Martin,

I can pass authentication now after I set subjectAltName, but I always fail
when I use the DN. Curious what is wrong.

Thanks,
Roger

> -----Original Message-----
> From: users-boun...@lists.strongswan.org [mailto:users-
> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> Sent: Thursday, August 27, 2009 8:58 AM
> To: Martin Willi
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
> 
> Martin,
> 
> Thanks for your reply.
> 
> I tried with the full DN, but it still failed :-(
> 
> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and
> combinations of leftid and rightid. Still failed. I will try to add
> subjectAltName to the certificate.
> 
> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> 
> Sun side ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
> 
> conn host-host
>         left=135.252.130.87
>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
>         #left...@sun.strongswan.org
>         leftfirewall=no
>         right=135.252.131.87
>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
>         #right...@moon.strongswan.org
>         auto=add
> 
> 
> moon side ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
> 
> conn host-host
>         left=135.252.131.87
>         leftcert=/etc/ipsec.d/certs/moonCert.pem
>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
>         #left...@moon.strongswan.org
>         leftfirewall=no
>         right=135.252.130.87
>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
>         #right...@sun.strongswan.org
>         auto=add
> 
> Thanks,
> Roger
> 
> > -----Original Message-----
> > From: Martin Willi [mailto:mar...@strongswan.org]
> > Sent: Wednesday, August 26, 2009 10:10 PM
> > To: Zhang, Long (Roger)
> > Cc: users@lists.strongswan.org
> > Subject: Re: [strongSwan] no matching peer config found
> >
> > Hi Roger,
> >
> > > peerid sun.strongswan.org not confirmed by certificate, defaulting to
> > >  subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> > >  e=...@alcatel-lucent.com
> >
> > strongSwan requires the peer ID to be contained in the certificate
> > (either the complete DN, or as a subjectAltName; a matching CN= is
> > insufficient).
> >
> > Either add your peer identities as subjectAltName, or use the complete
> > DN of your certificate as peer identity.
> >
> > If you have E= in your peer DN identities, make sure to apply [1]; there
> > is a regression in 4.3.4 with email OID handling.
> >
> > Regards
> > Martin
> >
> > [1]http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
> >
> 
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
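The rule Martin states above (the peer identity must be the complete subject DN or one of the subjectAltNames; a matching CN= alone is not enough) is easy to check offline before touching ipsec.conf. The script below is an added example for this thread, not strongSwan's own code: it parses strongSwan-style DN strings, folds the `E=` / `e=` / `emailaddress=` spellings that appear in the logs and configs above to one attribute name, and reports the first RDN at which a configured leftid/rightid and the DN charon printed differ. The alias table, the `identity_kind` heuristic, the `sun@example.org` placeholder address and the sample SAN list are this script's assumptions, constructed for illustration; they are not taken from the thread or from strongSwan.

```python
"""Check a strongSwan-style peer identity against a certificate's subject DN
and subjectAltNames, following the rule from the thread: the identity must
equal the complete subject DN or appear as a subjectAltName; a matching CN=
alone is not accepted.

Added example, not strongSwan's code.  The alias table, the identity
classification and the sample values are assumptions made for illustration.
"""
import re

# Attribute-type aliases folded to one canonical spelling so that "E=", "e="
# and "emailaddress=" compare equal.  Assumption: these are the spellings
# seen in the thread's logs and configs; other types are just upper-cased.
ATTR_ALIASES = {
    "E": "emailAddress",
    "EMAIL": "emailAddress",
    "EMAILADDRESS": "emailAddress",
}


def parse_dn(dn):
    """Split 'C=CN, ST=Shandong, CN=x' into an ordered list of (type, value).
    Types are case-insensitive and alias-folded; values keep their case and
    only lose surrounding whitespace.  Assumes no escaped commas in values."""
    rdns = []
    for part in re.split(r",\s*", dn.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return rdns


def dn_equal(a, b):
    """Complete-DN comparison: same RDN types, values and order."""
    return parse_dn(a) == parse_dn(b)


def dn_diff(a, b):
    """Describe the first difference between two DN strings, or None if they
    compare equal.  Meant for comparing the DN used as leftid/rightid with
    the DN charon prints in 'looking for peer configs matching ...'."""
    ra, rb = parse_dn(a), parse_dn(b)
    for i, (x, y) in enumerate(zip(ra, rb)):
        if x != y:
            return "RDN %d differs: %s=%s vs %s=%s" % (i, x[0], x[1], y[0], y[1])
    if len(ra) != len(rb):
        return "different number of RDNs: %d vs %d" % (len(ra), len(rb))
    return None


def identity_kind(peer_id):
    """Rough classification of an identity string (assumption, not
    strongSwan's parser): anything with '=' is a DN, an address with '@' is
    an e-mail SAN, an '@'-prefixed or bare hostname is a DNS SAN."""
    if "=" in peer_id:
        return "dn"
    if not peer_id.startswith("@") and "@" in peer_id:
        return "email"
    return "fqdn"


def identity_matches_cert(peer_id, subject_dn, sans):
    """True if peer_id is accepted under the thread's rule: it equals the
    certificate's complete subject DN, or it is one of the subjectAltNames.
    sans is a list of dNSName / rfc822Name strings."""
    if identity_kind(peer_id) == "dn":
        return dn_equal(peer_id, subject_dn)
    name = peer_id.lstrip("@").lower()
    return name in (s.lower() for s in sans)


# Constructed sample certificate data modelled on the thread; the e-mail
# address is a placeholder, not the one elided in the original messages.
SUN_SUBJECT = ("C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, "
               "emailAddress=sun@example.org")
SUN_SANS = ["sun.strongswan.org", "sun@example.org"]

if __name__ == "__main__":
    candidates = [
        "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, E=sun@example.org",
        "CN=sun.strongswan.org",
        "sun.strongswan.org",
        "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=sun.strongswan.org, E=sun@example.org",
    ]
    for pid in candidates:
        ok = identity_matches_cert(pid, SUN_SUBJECT, SUN_SANS)
        print("%-4s %s" % ("OK" if ok else "FAIL", pid))
        if not ok and identity_kind(pid) == "dn":
            print("     ", dn_diff(pid, SUN_SUBJECT))
```

Paste the DN from the `looking for peer configs matching` log line as one argument and the leftid/rightid string from ipsec.conf as the other; `dn_diff` names the first RDN that does not line up, which is quicker than comparing the two strings by eye. Value comparison is deliberately exact, so a DN that differs only in capitalisation or in an extra `L=` component is reported as a mismatch.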