I set up an Ubuntu machine using the same instructions that worked for me before but am unable to connect from Mac OS X. I notice that on startup, ipsec gives me this error (replacing the actual domain with "example.com"):

reusing virtual IP address pool 2002:25f7:7489:3::/112
Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG] loaded certificate "C=NL, O=Example Company, CN=vpn.example.com" from 'vpnHostCert.der'
Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG] id 'vpn.example.com' not confirmed by certificate, defaulting to 'C=NL, O=Example Company, CN=vpn.example.com'

Based on what I read earlier on this list and elsewhere, it could be something wrong with how I made the cert. Here's the command I used to generate vpnHostCert.der (also replacing the real IP with 1.2.3.4):

ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=NL, O=Example Company, CN=vpn.example.com" --san vpn.example.com --san 1.2.3.4 --san @1.2.3.4 --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der

And verifying that it has the SAN:

ipsec pki --print --in certs/vpnHostCert.der
  cert:      X509
  subject:  "C=NL, O=Example Company, CN=vpn.example.com"
  issuer:   "C=NL, O=Example Company, CN=strongSwan Root CA"
  validity:  not before Nov 12 16:58:45 2017, ok
             not after  Nov 12 16:58:45 2019, ok (expires in 729 days)
  ...
  altNames:  vpn.example.com, 1.2.3.4, 1.2.3.4
  flags:     serverAuth iKEIntermediate
  ...

openssl also shows what I think is the right data?

openssl x509 -inform DER -in certs/vpnHostCert.der -noout -text
...
        Subject: C=NL, O=Example Company, CN=vpn.example.com
...
            X509v3 Subject Alternative Name:
                DNS:vpn.example.com, IP Address:1.2.3.4, DNS:1.2.3.4

If I change leftid in /etc/ipsec.conf to have the whole "C=NL, O=Example Company, CN=vpn.example.com" instead of just vpn.example.com, I don't get the "not confirmed by certificate" message, but am still unable to connect. And I don't get how it's unable to match the domain with the CN in the message. When I try to connect it's not clear to me what the error is, but I'm guessing it's "no matching peer config found":

Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] ike config match: 0 (1.2.3.4 5.6.7.8 IKEv2)
Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] no matching peer config found
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_ADDRESS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DHCP attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DNS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_NETMASK attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_ADDRESS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DHCP attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DNS attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing (25) attribute
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] peer supports MOBIKE
Nov 12 16:52:49 ik1-327-23579 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 12 16:52:49 ik1-327-23579 charon: 01[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (76 bytes)
Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] checkin and destroy IKE_SA (unnamed)[2]
Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] check-in and destroy of IKE_SA successful
Nov 12 16:52:49 ik1-327-23579 charon: 09[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500]
Nov 12 16:52:49 ik1-327-23579 charon: 06[NET] waiting for data on sockets
Nov 12 16:53:18 ik1-327-23579 charon: 14[MGR] checkout IKE_SA

Does anyone have an idea what I'm doing wrong or any hint where to look?
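As an added example (not part of the post above and not strongSwan's own code): a small POSIX shell script that reproduces, using only openssl, the identity check behind the "id '...' not confirmed by certificate" warning. charon accepts the configured leftid when it matches one of the certificate's subjectAltNames or its subject DN, and otherwise falls back to the full DN, as the log shows. The script builds its own self-signed sample certificate carrying the subject and SANs from the post (constructed input; it needs OpenSSL 1.1.1 or later for -addext), then reports which candidate leftid values that certificate would confirm. The comparison is a string-level approximation of charon's matching, not its implementation, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the post and not strongSwan code: approximate, with
# openssl only, the check behind charon's "id 'X' not confirmed by certificate".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: a self-signed cert with the same subject and SANs
# the post shows. (The real cert was CA-issued; self-signing keeps this offline.
# Needs OpenSSL 1.1.1+ for -addext.)
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/C=NL/O=Example Company/CN=vpn.example.com" \
    -addext "subjectAltName=DNS:vpn.example.com,IP:1.2.3.4" \
    >/dev/null 2>&1
  printf '%s\n' "$WORK/cert.pem"
}

# Subject DN in RFC 2253 order ("CN=...,O=...,C=NL"), which openssl prints the
# same way across versions when asked for it explicitly.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# One SAN value per line, with the "DNS:" / "IP Address:" type prefix removed.
cert_sans() {
  openssl x509 -in "$1" -noout -text | awk '
    /Subject Alternative Name/ {
      getline; sub(/^[ \t]+/, "")
      n = split($0, a, ", ")
      for (i = 1; i <= n; i++) { sub(/^(DNS|IP Address|email|URI):/, "", a[i]); print a[i] }
    }'
}

# Turn an ipsec.conf-style DN ("C=NL, O=Example Company, CN=vpn.example.com")
# into RFC 2253 order so it can be compared with cert_subject output.
normalize_dn() {
  printf '%s' "$1" | awk -F', ' '{ out = ""; for (i = NF; i >= 1; i--) out = out (out == "" ? "" : ",") $i; print out }'
}

# Exit 0 if ID would be "confirmed" by CERT: it equals a SAN or the subject DN.
id_confirmed_by_cert() {
  cert=$1; id=$2
  if [ "$(cert_subject "$cert")" = "$(normalize_dn "$id")" ]; then return 0; fi
  cert_sans "$cert" | grep -qxF -- "$id"
}

# Try the values from the post plus one name the certificate does not carry.
CERT=$(make_sample_cert)
for id in vpn.example.com 1.2.3.4 "C=NL, O=Example Company, CN=vpn.example.com" vpn.example.org; do
  if id_confirmed_by_cert "$CERT" "$id"; then
    echo "confirmed by certificate: $id"
  else
    echo "NOT confirmed by certificate, charon would fall back to the DN: $id"
  fi
done
```

Run it against a real certificate by pointing id_confirmed_by_cert at that file (convert DER first with openssl x509 -inform DER -outform PEM). If a leftid that is listed in the SAN output is still reported as not confirmed, check it against the file named in charon's "loaded certificate ... from" line rather than the one just generated, since that is the certificate the check actually ran on.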
