<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Martin<br>
</div>
<blockquote cite="mid:1382601675.3043.35.camel@martin" type="cite">
<pre wrap="">Hi Hans,
</pre>
<blockquote type="cite">
<pre wrap="">I added multiple certificates OU=&lt;groupname&gt; to the cert store, hoping
that Windows would ask me which one to use, with no luck.
</pre>
</blockquote>
<pre wrap="">
I assume you are using Machine Certificates to authenticate the clients?
I'm not aware of a way to enforce a specific certificate in IKE
authentication.</pre>
</blockquote>
Correct.<br>
<blockquote cite="mid:1382601675.3043.35.camel@martin" type="cite">
<pre wrap="">
What you might try is to switch from Machine Certificates to EAP-TLS
authentication (in IKEv2). Microsoft uses EAP-TLS to authenticate users
(not the Machine) with certificates or Smartcards. When selecting "Smart
Card or certificate" as EAP method, you can even (un-)set a "Use simple
certificate selection" flag that sounds promising.</pre>
</blockquote>
If I recall correctly, with "use simple certificate selection" set,
Windows is simply narrowing down the list of possible certificates
for selection, I guess based on the DN of the remote cert.<br>
<br>
I've tried what you suggested with the following ipsec.conf entries:<br>
<br>
<pre wrap="">conn %default
    keyingtries=1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    compress=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    mobike=no
    esp=aes256-sha1-modp4096!
    ike=aes256-sha512-modp4096!

# dev and test differ only in eap_identity; both pull in "warriors"
conn dev
    rightsourceip=172.30.131.127/25
    eap_identity=dev-oti.dom.ch
    also=warriors

conn test
    rightsourceip=172.30.131.127/25
    eap_identity=test-oti.dom.ch
    also=warriors

conn warriors
    left=%defaultroute
    leftcert=oti-vpn.dom.ch.crt
    leftid=@oti-vpn.dom.ch
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    #rightdns=
    esp=aes256-sha1!
    ike=aes256-sha2_384-modp1024!
    dpddelay=300s
    rekey=no
    mobike=yes
    auto=add
    rightsendcert=never
    rightauth=eap-tls
</pre>
<br>
However, I could not convince strongSwan to select the connection
based on the TLS certificate:<br>
<br>
<pre wrap="">...
Oct 27 15:43:42 oti-5700 charon: 13[CFG] looking for peer configs matching 172.30.131.20[%any]...192.168.3.70[192.168.3.70]
Oct 27 15:43:42 oti-5700 charon: 13[CFG] candidate "dev", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG] candidate "test", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG] selected peer config 'dev'
Oct 27 15:43:42 oti-5700 charon: 13[IKE] using configured EAP-Identity dev-oti.zal.io
...</pre>
<br>
Selecting the dev-oti.dom.ch cert on the Windows side brought up the
connection. Selecting test-oti.dom.ch failed due to strongSwan
always using peer 'dev' (the first one) and the eap_identity
mismatching. Looks like the peer config is selected before
EAP-TLS comes into play. Am I missing something here?<br>
<br>
Regards<br>
Hans<br>
<br>
AND I'm impressed by the work and support you guys provide, thanks
a lot!<br>
<pre class="moz-signature" cols="72">--
Hans Riethmann
ortecin GmbH
Waffenplatzstrasse 40, 8002 Zuerich
mobile: +41 79 689 1052, phone: +41 44 280 2828
</pre>
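<p>Added example for the selection behaviour described in the mail above (this is not code from strongSwan or from anyone in this thread): a small Python script that parses the charon <tt>[CFG]</tt> "looking for peer configs" / "candidate" / "selected peer config" lines and flags a round in which several conns matched with the same me/other/ike score, i.e. the case where charon took the first candidate before any EAP-TLS identity was known. The log text embedded in the script is constructed: the first round is the excerpt above re-joined onto single lines, with the EAP identity written as it appears in the ipsec.conf; the second round (peer 192.168.3.71, where only "test" matches) is invented to exercise the unambiguous path.</p>

```python
"""Flag ambiguous strongSwan peer-config selection in charon logs.

Added example, not part of strongSwan: it reads the '[CFG]' lines charon
prints while picking a peer config for an incoming IKE_SA and reports
when several conns tied on the logged me/other/ike score. In the mail
above charon then took the first candidate at that score, before the
EAP-TLS exchange could have told it which client this really is.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample. Round 1 is the excerpt from the mail re-joined onto
# single lines (EAP identity as in the ipsec.conf); round 2, where peer
# 192.168.3.71 matches only "test", is invented to show the clean path.
SAMPLE_LOG = """\
Oct 27 15:43:42 oti-5700 charon: 13[CFG] looking for peer configs matching 172.30.131.20[%any]...192.168.3.70[192.168.3.70]
Oct 27 15:43:42 oti-5700 charon: 13[CFG] candidate "dev", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG] candidate "test", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG] selected peer config 'dev'
Oct 27 15:43:42 oti-5700 charon: 13[IKE] using configured EAP-Identity dev-oti.dom.ch
Oct 27 15:50:01 oti-5700 charon: 14[CFG] looking for peer configs matching 172.30.131.20[%any]...192.168.3.71[192.168.3.71]
Oct 27 15:50:01 oti-5700 charon: 14[CFG] candidate "test", match: 1/1/6 (me/other/ike)
Oct 27 15:50:01 oti-5700 charon: 14[CFG] selected peer config 'test'
Oct 27 15:50:01 oti-5700 charon: 14[IKE] using configured EAP-Identity test-oti.dom.ch
"""

# Patterns follow the message formats visible in the excerpt above.
RE_LOOKING = re.compile(
    r"looking for peer configs matching "
    r"(?P<me_addr>[^\s\[]+)\[(?P<me_id>[^\]]*)\]\.\.\."
    r"(?P<other_addr>[^\s\[]+)\[(?P<other_id>[^\]]*)\]"
)
RE_CANDIDATE = re.compile(
    r'candidate "(?P<name>[^"]+)", match: '
    r"(?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+) \(me/other/ike\)"
)
RE_SELECTED = re.compile(r"selected peer config '(?P<name>[^']+)'")
RE_EAP_ID = re.compile(r"using configured EAP-Identity (?P<ident>\S+)")


@dataclass
class Candidate:
    name: str
    score: Tuple[int, int, int]  # (me, other, ike) exactly as charon logs it


@dataclass
class Selection:
    other_addr: str
    other_id: str
    candidates: List[Candidate] = field(default_factory=list)
    selected: Optional[str] = None
    eap_identity: Optional[str] = None

    def tied(self) -> List[str]:
        """Names of every candidate that scored the same as the selected one."""
        chosen = next((c for c in self.candidates if c.name == self.selected), None)
        if chosen is None:
            return []
        return [c.name for c in self.candidates if c.score == chosen.score]

    def is_ambiguous(self) -> bool:
        return len(self.tied()) > 1


def parse_selections(log_text: str) -> List[Selection]:
    """Group charon's selection lines into one Selection per lookup.

    A record starts at each 'looking for peer configs' line; candidate,
    selected and EAP-Identity lines attach to the current record. Lines
    that match nothing (other subsystems, syslog noise) are skipped.
    """
    selections: List[Selection] = []
    current: Optional[Selection] = None
    for line in log_text.splitlines():
        m = RE_LOOKING.search(line)
        if m:
            current = Selection(m["other_addr"], m["other_id"])
            selections.append(current)
            continue
        if current is None:
            continue
        m = RE_CANDIDATE.search(line)
        if m:
            current.candidates.append(
                Candidate(m["name"], (int(m["me"]), int(m["other"]), int(m["ike"])))
            )
            continue
        m = RE_SELECTED.search(line)
        if m:
            current.selected = m["name"]
            continue
        m = RE_EAP_ID.search(line)
        if m:
            current.eap_identity = m["ident"]
    return selections


def report(selections: List[Selection]) -> List[str]:
    """One finding per lookup; AMBIGUOUS when charon chose among a tie."""
    lines = []
    for s in selections:
        if s.is_ambiguous():
            lines.append(
                f"AMBIGUOUS: {s.other_addr}[{s.other_id}] tied on {s.tied()}; "
                f"charon picked '{s.selected}' (first candidate at that score), "
                f"EAP-Identity '{s.eap_identity}'"
            )
        else:
            lines.append(f"ok: {s.other_addr}[{s.other_id}] -> '{s.selected}'")
    return lines


if __name__ == "__main__":
    for finding in report(parse_selections(SAMPLE_LOG)):
        print(finding)
```

<p>Run it against a charon log (e.g. pipe <tt>journalctl -u strongswan</tt> or the syslog file into <tt>parse_selections</tt>) and every round that reports AMBIGUOUS is a pair of conns that a peer identity of <tt>%any</tt> cannot tell apart, which is exactly the dev/test situation above.</p>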
</body>
</html>