
I am trying to establish a VPN between my router (running OpenWrt) and my smartphone using IPsec.

I followed the guide at https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/roadwarrior

As far as I can tell most things are working great, but I can't establish the connection and keep getting the following errors on the router when I click the "connect" button on my phone:

Sun Aug  9 22:29:48 2020 daemon.info syslog: 04[CFG] looking for peer configs matching 111.222.111.222[%any]...192.168.1.216[192.168.1.216]
Sun Aug  9 22:29:48 2020 daemon.info syslog: 04[CFG] no matching peer config found

As far as I have tracked down this issue, it is important that the names used for rightid and leftid are also in the SAN of the certificates (see VPN server using StrongSwan "no matching peer config found" - what does it mean?), which in my opinion is the case:

Output of ipsec listcerts

no files found matching '/etc/strongswan.d/*.conf'

List of X.509 End Entity Certificates:

  altNames:  lumia950xl, myVpnClients
  subject:  "C=DE, O=-, CN=lumia950xl"
  issuer:   "C=DE, O=-, CN=something.example.org"
  serial:    68:e0:a1:3d:32:0a:02:7f
  validity:  not before Aug 09 19:35:53 2020, ok
             not after  Aug 09 19:35:53 2030, ok 
  pubkey:    RSA 2048 bits
  keyid:     a7:01:fd:fb:44:81:52:ee:5b:b7:03:59:df:4f:a3:fa:53:b5:58:ea
  subjkey:   de:dd:c9:3e:c5:bf:e2:e0:f1:51:c6:1d:ad:f1:02:2e:f3:48:ac:02
  authkey:   8e:19:a8:0c:b1:eb:c5:bc:3a:ff:e4:c0:c7:e1:24:0d:e1:e0:f9:0b

  altNames:  something.example.org
  subject:  "C=DE, O=-, CN=something.example.org"
  issuer:   "C=DE, O=-, CN=something.example.org"
  serial:    59:11:7e:ca:07:39:1a:ab
  validity:  not before Aug 09 19:35:49 2020, ok
             not after  Aug 09 19:35:49 2030, ok 
  pubkey:    RSA 2048 bits, has private key
  keyid:     53:9e:ad:04:d8:22:20:be:b6:2e:0a:9c:07:8e:89:03:6d:b4:bc:5f
  subjkey:   3b:d4:a6:f5:b2:48:1d:a7:08:8d:64:04:88:65:87:91:fe:65:00:78
  authkey:   8e:19:a8:0c:b1:eb:c5:bc:3a:ff:e4:c0:c7:e1:24:0d:e1:e0:f9:0b

I ran the script from the guide (section Making Keys) with the following parameters to generate the certificates:

COUNTRYNAME="DE"
CANAME="something.example.org"
ORGNAME="-"
SERVERDOMAINNAME="something.example.org"
CLIENTNAMES="lumia950xl" # or more "… myvpnclient2 muvpnclient3"
SHAREDSAN="myVpnClients" # iOS clients need to match a common SAN

Content of ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        keyexchange=ikev2
        ike=aes256-aes128-sha256-sha1-modp3072-modp2048
        esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
        left=%any
        leftauth=pubkey
        leftcert=serverCert_something.example.org.pem
        leftid=something.example.org
        leftsubnet=0.0.0.0/0;::/0
        right=%any
        rightsourceip=192.168.1.99/32
        #rightdns=8.8.8.8
        eap_identity=%identity
        auto=add


#conn rwPUBKEY
#        rightauth=pubkey
#        rightcert=clientCert_lumia950xl.pem
#        #rightauth2=eap-mschapv2

conn rwEAPTLS
        rightauth=eap-tls
        rightcert=clientCert_lumia950xl.pem

Output of ipsec statusall

no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
  uptime: 5 minutes, since Aug 09 22:50:24 2020
  malloc: sbrk 262144, mmap 0, used 235072, free 27072
  worker threads: 9 of 16 idle, 7/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Virtual IP pools (size/online/offline):
  192.168.1.99/32: 1/0/0
Listening IP addresses:
  192.168.1.1
  fd87:6eb5:ef58::1
  111.222.111.222
Connections:
    rwEAPTLS:  %any...%any  IKEv2
    rwEAPTLS:   local:  [something.example.org] uses public key authentication
    rwEAPTLS:    cert:  "C=DE, O=-, CN=something.example.org"
    rwEAPTLS:   remote: [C=DE, O=-, CN=lumia950xl] uses EAP_TLS authentication with EAP identity '%any'
    rwEAPTLS:    cert:  "C=DE, O=-, CN=lumia950xl"
    rwEAPTLS:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

Can someone please explain to me what I am doing wrong?! :)

ahorn42
  • You configured _rightcert_, which sets the remote identity and that won't match the identity sent by the client (its physical IP). Try removing that option. – ecdsa Aug 17 '20 at 10:33
  • wow! - That was a small change with a big impact. I can now connect with my client. @ecdsa thanks a lot for pointing that out! :) – ahorn42 Aug 17 '20 at 23:31
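To make the fix from the comments concrete, here is the rwEAPTLS section as posted in the question beside a corrected version. This is an added illustration, not part of the original post or of the OpenWrt guide; the conn values are copied from the question, the comments explaining the identity matching are my own, and the rightca line is an optional tightening I am assuming, not something the question shows.

```ini
# BEFORE (as posted): rightcert pins the expected remote identity to the
# certificate's subject DN, "C=DE, O=-, CN=lumia950xl" (this is the identity
# statusall prints on the "remote:" line). The phone, however, sends its own
# IP address as the IKE identity, so charon's lookup for
# 111.222.111.222[%any]...192.168.1.216[192.168.1.216] finds no peer config.
conn rwEAPTLS
        rightauth=eap-tls
        rightcert=clientCert_lumia950xl.pem

# AFTER (the change suggested by ecdsa): drop rightcert so rightid falls back
# to %any and the conn matches whatever identity the client presents.
# The client certificate is still validated inside the EAP-TLS exchange
# against the CA certificate installed on the router, so authentication
# does not become weaker; only the identity pre-selection goes away.
conn rwEAPTLS
        rightauth=eap-tls
        # Optional tightening (assumption, not from the question): accept only
        # certificates issued by the VPN CA rather than pinning one client DN.
        #rightca="C=DE, O=-, CN=something.example.org"
```

After `ipsec reload`, `ipsec statusall` should list the remote side of rwEAPTLS as `[%any] uses EAP_TLS authentication` instead of the `[C=DE, O=-, CN=lumia950xl]` shown in the question, and the "no matching peer config found" line should no longer appear when the phone connects.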

0 Answers