Andreas,

Thanks for your detailed explanation.

One more question. I cannot find the daemon.log on the moon side. It seems it is not generated. Then how can I generate it? The moon side is Fedora Core 9 Linux.

Roger

> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, August 27, 2009 1:25 PM
> To: Zhang, Long (Roger)
> Cc: Martin Willi; users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
>
> Roger,
>
> as Martin mentioned in his previous mail, a stupid bug was introduced
> some time back in the strongSwan 4.3 branch that incorrectly encodes
> the email address in a left|rightid="<full DN>" statement. There are
> the following workarounds:
>
> 1) Don't use email RDNs in DNs since they are bad practice anyway.
> 2) Use a subjectAltName in left|rightid
> 3) Apply the patch [1] to your strongSwan 4.3.x distribution. The
>    patch fixes the ASN.1 email OID encoding.
> 4) Use the latest strongSwan developer release 4.3.5dr1 [2]
>
> [1] http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
> [2] http://download.strongswan.org/strongswan-4.3.5dr1.tar.bz2
>
> Best regards
>
> Andreas
>
> Zhang, Long (Roger) wrote:
> > Martin,
> >
> > I can pass authentication now after I set subjectAltName, but I always
> > failed when I use the DN. Curious what is wrong.
> >
> > Thanks,
> > Roger
> >
> >> -----Original Message-----
> >> From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> >> Sent: Thursday, August 27, 2009 8:58 AM
> >> To: Martin Willi
> >> Cc: users@lists.strongswan.org
> >> Subject: Re: [strongSwan] no matching peer config found
> >>
> >> Martin,
> >>
> >> Thanks for your reply.
> >>
> >> I tried with the full DN, but still failed :-(
> >>
> >> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> >> and "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
> >> and combinations of leftid and rightid. Still failed. I will try to add a
> >> subjectAltName to the certificate.
> >>
> >> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> >> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
> >> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> >>
> >> Sun side ipsec.conf
> >> # /etc/ipsec.conf - strongSwan IPsec configuration file
> >>
> >> config setup
> >>         crlcheckinterval=180
> >>         strictcrlpolicy=no
> >>         plutostart=no
> >>
> >> conn %default
> >>         ikelifetime=60m
> >>         keylife=20m
> >>         rekeymargin=3m
> >>         keyingtries=1
> >>         keyexchange=ikev2
> >>
> >> conn host-host
> >>         left=135.252.130.87
> >>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
> >>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> >>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
> >>         #left...@sun.strongswan.org
> >>         leftfirewall=no
> >>         right=135.252.131.87
> >>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> >>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
> >>         #right...@moon.strongswan.org
> >>         auto=add
> >>
> >>
> >> moon side ipsec.conf
> >> # /etc/ipsec.conf - strongSwan IPsec configuration file
> >>
> >> config setup
> >>         crlcheckinterval=180
> >>         strictcrlpolicy=no
> >>         plutostart=no
> >>
> >> conn %default
> >>         ikelifetime=60m
> >>         keylife=20m
> >>         rekeymargin=3m
> >>         keyingtries=1
> >>         keyexchange=ikev2
> >>
> >> conn host-host
> >>         left=135.252.131.87
> >>         leftcert=/etc/ipsec.d/certs/moonCert.pem
> >>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> >>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
> >>         #left...@moon.strongswan.org
> >>         leftfirewall=no
> >>         right=135.252.130.87
> >>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> >>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
> >>         #right...@sun.strongswan.org
> >>         auto=add
> >>
> >> Thanks,
> >> Roger
> >>
> >>> -----Original Message-----
> >>> From: Martin Willi [mailto:mar...@strongswan.org]
> >>> Sent: Wednesday, August 26, 2009 10:10 PM
> >>> To: Zhang, Long (Roger)
> >>> Cc: users@lists.strongswan.org
> >>> Subject: Re: [strongSwan] no matching peer config found
> >>>
> >>> Hi Roger,
> >>>
> >>>> peerid sun.strongswan.org not confirmed by certificate, defaulting to
> >>>> subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
> >>>
> >>> strongSwan requires the peer ID to be contained in the certificate
> >>> (either the complete DN, or as a subjectAltName; a matching CN= is
> >>> insufficient).
> >>>
> >>> Either add your peer identities as subjectAltName, or use the complete
> >>> DN of your certificate as peer identity.
> >>>
> >>> If you have E= in your peer DN identities, make sure to apply [1]; there
> >>> was a regression in 4.3.4 with email OID handling.
> >>>
> >>> Regards
> >>> Martin
> >>>
> >>> [1] http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
>
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
>
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
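The matching rule Martin describes (a peer ID is confirmed only by the complete subject DN or a subjectAltName, never by a matching CN alone) and the way an email RDN encoded under the wrong OID breaks DN comparison, as an added Python model that is not part of this thread or of strongSwan's own code. The DN values, the SAN and the wrong-OID placeholder are constructed; the comparison is deliberately simplified (exact value match, no escaped commas, no X.500 matching rules) and is not charon's implementation.

```python
"""Model of the IKEv2 peer-ID check discussed in the thread (added example).

A peer ID is confirmed only if it equals the certificate's complete subject
DN or one of its subjectAltNames.  DNs are compared attribute by attribute
on the OID, so E= and emailAddress= are one attribute when encoded correctly.
"""
import re

# Standard attribute-type OIDs (X.520 and PKCS#9).  E, Email and
# emailAddress are three spellings of the same PKCS#9 attribute.
KEYWORD_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3",
    "E": "1.2.840.113549.1.9.1", "EMAIL": "1.2.840.113549.1.9.1",
    "EMAILADDRESS": "1.2.840.113549.1.9.1",
}

# Constructed stand-in for a broken encoder: the emailaddress= keyword of a
# left|rightid statement is mapped to a placeholder OID that is not PKCS#9.
BUGGY_OIDS = dict(KEYWORD_OIDS, EMAILADDRESS="1.2.3.4.PLACEHOLDER")


def parse_dn(text, oids=KEYWORD_OIDS):
    """Turn 'C=CN, ST=Shandong, ..., E=user@example.org' into (oid, value)
    pairs.  Keyword case is ignored; values are compared exactly."""
    rdns = []
    for rdn in re.split(r",\s*", text.strip()):
        key, sep, value = rdn.partition("=")
        if not sep or key.strip().upper() not in oids:
            raise ValueError("unsupported RDN: %r" % rdn)
        rdns.append((oids[key.strip().upper()], value.strip()))
    return tuple(rdns)


def peer_id_confirmed(peer_id, cert_subject, cert_sans=(), config_oids=KEYWORD_OIDS):
    """Return 'san', 'dn' or None.  peer_id comes from the configuration
    (encoded with config_oids); cert_subject comes from the certificate."""
    if peer_id in cert_sans:
        return "san"
    if "=" in peer_id and parse_dn(peer_id, config_oids) == parse_dn(cert_subject):
        return "dn"
    return None  # a bare FQDN / CN with no matching SAN is not confirmed


if __name__ == "__main__":
    subject = ("C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, "
               "E=roger@example.org")                    # constructed subject
    config_id = subject.replace("E=", "emailaddress=")     # ipsec.conf spelling
    print(peer_id_confirmed("sun.strongswan.org", subject))               # None
    print(peer_id_confirmed("sun.strongswan.org", subject, ("sun.strongswan.org",)))  # san
    print(peer_id_confirmed(config_id, subject))                          # dn
    print(peer_id_confirmed(config_id, subject, config_oids=BUGGY_OIDS))  # None
```

With the correct OID table the emailaddress= spelling from ipsec.conf matches the certificate's E= attribute; with the mis-mapped table the same text yields a different DN and the lookup fails, which is the symptom in the log above.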