<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
Thanks Andreas,<br><br>I've modified the config.<br><br>conn "ezvpn"<br> keyexchange=ikev1<br> ikelifetime=1440m<br> keylife=60m<br> aggressive=yes<br> ike=aes-sha-modp1024<br> esp=aes128-sha1<br> #xauth=client<br> left=1.1.1.1<br> leftid=@#65:7a:76:70:6e<br> leftsourceip=%config<br> #authby=xauthpsk<br> leftauth=psk<br> rightauth=psk<br> leftauth2=xauth<br> right=10.1.1.254<br> rightid=10.1.1.254<br> rightsubnet=0.0.0.0/0<br> xauth_identity=cisco_user<br> auto=add<br><br>ironmaiden cacerts # ipsec up 'ezvpn'<br>sending cert request for "CN=IOL, OU=Olivier, O=Cisco, C=BE"<br>initiating Aggressive Mode IKE_SA ezvpn[3] to 10.1.1.254<br>generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V ]<br>sending packet: from 1.1.1.1[500] to 10.1.1.254[500]<br>received packet: from 10.1.1.254[500] to 1.1.1.1[500]<br><br>We still send the CERT REQ. <br><br>As you said, I had to add " rightsendcert=no" into the profile to make it work.<br><br>Cheers,<br><br><div>> Date: Sat, 7 Jul 2012 07:27:00 +0200<br>> From: andreas.steffen@strongswan.org<br>> To: olivier_pelerin@hotmail.com<br>> CC: users@lists.strongswan.org<br>> Subject: Re: [strongSwan] Connection to cisco ezvpn server - how to disable strongswan to send a cert-req in AM1?<br>> <br>> Hi Olivier,<br>> <br>> try the new notation<br>> <br>> leftauth=psk<br>> rightauth=psk<br>> leftauth2=xauth<br>> <br>> and a certificate request should not be sent. If it is still the case<br>> then this must be fixed. 
In that case try as a workaround<br>> <br>> rightsendcert=no<br>> <br>> Regards<br>> <br>> Andreas<br>> <br>> On 07/06/2012 05:29 PM, Olivier PELERIN wrote:<br>> > Playing around on Strongswan, I try to connect an easyvpn client to an<br>> > easyvpn server.<br>> ><br>> ><br>> > I see strongswan sending a cert-req in the first packet of Aggressive mode.<br>> > *Jul 6 15:26:38.265: ISAKMP: Aggressive Mode packet contents (flags 0,<br>> > len 426):<br>> > *Jul 6 15:26:38.265: SA payload<br>> > *Jul 6 15:26:38.265: PROPOSAL<br>> > *Jul 6 15:26:38.265: TRANSFORM<br>> > *Jul 6 15:26:38.265: TRANSFORM<br>> > *Jul 6 15:26:38.265: KE payload<br>> > *Jul 6 15:26:38.265: NONCE payload<br>> > *Jul 6 15:26:38.265: ID payload<br>> > *Jul 6 15:26:38.265: ID_KEY_ID &lt;ezvpn&gt; port 0 protocol 0<br>> > *Jul 6 15:26:38.265: CERT-REQ payload<br>> > *Jul 6 15:26:38.265: VENDOR payload<br>> > *Jul 6 15:26:38.265: VENDOR payload<br>> > *Jul 6 15:26:38.265: VENDOR payload<br>> ><br>> ><br>> > How can I disable that?<br>> ><br>> > # Add connections here.<br>> > conn "ezvpn"<br>> > keyexchange=ikev1<br>> > ikelifetime=1440m<br>> > keylife=60m<br>> > aggressive=yes<br>> > ike=aes-sha-modp1024<br>> > esp=aes128-sha1<br>> > xauth=client<br>> > left=1.1.1.1<br>> > leftid=@#65:7a:76:70:6e:1f<br>> > leftsourceip=%config<br>> > authby=xauthpsk<br>> > leftauth2=xauth<br>> > right=10.1.1.254<br>> > rightid=10.1.1.254<br>> > rightsubnet=0.0.0.0/0<br>> > xauth_identity=cisco_user<br>> > auto=add<br>> <br>> ======================================================================<br>> Andreas Steffen andreas.steffen@strongswan.org<br>> strongSwan - the Linux VPN Solution! www.strongswan.org<br>> Institute for Internet Technologies and Applications<br>> University of Applied Sciences Rapperswil<br>> CH-8640 Rapperswil (Switzerland)<br>> ===========================================================[ITA-HSR]==<br>> <br>> <br></div> </div></body>
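One way to confirm from a captured first Aggressive Mode packet that the CERT-REQ payload discussed in this thread is gone after the configuration change. This is an added example, not part of the original messages or of strongSwan; the function names are hypothetical and the sample packets are constructed with dummy payload bodies, using the payload type numbers from RFC 2408.

```python
import struct

# ISAKMP payload type numbers (RFC 2408, section 3.1), labelled with the
# abbreviations strongSwan uses in its "generating ... [ ... ]" log lines.
PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CERTREQ", 8: "HASH",
            9: "SIG", 10: "No", 11: "N", 12: "D", 13: "V"}
AGGRESSIVE = 4  # ISAKMP exchange type for Aggressive Mode


def parse_ikev1(packet: bytes):
    """Return (exchange_type, [payload names]) for an unencrypted IKEv1 message."""
    if len(packet) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    # Skip both 8-byte cookies, then read: next payload, version,
    # exchange type, flags, message ID, total length.
    nxt, version, exchange, flags, _msg_id, total = struct.unpack(
        "!16xBBBBII", packet[:28])
    if version != 0x10:
        raise ValueError("not an IKEv1 message")
    if flags & 0x01:
        raise ValueError("payloads are encrypted")
    if total > len(packet):
        raise ValueError("truncated message")
    names, offset = [], 28
    while nxt != 0:
        if offset + 4 > total:
            raise ValueError("payload chain runs past the message length")
        # Generic payload header: next payload, reserved byte, length.
        following, length = struct.unpack("!BxH", packet[offset:offset + 4])
        if length < 4 or offset + length > total:
            raise ValueError("bad payload length")
        names.append(PAYLOADS.get(nxt, str(nxt)))
        nxt, offset = following, offset + length
    return exchange, names


def am_sends_certreq(packet: bytes) -> bool:
    """True if this is an Aggressive Mode message carrying a CERTREQ payload."""
    exchange, names = parse_ikev1(packet)
    return exchange == AGGRESSIVE and "CERTREQ" in names


def build_sample(types):
    """Constructed input: Aggressive Mode message with dummy 4-byte payload bodies."""
    body = b"".join(struct.pack("!BxH", nxt, 8) + b"\0" * 4
                    for nxt in list(types[1:]) + [0])
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\0" * 8, types[0],
                       0x10, AGGRESSIVE, 0, 0, 28 + len(body)) + body
```

Feed `am_sends_certreq` the UDP payload of the first port 500 packet from a capture; for NAT-T traffic on port 4500, strip the 4-byte non-ESP marker first.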
</html>