Hi Ariwa,

> I see the log, but I cannot figure out the dubious point.
> Is there someone who has any hint for it?
The log is pretty clear:

> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] looking for
> peer configs matching 192.168.1.32[openwrt5server]...192.168.1.156[C=JP,
> L=Tokyo, O=Dread Beef limited., CN=bigandy]
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] peer config
> match local: 0 (ID_FQDN -> 6f:70:65:6e:77:72:74:35:73:65:72:76:65:72)
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] peer config
> match remote: 0 (ID_DER_ASN1_DN ->
> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:4a:50:31:0e:30:0c:06:03:55:04:07:13:05:54:6f:6b:79:6f:31:1c:30:1a:06:03:55:04:0a:13:13:44:72:65:61:64:20:42:65:65:66:20:6c:69:6d:69:74:65:64:2e:31:10:30:0e:06:03:55:04:03:13:07:62:69:67:61:6e:64:79)
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] ike config
> match: 2076 (192.168.1.32 192.168.1.156 IKEv2)
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] no matching
> peer config found /* what is this? */

The client proposes identities that don't match your config.

You configured `leftcert` but not `leftid`, so the server's identity will default to its IP address or, if that's not contained as subjectAltName extension in the certificate, to the full subject DN of the certificate. The client, however, proposes `openwrt5server` as server identity (because you configured that explicitly as server identity in the VPN profile), which won't match either of these potential server identities.

The client identity also does not match. Since you didn't configure `rightid` but explicitly set `right` to an IP address (roadwarrior connections usually have `right=%any`), the identity will default to that IP, which won't match the ASN.1 DN the client sends as its identity.

The identity the client uses as server identity has to be contained as subjectAltName extension in the server's certificate. If that's the case with `openwrt5server`, then configure that as `leftid` on the server.
Usually, the hostname (or IP address) of the server is added as subjectAltName to the certificate, in which case you don't have to explicitly configure the server identity on the client, as the Android client uses the hostname/address as remote identity by default (it does not send a remote identity either, if not explicitly configured, so you wouldn't have to set `leftid` on the server). Alternatively, you could configure the complete subject DN of the server's certificate as server identity on the client.

To accept the client identity, just set `right=%any`, or explicitly configure `rightid` (to either `%any` or the subject DN, optionally with wildcards, e.g. "C=JP, L=Tokyo, O=Dread Beef limited., CN=*").

Regards,
Tobias

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
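The two "peer config match" lines above carry the identities as raw hex, which is why the mismatch is hard to see at a glance. The following added example (not code from the strongSwan project or from this thread) decodes those hex dumps back into readable identities and replays the matching rules Tobias describes: `%any` accepts anything, an FQDN compares as a plain string, and a DN may carry `*` as a whole-value wildcard per RDN. The sample log lines are constructed from the ones quoted in the mail; the helper names, the simplified matching logic in `identity_matches`, the default-identity rule in `local_default_identity`, and the assumption that the server certificate carries `openwrt5server` as subjectAltName (but not the IP address) are this example's own.

```python
"""Decode strongSwan identity hex dumps and replay peer-config identity matching.
Added example; the matching rules are a simplification of what the reply describes."""
import re

# Attribute-type OIDs that commonly appear in certificate subject DNs.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E"}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_dn(der):
    """Render a DER X.501 Name the way strongSwan prints it: 'C=JP, L=Tokyo, ...'."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)            # SET { AttributeTypeAndValue }
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)                  # single-valued RDNs only
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)                  # PrintableString / UTF8String
        name = _decode_oid(oid)
        parts.append(f"{OID_NAMES.get(name, name)}={val.decode('utf-8')}")
    return ", ".join(parts)


def decode_identity(id_type, hexdump):
    """Turn strongSwan's 'ID_TYPE -> aa:bb:cc' dump back into readable text."""
    raw = bytes.fromhex(hexdump.replace(":", ""))
    if id_type == "ID_DER_ASN1_DN":
        return decode_dn(raw)
    if id_type in ("ID_FQDN", "ID_RFC822_ADDR"):
        return raw.decode("ascii")
    if id_type == "ID_IPV4_ADDR":
        return ".".join(str(b) for b in raw)
    return hexdump                                     # unknown type: leave as printed


MATCH_LINE = re.compile(r"peer config match (local|remote): \d+ \((ID_\w+) -> ([0-9a-f:]+)\)")


def decode_log(lines):
    """Map 'local'/'remote' to (id_type, decoded identity) from '[CFG] peer config match' lines."""
    found = {}
    for line in lines:
        m = MATCH_LINE.search(line)
        if m:
            side, id_type, hexdump = m.groups()
            found[side] = (id_type, decode_identity(id_type, hexdump))
    return found


def identity_matches(configured, proposed):
    """Simplified match: '%any' accepts all; non-DN ids compare case-insensitively;
    a DN may use '*' as a whole-value wildcard per RDN (assumes no comma inside a value)."""
    if configured == "%any":
        return True
    if "=" not in configured or "=" not in proposed:
        return configured.lower() == proposed.lower()
    conf = [x.strip().split("=", 1) for x in configured.split(",")]
    prop = [x.strip().split("=", 1) for x in proposed.split(",")]
    return len(conf) == len(prop) and all(
        ck == pk and cv in ("*", pv) for (ck, cv), (pk, pv) in zip(conf, prop))


def local_default_identity(leftid, left, cert_sans, cert_subject):
    """Server identity under the rule in the reply: explicit leftid wins; otherwise the
    'left' address if the certificate carries it as subjectAltName, else the subject DN."""
    if leftid:
        return leftid
    return left if left in cert_sans else cert_subject


# Constructed sample: the two '[CFG] peer config match' lines quoted in the mail.
SAMPLE_LOG = [
    "Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] peer config match local: 0 "
    "(ID_FQDN -> 6f:70:65:6e:77:72:74:35:73:65:72:76:65:72)",
    "Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] peer config match remote: 0 "
    "(ID_DER_ASN1_DN -> 30:4d:31:0b:30:09:06:03:55:04:06:13:02:4a:50:31:0e:30:0c:06:03:55:04:07:13:05:54:6f:6b:79:6f:"
    "31:1c:30:1a:06:03:55:04:0a:13:13:44:72:65:61:64:20:42:65:65:66:20:6c:69:6d:69:74:65:64:2e:"
    "31:10:30:0e:06:03:55:04:03:13:07:62:69:67:61:6e:64:79)",
]

if __name__ == "__main__":
    ids = decode_log(SAMPLE_LOG)
    print("client expects server id:", ids["local"][1])
    print("client's own id         :", ids["remote"][1])
    # Assumed server setup from the thread: leftcert set, no leftid, left=192.168.1.32,
    # certificate with SAN 'openwrt5server' but not the IP address.
    srv = local_default_identity(None, "192.168.1.32", ["openwrt5server"], "CN=openwrt5server")
    print("no leftid  ->", srv, "matches:", identity_matches(srv, ids["local"][1]))
    print("leftid set ->", identity_matches("openwrt5server", ids["local"][1]))
    print("rightid wildcard ->", identity_matches("C=JP, L=Tokyo, O=Dread Beef limited., CN=*", ids["remote"][1]))
```

Running it prints the decoded identities (`openwrt5server` and the full DN ending in `CN=bigandy`), shows that the server's defaulted identity does not match what the client asks for until `leftid` is set, and that the wildcard `rightid` from the reply accepts the client's DN.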
