:23 ast-scodev-4 charon: 12[ENC] generating INFORMATIONAL_V1 request 1377396233 [ HASH N(AUTH_FAILED) ]
> Jun 13 11:20:23 ast-scodev-4 charon: 12[NET] sending packet: from 10.89.150.204[500] to 10.152.10.45[500] (92 bytes)
> Jun 13 11:20:23 ast-scodev-4 charon: 12[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
>
> Please note that setting rightauth2=xauth-generic still results in the
> same error.
>
> Any suggestions?
>
> Thanks
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
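
Added example (not part of the original thread and not strongSwan's code): a simplified Python model of how a wildcard rightid is compared with the peer's certificate DN, run against the identity from the log above. It assumes RDNs are compared in order, that both DNs need the same number of RDNs, and that only a value of "*" acts as a wildcard; the Company_1 peer identities are constructed samples.

```python
# Simplified model of wildcard DN matching for a rightid pattern.
# Assumptions (not taken from strongSwan's source): RDNs are compared in
# order, both DNs must have the same number of RDNs, values compare
# case-insensitively, and a pattern value of "*" matches any value.
# The parser splits on "," and does not handle escaped commas.


def parse_dn(dn):
    """Split 'C=US, O=Example' into [('C', 'US'), ('O', 'Example')]."""
    rdns = []
    for part in dn.split(","):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def match_dn(pattern, peer):
    """Return (matched, reason); reason names the first RDN that differs."""
    pat, got = parse_dn(pattern), parse_dn(peer)
    if len(pat) != len(got):
        return False, f"RDN count differs: {len(pat)} vs {len(got)}"
    for (p_attr, p_val), (g_attr, g_val) in zip(pat, got):
        if p_attr != g_attr:
            return False, f"attribute order differs: {p_attr} vs {g_attr}"
        if p_val != "*" and p_val.lower() != g_val.lower():
            return False, f"{p_attr}: pattern {p_val!r} != peer {g_val!r}"
    return True, "match"


# rightid from the ipsec.conf quoted in the thread
RIGHTID = "C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=*"
# Peer identity exactly as it appears in the charon log line in the thread
LOGGED_PEER = "C=US, ST=State, L=City, O=Company_2, OU=Marketing, CN=client_2"
# Constructed sample identities for the allow/deny cases the poster describes
SALES_PEER = "C=US, ST=State, L=City, O=Company_1, OU=Sales, CN=client_1"
MARKETING_PEER = "C=US, ST=State, L=City, O=Company_1, OU=Marketing, CN=client_3"

if __name__ == "__main__":
    for peer in (LOGGED_PEER, SALES_PEER, MARKETING_PEER):
        ok, reason = match_dn(RIGHTID, peer)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {peer}  ({reason})")
```

In this model the logged peer is rejected at the O component, which is the mismatch the reply points out, and it would also fail at OU if the organization were corrected.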
