I am trying to establish a VPN between my router (running OpenWrt) and my smartphone using IPsec.
I followed the guide at https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior
As far as I can tell most things are working great, but I can't establish the connection and keep getting the following errors on the router when I click the "connect" button on my phone:
Sun Aug 9 22:29:48 2020 daemon.info syslog: 04[CFG] looking for peer configs matching 111.222.111.222[%any]...192.168.1.216[192.168.1.216]
Sun Aug 9 22:29:48 2020 daemon.info syslog: 04[CFG] no matching peer config found
As far as I tracked down this issue, it is important that the names used for rightid and leftid are also in the SAN of the certificates (see VPN server using StrongSwan "no matching peer config found" - what does it mean?). Which in my opinion is the case:
Output of ipsec listcerts
no files found matching '/etc/strongswan.d/*.conf'
List of X.509 End Entity Certificates:

  altNames:  lumia950xl, myVpnClients
  subject:  "C=DE, O=-, CN=lumia950xl"
  issuer:   "C=DE, O=-, CN=something.example.org"
  serial:    68:e0:a1:3d:32:0a:02:7f
  validity:  not before Aug 09 19:35:53 2020, ok
             not after  Aug 09 19:35:53 2030, ok
  pubkey:    RSA 2048 bits
  keyid:     a7:01:fd:fb:44:81:52:ee:5b:b7:03:59:df:4f:a3:fa:53:b5:58:ea
  subjkey:   de:dd:c9:3e:c5:bf:e2:e0:f1:51:c6:1d:ad:f1:02:2e:f3:48:ac:02
  authkey:   8e:19:a8:0c:b1:eb:c5:bc:3a:ff:e4:c0:c7:e1:24:0d:e1:e0:f9:0b

  altNames:  something.example.org
  subject:  "C=DE, O=-, CN=something.example.org"
  issuer:   "C=DE, O=-, CN=something.example.org"
  serial:    59:11:7e:ca:07:39:1a:ab
  validity:  not before Aug 09 19:35:49 2020, ok
             not after  Aug 09 19:35:49 2030, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     53:9e:ad:04:d8:22:20:be:b6:2e:0a:9c:07:8e:89:03:6d:b4:bc:5f
  subjkey:   3b:d4:a6:f5:b2:48:1d:a7:08:8d:64:04:88:65:87:91:fe:65:00:78
  authkey:   8e:19:a8:0c:b1:eb:c5:bc:3a:ff:e4:c0:c7:e1:24:0d:e1:e0:f9:0b
I ran the script from the guide (section "Making Keys") with the following parameters to generate the certificates:
COUNTRYNAME="DE"
CANAME="something.example.org"
ORGNAME="-"
SERVERDOMAINNAME="something.example.org"
CLIENTNAMES="lumia950xl" # or more "myvpnclient2 muvpnclient3"
SHAREDSAN="myVpnClients" # iOS clients need to match a common SAN
Content of ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    keyexchange=ikev2
    ike=aes256-aes128-sha256-sha1-modp3072-modp2048
    esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
    left=%any
    leftauth=pubkey
    leftcert=serverCert_something.example.org.pem
    leftid=something.example.org
    leftsubnet=0.0.0.0/0;::/0
    right=%any
    rightsourceip=192.168.1.99/32
    #rightdns=8.8.8.8
    eap_identity=%identity
    auto=add

#conn rwPUBKEY
#    rightauth=pubkey
#    rightcert=clientCert_lumia950xl.pem
#    #rightauth2=eap-mschapv2

conn rwEAPTLS
    rightauth=eap-tls
    rightcert=clientCert_lumia950xl.pem
Output of ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
uptime: 5 minutes, since Aug 09 22:50:24 2020
malloc: sbrk 262144, mmap 0, used 235072, free 27072
worker threads: 9 of 16 idle, 7/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Virtual IP pools (size/online/offline):
192.168.1.99/32: 1/0/0
Listening IP addresses:
192.168.1.1
fd87:6eb5:ef58::1
111.222.111.222
Connections:
rwEAPTLS: %any...%any IKEv2
rwEAPTLS: local: [something.example.org] uses public key authentication
rwEAPTLS: cert: "C=DE, O=-, CN=something.example.org"
rwEAPTLS: remote: [C=DE, O=-, CN=lumia950xl] uses EAP_TLS authentication with EAP identity '%any'
rwEAPTLS: cert: "C=DE, O=-, CN=lumia950xl"
rwEAPTLS: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
Can someone please explain to me what I am doing wrong?! :)
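An added diagnostic script (my own example, not part of the question, the OpenWrt guide or strongSwan) that reads a charon "looking for peer configs matching" line together with the conn sections of ipsec.conf and reports, per conn, whether the configured leftid and the effective rightid can match the identities charon saw. It assumes a simplified model of strongSwan's identity matching (exact, case-insensitive match, or %any on either side) and that an unset rightid falls back to the subject DN of rightcert; the inputs are constructed from the log, config and listcerts output above.

```python
import re

# Constructed inputs taken from the post above: the charon log line, a trimmed ipsec.conf,
# and the client certificate subject as printed by `ipsec listcerts`.
LOG_LINE = "04[CFG] looking for peer configs matching 111.222.111.222[%any]...192.168.1.216[192.168.1.216]"
IPSEC_CONF = """
conn %default
    leftid=something.example.org
    right=%any
conn rwEAPTLS
    rightauth=eap-tls
    rightcert=clientCert_lumia950xl.pem
"""
CERT_SUBJECTS = {"clientCert_lumia950xl.pem": "C=DE, O=-, CN=lumia950xl"}

def parse_conf(text):
    """Return {conn_name: options}, with 'conn %default' merged into every other conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

def parse_log(line):
    """Extract (local_ip, IDr, remote_ip, IDi) from a 'looking for peer configs' line."""
    m = re.search(r"matching (\S+?)\[(.+?)\]\.\.\.(\S+?)\[(.+?)\]", line)
    return m.groups()

def effective_id(opts, side, cert_subjects):
    """leftid/rightid as applied: explicit value, else the cert subject DN, else %any."""
    return opts.get(side + "id") or cert_subjects.get(opts.get(side + "cert", ""), "%any")

def id_matches(configured, received):
    # Simplified: %any on either side matches anything, otherwise identities must be equal.
    return "%any" in (configured, received) or configured.lower() == received.lower()

def diagnose(conf_text, log_line, cert_subjects):
    """Return {conn: (leftid, left_ok, rightid, right_ok)} for every conn in the config."""
    _, idr, _, idi = parse_log(log_line)
    report = {}
    for name, opts in parse_conf(conf_text).items():
        lid = effective_id(opts, "left", cert_subjects)
        rid = effective_id(opts, "right", cert_subjects)
        report[name] = (lid, id_matches(lid, idr), rid, id_matches(rid, idi))
    return report
```

For the inputs above the report shows the left side matching (the phone sent no IDr, so %any) and the right side not matching, because the phone identified itself by its IP address while the conn's effective rightid is the certificate DN.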