>
> Hello Thomas,
>
> On 11/12/2017 09:07 AM, Thomas J. Webb wrote:
>> I set up an Ubuntu machine using the same instructions that worked for me
>> before but am unable to connect from Mac OS X. I notice that on startup,
>> ipsec gives me this error (replacing actual domain with "example.com"):
>>
>> reusing virtual IP address pool 2002:25f7:7489:3::/112
>> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG] loaded certificate "C=NL,
>> O=Example Company, CN=vpn.example.com" from 'vpnHostCert.der'
>> Nov 12 16:46:30 ik1-327-23579 charon: 15[CFG] id 'vpn.example.com' not
>> confirmed by certificate, defaulting to 'C=NL, O=Example Company,
>> CN=vpn.example.com'
> This indicates that the ID you configured in your ipsec.conf
> does not match the one from the cert. You can see it both ways:
> distinguished name misconfigured, or ipsec.conf's leftid wrong.
> However, it's much easier to reconfigure the leftid in your
> ipsec.conf. See the section about leftid/rightid in [1] for
> how to configure your local/remote IDs.
> The error below has most likely the same origin: charon is
> looking for a peer configuration using the rightid you
> (mis)configured while your peer's certificate is in another
> name. Again, try to reconfigure your IDs using [1].

I don't understand. From what I showed, where is the discrepancy? The cert shows the same domain. I don't get the "not confirmed by certificate" message if I use "C=NL, O=Example Company, CN=vpn.example.com" for leftid in ipsec.conf but I do if I use "vpn.example.com". Isn't it supposed to work either way?
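
Added example, not part of the thread and not strongSwan's code: a simplified Python model of the check behind the "not confirmed by certificate" log line. strongSwan confirms a configured ID only if it equals the certificate's full subject DN or one of its subjectAltName entries; the CN inside the DN is not compared on its own. The certificate values are constructed, and the assumption that the certificate in the thread carries no subjectAltName is inferred from the log, since the page does not show its extensions.

```python
# Added example: a simplified model of the identity check discussed above.
# All certificate values are constructed sample data, not read from a real file.

def parse_dn(dn):
    """Split a DN string into ordered (attribute, value) pairs.

    Simplification: splits on commas, so escaped commas in values are not handled.
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a distinguished name: {dn!r}")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns


def confirmed_by_cert(identity, subject_dn, subject_alt_names):
    """True if identity equals the full subject DN or one of the SAN entries."""
    if "=" in identity:  # treat the configured ID as a distinguished name
        return parse_dn(identity) == parse_dn(subject_dn)
    return identity.lower() in {san.lower() for san in subject_alt_names}


def effective_id(identity, subject_dn, subject_alt_names):
    """Return the ID that ends up in use: the configured one if confirmed, else the subject DN."""
    if confirmed_by_cert(identity, subject_dn, subject_alt_names):
        return identity
    return subject_dn


SUBJECT = "C=NL, O=Example Company, CN=vpn.example.com"
CERT_WITHOUT_SAN = {"subject": SUBJECT, "san": []}                  # assumed case in the thread
CERT_WITH_SAN = {"subject": SUBJECT, "san": ["vpn.example.com"]}    # reissued with a SAN

if __name__ == "__main__":
    for label, cert in (("no SAN", CERT_WITHOUT_SAN), ("with SAN", CERT_WITH_SAN)):
        for leftid in ("vpn.example.com", SUBJECT):
            ok = confirmed_by_cert(leftid, cert["subject"], cert["san"])
            print(f"{label:9} leftid={leftid!r}: "
                  f"{'confirmed' if ok else 'not confirmed'}, "
                  f"using {effective_id(leftid, cert['subject'], cert['san'])!r}")
```
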