Charon does not match sent identity to configured one



  • Hi,

    I want to establish an IPSec connection to a Cisco ASA 8.4 using Main mode and mutual RSA authentication. My ASA sends the correct identity (the CN of the certificate) but pfsense does not like it. I've already hardcoded configured the identity using the "Peer identifier" setting "ASN.1 DN", but charon claims the follwing:

    charon: 11[IKE] <con2000|71> IDir 'C=AT, ST=Upper Austria, L=City, O=Example, CN=houston.lan.example.org, unstructuredName=houston.lan.example.org' does not match to ''</con2000|71>
    

    Even I've configured the peer ID to exactly the same string like mentioned in the log record, charon seems only to check it against an empty string (see '' at the end).


  • Banned

    asn1dn won't work at all as it is, stop wasting your time. There's a bug about the strongswan madness somewhere, or multiple of them… like:

    https://redmine.pfsense.org/issues/4792
    https://redmine.pfsense.org/issues/4794

    If you insist on using it, read this:

    https://lists.strongswan.org/pipermail/users/2015-May/008123.html
    https://lists.strongswan.org/pipermail/users/2015-May/008191.html

    and good luck with figuring that out.  ::) >:(



  • I agree. Binary encode of the ASN1 identifier indeed works but is a mess to obtain.

    Best workaround right now is modify /etc/inc/vpn.inc around line 767, to force skipping the identity prefix altogether. Once done it'll work as in previous versions



  • @georgeman:

    Best workaround right now is modify /etc/inc/vpn.inc around line 767, to force skipping the identity prefix altogether. Once done it'll work as in previous versions

    That'll work for that circumstance, but possibly break others. Should be a fine workaround in your case.

    I'm going through all the possible combinations there now doing testing, with an automated test setup to iterate through all the possibilities. We'll have that resolved for 2.2.4.



  • @cmb:

    I'm going through all the possible combinations there now doing testing, with an automated test setup to iterate through all the possibilities. We'll have that resolved for 2.2.4.

    Awesome!  :D