Ok, I changed my command line to now read sudo charon-cmd --host x.x.x.x --identity remote.user --p12 remote.user.p12
But I am still getting failed login. This works in OSX’s built-in VPN client so I know the certificate is good.

SERVER

Jun 12 13:24:00 07[IKE] x.x.x.x is initiating an IKE_SA
Jun 12 13:24:00 07[IKE] IKE_SA (unnamed)[6] state change: CREATED => CONNECTING
Jun 12 13:24:00 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jun 12 13:24:00 07[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 13:24:00 07[IKE] local host is behind NAT, sending keep alives
Jun 12 13:24:00 07[IKE] remote host is behind NAT
Jun 12 13:24:00 07[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 12 13:24:00 07[IKE] sending cert request for "CN=Vivace Root CA"
Jun 12 13:24:01 11[IKE] received cert request for "CN=Vivace Root CA"
Jun 12 13:24:01 11[IKE] received end entity cert "C=GB, CN=remote.user"
Jun 12 13:24:01 11[CFG] looking for peer configs matching 10.0.0.49[%any]…x.x.x.x[remote.user]
Jun 12 13:24:01 11[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 13:24:01 11[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 13:24:01 11[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 13:24:01 11[CFG] candidate "ecdsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG] peer config match local: 1 (ID_ANY -> )
Jun 12 13:24:01 11[CFG] peer config match remote: 1 (ID_FQDN -> 63:68:72:69:73:2e:6f:72:63:68:61:72:64:2e:76:69:76:61:63:65:2e:74:65:63:68)
Jun 12 13:24:01 11[CFG] ike config match: 28 (10.0.0.49 x.x.x.x IKEv2)
Jun 12 13:24:01 11[CFG] candidate "rsa", match: 1/1/28 (me/other/ike)
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa'
Jun 12 13:24:01 11[CFG] certificate "C=GB, CN=remote.user" key: 384 bit ECDSA
Jun 12 13:24:01 11[CFG] using trusted ca certificate "CN=Vivace Root CA"
Jun 12 13:24:01 11[CFG] checking certificate status of "C=GB, CN=remote.user"
Jun 12 13:24:01 11[CFG] ocsp check skipped, no ocsp found
Jun 12 13:24:01 11[CFG] certificate status is not available
Jun 12 13:24:01 11[CFG] certificate "CN=Vivace Root CA" key: 4096 bit RSA
Jun 12 13:24:01 11[CFG] reached self-signed root ca with a path length of 0
Jun 12 13:24:01 11[CFG] using trusted certificate "C=GB, CN=remote.user"
Jun 12 13:24:01 11[IKE] authentication of 'remote.user' with ECDSA_WITH_SHA384_DER successful
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] switching to peer config 'rsa'
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'rsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] no alternative config found

> On 12 Jun 2018, at 14:07, Tobias Brunner <tob...@strongswan.org> wrote:
>
> Hi Christian,
>
>> From what I can see, I’m requesting --remote-identity vpnserver but the
>> server is choosing vpnserver1.
>
> charon-cmd does not send the configured identity (i.e. it does not send
> an IDr payload). The configured identity is only used to match against
> the returned identity/certificate. This is basically as if you
> configured rightid=%vpnserver in ipsec.conf. So the server is free to
> select whichever config it wants (it will just use the first one
> loaded), so if you have multiple matching configs (based on the IPs and
> IKE version) with different identities this could be problematic.
>
> Regards,
> Tobias
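An added example (my own code, not from this thread or from strongSwan) that parses responder log lines in the format shown above and flags the pattern in them: certificate authentication succeeds, then every candidate peer config is rejected with "EAP identity ... required". The reading that this means the server-side configs expect EAP from the client is my assumption; the sample log is constructed from the lines quoted above.

```python
import re

# One charon log line, e.g. "Jun 12 13:24:01 11[CFG] switching to peer config 'rsa'"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(r"authentication of '([^']+)' with (\S+) successful")
REJECT_RE = re.compile(r"selected peer config '([^']+)' inacceptable")
SELECT_RE = re.compile(r"(?:selected|switching to) peer config '([^']+)'$")

# Constructed sample, modelled on the responder log quoted in the thread.
SAMPLE_LOG = """\
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa'
Jun 12 13:24:01 11[IKE] authentication of 'remote.user' with ECDSA_WITH_SHA384_DER successful
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'ecdsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] switching to peer config 'rsa'
Jun 12 13:24:01 11[CFG] constraint check failed: EAP identity '%any' required
Jun 12 13:24:01 11[CFG] selected peer config 'rsa' inacceptable: non-matching authentication done
Jun 12 13:24:01 11[CFG] no alternative config found
"""

def parse(lines):
    """Parse charon log lines into dicts (ts, thread, sub, msg); other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line.strip()) for line in lines) if m]

def diagnose(entries):
    """Explain why the responder rejected a peer whose certificate auth succeeded.
    Assumption (my reading, not stated in the thread): 'constraint check failed: EAP
    identity ... required' after pubkey auth means that config expects EAP from the client."""
    r = {"peer_auth_method": None, "eap_required": [], "rejected": [], "exhausted": False}
    current = None  # peer config charon is currently evaluating
    for e in entries:
        msg = e["msg"]
        if e["sub"] == "IKE" and (m := AUTH_RE.search(msg)):
            r["peer_auth_method"] = m.group(2)
        elif (m := REJECT_RE.match(msg)):
            r["rejected"].append(m.group(1))
        elif (m := SELECT_RE.match(msg)):
            current = m.group(1)
        elif msg.startswith("constraint check failed: EAP identity"):
            r["eap_required"].append(current)
        elif msg == "no alternative config found":
            r["exhausted"] = True
    if r["exhausted"] and r["peer_auth_method"] and r["eap_required"]:
        r["verdict"] = (f"client authenticated with {r['peer_auth_method']} but every "
                        f"candidate config ({', '.join(r['rejected'])}) requires EAP")
    else:
        r["verdict"] = "no pubkey/EAP mismatch found"
    return r
```

Run `diagnose(parse(SAMPLE_LOG.splitlines()))` to get the verdict for the sample; feed it the real responder log to check whether the same mismatch applies.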