
Does anybody know how to use Strongswan IKEv2 VPN without validating the FQDN on the CA?

I'm trying to do the following load-balancing setup using DNS:

server.hostname.com -> server1.hostname.com and server2.hostname.com

If I connect to server.hostname.com I get an AUTH_FAILED response because probably the hostname doesn't match the one on the Let's Encrypt certificate.

Is there any option to disable this validation and still allow the user to connect? Because when using L2TP with PSK it works perfectly, as there is no cert involved.

Apr 15 10:01:43 jp1 strongswan: 06[ENC] unknown attribute type (25)
Apr 15 10:01:43 jp1 strongswan: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 15 10:01:43 jp1 strongswan: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 15 10:01:43 jp1 strongswan: 06[IKE] peer supports MOBIKE
Apr 15 10:01:43 jp1 strongswan: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Thanks in advance!

Keanu
  • Your log looks incomplete (there are no details why the `AUTHENTICATION_FAILED` notify is sent back). Also, what client are you using? Can you configure the remote identity? – ecdsa Apr 15 '19 at 08:18
  • @ecdsa, https://pastebin.com/BGueyZfC here is the full log. I'm using the OSX client so yes, it is possible to configure the remote identity and when changing it to 'server1.hostname.com' the connection works. What I would like to accomplish is that when a user uses server.hostname.com as credentials the server would accept the connection, ignoring the match between the FQDN on the cert. – Keanu Apr 15 '19 at 10:06
  • Unfortunately, the full log does not help because it does not include more lines between the `parsed IKE_AUTH request` and `generating IKE_AUTH response` messages (so either messages are missing or there is a strange error that does not produce additional messages). Anyway, for strongSwan as well as other clients the requested/enforced identity has to be contained as subjectAltName in the certificate. – ecdsa Apr 15 '19 at 10:52
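The identity check that ecdsa's last comment describes, modelled as an added example (this is not code from the question or from strongSwan): the identity the client requests as IDr must appear as a subjectAltName dNSName in the certificate the gateway authenticates with, so with a DNS round-robin name every gateway behind it needs that shared name in its own certificate. The SAN lists are constructed for the demo; wildcard SAN handling is deliberately not modelled because the thread says nothing about it.

```python
# Added example: models the responder identity check behind the N(AUTH_FAILED)
# in the question. It is not strongSwan code; SAN lists are constructed values.

def normalise_dns_name(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.rstrip(".").lower()


def san_covers_identity(san_dns_names, requested_id: str) -> bool:
    """True if requested_id exactly matches one dNSName SAN entry.
    Wildcards are intentionally not handled (assumption: strict exact match)."""
    wanted = normalise_dns_name(requested_id)
    return any(normalise_dns_name(entry) == wanted for entry in san_dns_names)


def backends_rejecting(requested_id: str, backend_sans: dict) -> list:
    """For a DNS name that resolves to several gateways, return the gateways
    whose certificate does not list requested_id. Each of these would answer
    IKE_AUTH with N(AUTH_FAILED) when a client connects using that name as IDr."""
    return sorted(host for host, sans in backend_sans.items()
                  if not san_covers_identity(sans, requested_id))


# Setup from the question: server.hostname.com -> server1 / server2, each gateway
# holding a certificate issued only for its own hostname (constructed values).
PER_HOST_CERTS = {
    "server1.hostname.com": ["server1.hostname.com"],
    "server2.hostname.com": ["server2.hostname.com"],
}

# Remedy: every gateway's certificate additionally lists the shared name that
# clients are configured to use as the remote identity (constructed values).
SHARED_NAME_CERTS = {
    "server1.hostname.com": ["server1.hostname.com", "server.hostname.com"],
    "server2.hostname.com": ["server2.hostname.com", "server.hostname.com"],
}

if __name__ == "__main__":
    for label, certs in (("per-host certs", PER_HOST_CERTS),
                         ("shared SAN", SHARED_NAME_CERTS)):
        bad = backends_rejecting("server.hostname.com", certs)
        print(f"{label}: rejected by {bad or 'no gateway'}")
```

With per-host certificates both gateways reject the shared name; once each certificate also carries server.hostname.com, no gateway rejects it, while a client that still requests server1.hostname.com is only accepted by server1.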

0 Answers