strongSwan - no matching peer config found
```
11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=US, O=NimbleX VPN Server, CN=vpn-test.nimblex.net'
```

As you can see, your local identity defaults to the subject DN of the certificate. However, the peer proposes `vpn-test.nimblex.net` as identity but no such config is found:

```
14[CFG] looking for peer configs matching 172.31.9.29[vpn-test.nimblex.net]...82.137.12.236[10.140.156.120]
```

So either change the expected identity on the peer to the subject DN, or set `leftid=vpn-test.nimblex.net`, which only works, though, if that FQDN is contained in a subjectAlternativeName extension in the server certificate.
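The identity rule the answer describes, as an added example that is not part of the original answer and not strongSwan's own code: a small Python model of how the effective local identity is chosen from `leftid` and the loaded certificate, and whether the IDr the client sends then finds a peer config. The subject DN and FQDN are the ones in the log above; the SAN entry is assumed from the `--san vpn-test.nimblex.net` option in the comments, and the certificate without a SAN is constructed to show the caveat. Matching is simplified to plain equality of identities.

```python
# Added example for this page, not strongSwan's code. It mimics the behaviour
# visible in the log: with a leftcert loaded, a leftid that is neither the
# certificate's subject DN nor one of its subjectAltName entries is "not
# confirmed" and strongSwan falls back to the subject DN. At IKE_AUTH the IDr
# sent by the client then has to equal that effective identity.

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "%any"


@dataclass
class Certificate:
    subject_dn: str
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def effective_local_id(leftid: str, cert: Certificate) -> Tuple[str, Optional[str]]:
    """Return (identity actually used, warning line or None).

    leftid is confirmed by the certificate only if it equals the subject DN
    or appears among the SAN dNSName values; otherwise the subject DN wins.
    """
    if leftid == cert.subject_dn or leftid in cert.san_dns:
        return leftid, None
    warning = f"id '{leftid}' not confirmed by certificate, defaulting to '{cert.subject_dn}'"
    return cert.subject_dn, warning


def find_peer_config(leftid: str, cert: Certificate, peer_idr: str) -> Tuple[bool, List[str]]:
    """Simulate the IKE_AUTH lookup: does the client's IDr match our identity?

    Returns (matched, log lines). Identity matching is simplified to equality.
    """
    local_id, warning = effective_local_id(leftid, cert)
    log = [warning] if warning else []
    log.append(f"looking for peer configs with local id '{peer_idr}' (configured: '{local_id}')")
    matched = peer_idr == local_id
    log.append("peer config matches" if matched else "no matching peer config found")
    return matched, log


# Values from the log on this page; the SAN entry is assumed from the
# `ipsec pki ... --san vpn-test.nimblex.net` command in the comments.
SERVER_DN = "C=US, O=NimbleX VPN Server, CN=vpn-test.nimblex.net"
FQDN = "vpn-test.nimblex.net"
CERT_WITH_SAN = Certificate(SERVER_DN, [FQDN])
CERT_WITHOUT_SAN = Certificate(SERVER_DN)  # constructed: same DN, no SAN extension


def scenarios():
    """The failing setup from the question, the answer's two fixes, and its caveat."""
    return {
        "question: leftid=%any, client expects FQDN": find_peer_config(ANY, CERT_WITH_SAN, FQDN)[0],
        "fix 1: client expects the subject DN": find_peer_config(ANY, CERT_WITH_SAN, SERVER_DN)[0],
        "fix 2: leftid=FQDN, FQDN in SAN": find_peer_config(FQDN, CERT_WITH_SAN, FQDN)[0],
        "caveat: leftid=FQDN but no SAN": find_peer_config(FQDN, CERT_WITHOUT_SAN, FQDN)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'MATCH   ' if ok else 'NO MATCH'}  {name}")
    for line in find_peer_config(ANY, CERT_WITH_SAN, FQDN)[1]:
        print("  " + line)
```

Before relying on fix 2 with a real certificate, confirm the FQDN is actually present: `openssl x509 -in <cert.pem> -noout -text` prints an "X509v3 Subject Alternative Name" section listing the DNS entries. In ipsec.conf, an FQDN identity can be written with an `@` prefix (`leftid=@vpn-test.nimblex.net`) so strongSwan treats it as an identity string rather than a name to resolve.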
Author: Bogdan (updated on September 18, 2022)

Comments
- Bogdan, almost 2 years ago:

  I am trying to set up strongSwan to configure an iPhone to it but I am getting an error that I have trouble overcoming.

  ```
  no matching peer config found
  ```

  The complete debug log is as follows:

  ```
  root@vpn-test:/home/ubuntu# ipsec start --nofork --debug-all
  Starting strongSwan 5.3.5 IPsec [starter]...
  Loading config setup
  charondebug=ike 1, knl 1, cfg 1
  uniqueids=no
  Loading conn 'vpnserver-ikev2'
  auto=add
  compress=no
  dpdaction=clear
  dpddelay=300s
  eap_identity=%identity
  esp=aes256-sha512
  forceencaps=yes
  fragmentation=yes
  ike=aes256-sha512-modp4096
  inactivity=5s
  keyexchange=ikev2
  left=%any
  leftcert=/etc/ipsec.d/certs/vpn-server-cert-new.pem
  leftid=%any
  leftsendcert=always
  leftsubnet=172.31.0.0/16
  rekey=no
  right=%any
  rightauth=eap-radius
  rightdns=8.8.8.8
  rightid=%any
  rightsendcert=never
  rightsourceip=10.10.0.0/16
  type=tunnel
  found netkey IPsec stack
  Attempting to start charon...
  00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64)
  00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
  00[CFG] loaded ca certificate "C=RO, ST=Bucharest, L=Bucharest, O=NimbleX, CN=test-ca.nimblex.net, [email protected]" from '/etc/ipsec.d/cacerts/ca.crt'
  00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
  00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
  00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
  00[CFG] loading crls from '/etc/ipsec.d/crls'
  00[CFG] loading secrets from '/etc/ipsec.secrets'
  00[CFG] loaded RSA private key from '/etc/ipsec.d/private/vpn-server-key.pem'
  00[CFG] loaded EAP secret for test %any%
  00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
  00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
  00[LIB] dropped capabilities, running as uid 0, gid 0
  00[JOB] spawning 16 worker threads
  charon (6255) started after 40 ms
  11[CFG] received stroke: add connection 'vpnserver-ikev2'
  11[CFG] adding virtual IP address pool 10.10.0.0/16
  11[CFG] loaded certificate "C=US, O=NimbleX VPN Server, CN=vpn-test.nimblex.net" from '/etc/ipsec.d/certs/vpn-server-cert-new.pem'
  11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=US, O=NimbleX VPN Server, CN=vpn-test.nimblex.net'
  11[CFG] added configuration 'vpnserver-ikev2'
  13[NET] received packet: from 82.137.12.236[7558] to 172.31.9.29[500] (300 bytes)
  13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
  13[IKE] 82.137.12.236 is initiating an IKE_SA
  13[IKE] local host is behind NAT, sending keep alives
  13[IKE] remote host is behind NAT
  13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
  13[NET] sending packet: from 172.31.9.29[500] to 82.137.12.236[7558] (316 bytes)
  14[NET] received packet: from 82.137.12.236[29079] to 172.31.9.29[4500] (348 bytes)
  14[ENC] unknown attribute type (25)
  14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
  14[CFG] looking for peer configs matching 172.31.9.29[vpn-test.nimblex.net]...82.137.12.236[10.140.156.120]
  14[CFG] no matching peer config found
  14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
  14[IKE] peer supports MOBIKE
  14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
  14[NET] sending packet: from 172.31.9.29[4500] to 82.137.12.236[29079] (68 bytes)
  ```

  In ipsec.secrets I have:

  ```
  vpn-test.nimblex.net : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
  ```
- Bogdan, almost 7 years ago:

  I am generating the cert like this:

  ```
  ipsec pki --pub --in vpn-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert server-root-ca.pem --cakey server-root-key.pem --dn "C=US, O=NimbleX, CN=vpn-test.nimblex.net" --san vpn-test.nimblex.net --flag serverAuth --flag ikeIntermediate --outform pem > /etc/ipsec.d/certs/vpn-server-cert-new.pem
  ```

  What am I missing?
- ecdsa, almost 7 years ago:

  Looks OK. Just make sure you configure the host name as identity if you want to use that instead of the distinguished name (i.e. set `leftid` as indicated in my answer).

- Bogdan, almost 7 years ago:

  I have another question I am hoping you can help me with if you have some time: superuser.com/questions/1238561/…