<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px"><div id="yiv3576852796"><div id="yui_3_16_0_1_1456642997157_20738"><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;" id="yui_3_16_0_1_1456642997157_20737"><div class="yiv3576852796" dir="ltr" id="yiv3576852796yui_3_16_0_1_1456501419487_14812"> rightid=Radius-1_Svr@test &lt;&lt;&lt;</div><div class="yiv3576852796" dir="ltr" id="yiv3576852796yui_3_16_0_1_1456501419487_14812"> aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"</div> <div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736"><br></div><div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736" dir="ltr">I'm fishing in the dark but I tried setting the same name as the server's certificate.</div><div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736" dir="ltr">But I got the same error "access denied".</div><div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736" dir="ltr"><br></div><div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736" dir="ltr">Are my parameters wrong?</div><div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736" dir="ltr"># StrongSwan5.3.5</div><div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736" dir="ltr"><br></div><div class="yiv3576852796qtdSeparateBR" id="yui_3_16_0_1_1456642997157_20736" dir="ltr">Regards,<br clear="none"><br clear="none"></div></div></div></div><div class=".yiv3576852796yahoo_quoted"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"> <div class="qtdSeparateBR"><br><br></div><div 
class="yiv3576852796yqt6572767978" id="yiv3576852796yqt56444"><div dir="ltr"><font size="2" face="Arial"> On Monday, 29 February 2016, 4:56, yukou katori &lt;k10lie.tech@yahoo.co.uk&gt; wrote:<br clear="none"></font></div> <br clear="none"><br clear="none"> <div class="yiv3576852796y_msg_container"><div id="yiv3576852796"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"><div id="yiv3576852796yui_3_16_0_1_1456642997157_11256">Thanks, Noel.</div><div id="yiv3576852796yui_3_16_0_1_1456642997157_11255"><br clear="none"></div><div dir="ltr" id="yiv3576852796yui_3_16_0_1_1456642997157_11227">> <span class="yiv3576852796" id="yiv3576852796yui_3_16_0_1_1456642997157_11234" style="font-family:'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:13px;">'C=ES, O=ACCV, CN=ACCVRAIZ1'</span></div><div dir="ltr" id="yiv3576852796yui_3_16_0_1_1456642997157_11227"><span class="yiv3576852796" style="font-family:'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:13px;">Now I set as follows</span></div><div dir="ltr" id="yiv3576852796yui_3_16_0_1_1456642997157_11227"><span class="yiv3576852796" style="font-family:'Helvetica Neue', 'Segoe UI', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:13px;"> "</span>C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA@test" on CA.</div><div dir="ltr" id="yiv3576852796yui_3_16_0_1_1456642997157_11227"> "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_Svr@test" issued by on the CA.</div><div dir="ltr" id="yiv3576852796yui_3_16_0_1_1456642997157_11227"> #self-signed certificate</div><div id="yiv3576852796yui_3_16_0_1_1456642997157_11036"><br clear="none"></div><div id="yiv3576852796yui_3_16_0_1_1456642997157_11036">And I set as follows on StrongSwan:</div><div id="yiv3576852796yui_3_16_0_1_1456642997157_11036"># eap-ttls-radius configuration</div><div class="yiv3576852796" 
id="yiv3576852796yui_3_16_0_1_1456501419487_14812"> rightid=Radius-1@test</div><div class="yiv3576852796" id="yiv3576852796yui_3_16_0_1_1456501419487_14812"> aaa_identity="C=JP, O=XXX, CN=Radius-1_svr@test"</div><div id="yiv3576852796yui_3_16_0_1_1456642997157_11036"><br clear="none"></div><div id="yiv3576852796yui_3_16_0_1_1456642997157_11037">Regards,</div> <div class="yiv3576852796qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv3576852796yqt4389531210" id="yiv3576852796yqt93372"><div class="yiv3576852796yahoo_quoted" style="display:block;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"> <div dir="ltr"><font size="2" face="Arial"> On Monday, 29 February 2016, 4:44, Noel Kuntze &lt;noel@familie-kuntze.de&gt; wrote:<br clear="none"></font></div> <br clear="none"><br clear="none"> <div class="yiv3576852796y_msg_container">Now you're just fishing in the dark and guessing.<br clear="none">The format of the certificate is irrelevant. Read the log you pasted and fix the<br clear="none"><br clear="none">> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'<br clear="none">I guess that's from the client. 
Where did you set that DN?<br clear="none"><br clear="none">Regards,<br clear="none">Noel<br clear="none"><div class="yiv3576852796yqt9027043225" id="yiv3576852796yqtfd06095"><br clear="none">On 28.02.2016 20:37, yukou katori wrote:<br clear="none">> Hi, Noel<br clear="none">><br clear="none">> Or this "access denied" can come from pkcs format?<br clear="none">> pkcs#7 is used in this case, pkcs#12 should be used?<br clear="none">><br clear="none">> Regards,<br clear="none">><br clear="none">><br clear="none">> On Sunday, 28 February 2016, 15:20, yukou katori &lt;<a rel="nofollow" shape="rect" ymailto="mailto:k10lie.tech@yahoo.co.uk" target="_blank" href="mailto:k10lie.tech@yahoo.co.uk">k10lie.tech@yahoo.co.uk</a>&gt; wrote:<br clear="none">><br clear="none">><br clear="none">> Hi, Noel<br clear="none">><br clear="none">> Thanks.<br clear="none">> I compiled again to isolate this problem.<br clear="none">> The reason why no item about certificates was shown by "ipsec listall" came from that I imported incorrect certificate from FreeRadius.<br clear="none">> Now I could get the item about CA by "ipsec install".<br clear="none">><br clear="none">> But I get the same error yet.<br clear="none">><br clear="none">> What does "access denied" mean?<br clear="none">> This is for TLS 1.2 but, it means:<br clear="none">> access_denied<br clear="none">> A valid certificate was received, but when access control was<br clear="none">> applied, the sender decided not to proceed with negotiation. 
This<br clear="none">> message is always fatal.<br clear="none">> from rfc5246<br clear="none">><br clear="none">> Access control?<br clear="none">><br clear="none">> I compiled like this:<br clear="none">> ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls --enable-eap-mschapv2 --enable-eap-md5<br clear="none">><br clear="none">> Regards,<br clear="none">><br clear="none"><br clear="none"><br clear="none"><br clear="none">-- <br clear="none"><br clear="none">Mit freundlichen Grüßen/Kind Regards,<br clear="none">Noel Kuntze<br clear="none"><br clear="none">GPG Key ID: 0x63EC6658<br clear="none">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div> </div></div></div></div></div><br clear="none"><div class="yiv3576852796yqt4389531210" id="yiv3576852796yqt41391">_______________________________________________<br clear="none">Users mailing list<br clear="none"><a rel="nofollow" shape="rect" ymailto="mailto:Users@lists.strongswan.org" target="_blank" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br clear="none"><a rel="nofollow" shape="rect" target="_blank" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></div><br clear="none"><br clear="none"></div></div> </div> </div> </div></div></body></html>