[Openswan Users] no suitable connection for peer - using multiple CAs

Paul Wouters paul at xelerance.com
Mon Feb 15 10:21:02 EST 2010

On Sun, 7 Feb 2010, Bob Miller wrote:

> I now want to create a net-to-net tunnel between these two gateways.
> As best as I can tell, the certs are all loading up fine, --listall
> shows what I expect to see, the CAs both show as being loaded in the
> logs on both sides.  However, I get an error like so on which ever side
> receives a connection initiation:
> Main mode peer ID is ID_FQDN: '@gatelian.computerisms.ca'
> no suitable connection for peer '@gatelian.computerisms.ca'
> sending encrypted notification INVALID_ID_INFORMATION to

Looks like the leftid/rightid's are not matching up.

> My config is duplicated on both sides as follows:

>   leftrsasigkey=%cert
>   rightrsasigkey=%cert

I personally would use the simpler raw RSA keys for a static gateway
to gateway tunnel, without using X.509.

> conn computerisms-ctfn
>   left=
>   leftnexthop=
>   leftsubnet=
>   leftcert=/etc/ipsec.d/certs/fw-ctfn.ctfn.ca.pem
>   leftsourceip=
>   right=
>   rightnexthop=
>   rightsubnet=
>   rightcert=/etc/ipsec.d/certs/gatelian.computerisms.ca.pem

The leftcert/rightcert should be the gateway machine certs, not
the CA certs.

>   rightsourceip=
>   auto=start
>   leftca=/etc/ipsec.d/cacerts/CTFN.Root.Authority
>   rightca=/etc/ipsec.d/cacerts/Computerisms.Root.Certificate
>   rightid=@gatelian.computerisms.ca
>   leftid=@fw-ctfn.ctfn.ca
>   include /etc/ipsec.d/examples/no_oe.conf
> The leftid is not a resolvable dns name, but both rightid and leftid
> match the CN in their respective certs.

the left/rightid= lines that start with a "@" are just strings, not
hostnames. They should work fine.

Try and see if the conn loaded properly using ipsec auto --add computerisms-ctfn
on both sides.


More information about the Users mailing list