Hello Thomas,

On 11/12/2017 09:07 AM, Thomas J. Webb wrote:
> I set up an Ubuntu machine using the same instructions that worked for me
> before but am unable to connect from Mac OS X. I notice that on startup,
> ipsec gives me this error (replacing actual domain with "example.com"):
>
> reusing virtual IP address pool 2002:25f7:7489:3::/112
> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG] loaded certificate "C=NL, O=Example Company, CN=vpn.example.com" from 'vpnHostCert.der'
> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG] id 'vpn.example.com' not confirmed by certificate, defaulting to 'C=NL, O=Example Company, CN=vpn.example.com'

This indicates that the ID you configured in your ipsec.conf does not match
the one from the cert. You can see it both ways: distinguished name
misconfigured, or ipsec.conf's leftid wrong. However, it's much easier to
reconfigure the leftid in your ipsec.conf. See the section about
leftid/rightid in [1] for how to configure your local/remote IDs.

The error below has most likely the same origin: charon is looking for a
peer configuration using the rightid you (mis)configured while your peer's
certificate is in another name. Again, try to reconfigure your IDs using [1].

> Based on what I read earlier on this list and elsewhere, it could be
> something wrong with how I made the cert. Here's the command I used to
> generate vpnHostCert.der (also replacing real ip with 1.2.3.4):
>
> ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=NL, O=Example Company, CN=vpn.example.com" --san vpn.example.com --san 1.2.3.4 --san @1.2.3.4 --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der
>
> And verifying that it has the san:
>
> ipsec pki --print --in certs/vpnHostCert.der
>   cert:      X509
>   subject:   "C=NL, O=Example Company, CN=vpn.example.com"
>   issuer:    "C=NL, O=Example Company, CN=strongSwan Root CA"
>   validity:  not before Nov 12 16:58:45 2017, ok
>              not after  Nov 12 16:58:45 2019, ok (expires in 729 days)
>   ...
>   altNames:  vpn.example.com, 1.2.3.4, 1.2.3.4
>   flags:     serverAuth iKEIntermediate
>   ...
>
> openssl also shows what I think is the right data?
>
> openssl x509 -inform DER -in certs/vpnHostCert.der -noout -text
>   ...
>   Subject: C=NL, O=Example Company, CN=vpn.example.com
>   ...
>   X509v3 Subject Alternative Name:
>     DNS:vpn.example.com, IP Address:1.2.3.4, DNS:1.2.3.4
>
> If I change leftid in /etc/ipsec.conf to have the whole "C=NL, O=Example
> Company, CN=vpn.example.com" instead of just vpn.example.com, I don't get the
> "not confirmed by certificate" message, but am still unable to connect. And I
> don't get how it's unable to match the domain with the CN in the message.
>
> When I try to connect it's not clear to me what the error is, but I'm
> guessing it's "no matching peer config found":
>
> Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] ike config match: 0 (1.2.3.4 5.6.7.8 IKEv2)
> Nov 12 16:52:49 ik1-327-23579 charon: 01[CFG] no matching peer config found
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_ADDRESS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DHCP attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_DNS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP4_NETMASK attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_ADDRESS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DHCP attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing INTERNAL_IP6_DNS attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] processing (25) attribute
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] peer supports MOBIKE
> Nov 12 16:52:49 ik1-327-23579 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 12 16:52:49 ik1-327-23579 charon: 01[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (76 bytes)
> Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] checkin and destroy IKE_SA (unnamed)[2]
> Nov 12 16:52:49 ik1-327-23579 charon: 01[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
> Nov 12 16:52:49 ik1-327-23579 charon: 01[MGR] check-in and destroy of IKE_SA successful
> Nov 12 16:52:49 ik1-327-23579 charon: 09[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500]
> Nov 12 16:52:49 ik1-327-23579 charon: 06[NET] waiting for data on sockets
> Nov 12 16:53:18 ik1-327-23579 charon: 14[MGR] checkout IKE_SA
>
> Does anyone have an idea what I'm doing wrong or any hint where to look?

Cheers,
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
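As an added example (not code from the thread and not strongSwan's own), the check the reply describes, in Python: parse the Subject and SAN lines of the `openssl x509 -text` output quoted above, pull `leftid` out of an ipsec.conf conn section, and report whether that ID is one the certificate actually carries. The matching is a simplified model of charon's behaviour, and the conn name `ikev2-vpn` and the config fragment are constructed for the example.

```python
import re

# Constructed sample input (names and placeholder values from the thread):
SAMPLE_CERT_TEXT = """\
        Subject: C=NL, O=Example Company, CN=vpn.example.com
            X509v3 Subject Alternative Name:
                DNS:vpn.example.com, IP Address:1.2.3.4, DNS:1.2.3.4
"""
SAMPLE_IPSEC_CONF = """\
conn ikev2-vpn
    leftcert=vpnHostCert.der
    leftid=vpn.example.com
"""

def parse_cert_text(text):
    """Return the subject DN and the subjectAltName entries as (type, value)."""
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1).strip()
    m = re.search(r"Subject Alternative Name:\s*([^\n]+)", text)
    sans = []
    for entry in (m.group(1).split(",") if m else []):
        kind, _, value = entry.strip().partition(":")
        sans.append((kind, value))
    return {"subject": subject, "sans": sans}

def normalize_dn(dn):
    """Split a DN into RDNs, ignoring surrounding quotes and spacing."""
    return [rdn.strip() for rdn in dn.strip().strip('"').split(",")]

def id_confirmed(ident, cert):
    """Simplified model of charon's check: the configured ID must equal the
    subject DN or one of the SANs. A leading '@' marks an FQDN identity."""
    ident = ident.strip()
    if "=" in ident:                               # a distinguished name
        return normalize_dn(ident) == normalize_dn(cert["subject"])
    ident = ident.lstrip("@")
    return any((kind == "DNS" and value.lower() == ident.lower())
               or (kind == "IP Address" and value == ident)
               for kind, value in cert["sans"])

def leftid_from_ipsec_conf(conf_text, conn):
    """Return the leftid set in the named conn section, or None."""
    in_conn = False
    for line in conf_text.splitlines():
        if re.match(r"^\S", line):                 # a new top-level section
            in_conn = line.split() == ["conn", conn]
        elif in_conn:
            m = re.match(r"\s*leftid\s*=\s*(.+)$", line)
            if m:
                return m.group(1).strip()
    return None
```

Feed it the real `openssl x509 -text` output and your own ipsec.conf to see whether the configured ID would be confirmed; a DN-form leftid must match the subject RDN by RDN, an FQDN or IP must appear as a SAN.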
