<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1461842589567_3206"><span style="font-size:12.0pt;line-height:115%;mso-fareast-font-family:'Times New Roman';mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin" id="yui_3_16_0_ym19_1_1461842589567_3207">Hi
All,<o:p id="yui_3_16_0_ym19_1_1461842589567_3208"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3206"><span style="font-size:12.0pt;line-height:115%;mso-fareast-font-family:'Times New Roman';mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><br></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3206"><span style="font-size:12.0pt;line-height:115%;mso-fareast-font-family:'Times New Roman';mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><br></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3209"><span style="font-size:12.0pt;line-height:115%;mso-fareast-font-family:'Times New Roman';mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin" id="yui_3_16_0_ym19_1_1461842589567_3210">I
am using the strongSwan VPN Client app on an
Android device (VPN Client) and running strongswan-5.4.0 on a Linux device (VPN
Server on a Virtual Machine). I am trying to establish
an IKEv2/IPsec tunnel using certificate with EAP authentication based on
username/password on the client and pubkey on the server. On the server end, constraint
checking fails with the following error message. Can anyone please have a look
at the details below and suggest where I am going wrong? Thank you in advance
for your support and time. <o:p id="yui_3_16_0_ym19_1_1461842589567_3211"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3212"><span style="font-size:12.0pt;line-height:115%;mso-fareast-font-family:'Times New Roman';mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin"><br></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3212"><span style="font-size:12.0pt;line-height:115%;mso-fareast-font-family:'Times New Roman';mso-bidi-font-family:Calibri;mso-bidi-theme-font:minor-latin" id="yui_3_16_0_ym19_1_1461842589567_3213">Charon
log at Server end<o:p id="yui_3_16_0_ym19_1_1461842589567_3214"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3215"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3216">12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT)
CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]<o:p id="yui_3_16_0_ym19_1_1461842589567_3217"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3218"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3219">12[IKE] received cert request for "C=NL, O=Example
Company, CN=strongSwan Root CA"<o:p id="yui_3_16_0_ym19_1_1461842589567_3220"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3221"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3222">12[IKE] received end entity cert "C=NL, O=Example
Company, CN=vpn.example.org"<o:p id="yui_3_16_0_ym19_1_1461842589567_3223"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3224"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3225">12[CFG] looking for peer configs matching
10.0.131.40[%any]...192.168.10.59[C=NL, O=Example Company, CN=vpn.example.org]<o:p id="yui_3_16_0_ym19_1_1461842589567_3226"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3227"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3228">12[CFG] selected peer config 'vpn_server-vpn_client'<o:p id="yui_3_16_0_ym19_1_1461842589567_3229"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3230"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3231">12[CFG] using trusted
ca certificate "C=NL, O=Example Company, CN=strongSwan Root CA"<o:p id="yui_3_16_0_ym19_1_1461842589567_3232"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3233"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3234">12[CFG] checking certificate status of "C=NL, O=Example
Company, CN=vpn.example.org"<o:p id="yui_3_16_0_ym19_1_1461842589567_3235"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3236"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3237">12[CFG] certificate status is not available<o:p id="yui_3_16_0_ym19_1_1461842589567_3238"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3239"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3240">12[CFG] reached
self-signed root ca with a path length of 0<o:p id="yui_3_16_0_ym19_1_1461842589567_3241"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3242"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3243">12[CFG] using trusted
certificate "C=NL, O=Example Company, CN=vpn.example.org"<o:p id="yui_3_16_0_ym19_1_1461842589567_3244"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3245"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3246">12[IKE] authentication of 'C=NL, O=Example Company,
CN=vpn.example.org' with RSA_EMSA_PKCS1_SHA384 successful<o:p id="yui_3_16_0_ym19_1_1461842589567_3247"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3248"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3249">12[CFG] constraint requires EAP_MD5, but EAP_NAK was used<o:p id="yui_3_16_0_ym19_1_1461842589567_3250"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3251"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3252">12[CFG] selected peer config 'vpn_server-vpn_client'
inacceptable: non-matching authentication done<o:p id="yui_3_16_0_ym19_1_1461842589567_3253"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3254"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3255">12[CFG] no alternative config found<o:p id="yui_3_16_0_ym19_1_1461842589567_3256"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3257"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3258">12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using
ESPv3 TFC padding<o:p id="yui_3_16_0_ym19_1_1461842589567_3259"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3260"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3261">12[IKE] peer supports MOBIKE<o:p id="yui_3_16_0_ym19_1_1461842589567_3262"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3263"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3264">12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<o:p id="yui_3_16_0_ym19_1_1461842589567_3265"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3266"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3267">12[NET] sending packet: from 10.0.131.40[4500] to
192.168.10.59[63644] (80 bytes)<o:p id="yui_3_16_0_ym19_1_1461842589567_3268"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3269"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3270"><o:p id="yui_3_16_0_ym19_1_1461842589567_3271"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3272"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3273">I have disabled the constraints plugin (via ./configure --disable-constraints
option).</span> <span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3274">The eap-dynamic plugin handles EAP-Nak payloads returned by
clients and uses these to select a different EAP method supported/requested by
the client. Hence I have configured the following in the plugins section of strongswan.conf:<o:p id="yui_3_16_0_ym19_1_1461842589567_3275"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3276"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3277"><o:p id="yui_3_16_0_ym19_1_1461842589567_3278"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3279"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3280">eap-dynamic<o:p id="yui_3_16_0_ym19_1_1461842589567_3281"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3282"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3283"> {<o:p id="yui_3_16_0_ym19_1_1461842589567_3284"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3285"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3286"><o:p id="yui_3_16_0_ym19_1_1461842589567_3287"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3288"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3289">
prefer_user=yes<o:p id="yui_3_16_0_ym19_1_1461842589567_3290"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3291"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3292">
preferred=eap-md5,eap-mschapv2<o:p id="yui_3_16_0_ym19_1_1461842589567_3293"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3294"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3295"><o:p id="yui_3_16_0_ym19_1_1461842589567_3296"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3297"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3298"> }<o:p id="yui_3_16_0_ym19_1_1461842589567_3299"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3300"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%"><br></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3300"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3301">Here goes the configuration.<o:p id="yui_3_16_0_ym19_1_1461842589567_3302"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3300"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%"><br></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3303"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3304"><u> Ipsec.conf</u><o:p id="yui_3_16_0_ym19_1_1461842589567_3305"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3303"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%"><br></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3306"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3307">config setup</span></div><div id="yui_3_16_0_ym19_1_1461842589567_3309"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3310">conn %default<o:p id="yui_3_16_0_ym19_1_1461842589567_3311"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3312"><span 
style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3313"> ikelifetime=60m<o:p id="yui_3_16_0_ym19_1_1461842589567_3314"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3315"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3316"> keylife=20m<o:p id="yui_3_16_0_ym19_1_1461842589567_3317"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3318"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3319"> rekeymargin=3m<o:p id="yui_3_16_0_ym19_1_1461842589567_3320"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3321"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3322"> keyingtries=1<o:p id="yui_3_16_0_ym19_1_1461842589567_3323"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3324"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3325"><o:p id="yui_3_16_0_ym19_1_1461842589567_3326"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3327"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3328">conn vpn_server-vpn_client<o:p id="yui_3_16_0_ym19_1_1461842589567_3329"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3330"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3331"><o:p id="yui_3_16_0_ym19_1_1461842589567_3332"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3333"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3334">
left=10.0.131.40<o:p id="yui_3_16_0_ym19_1_1461842589567_3335"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3336"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3337">
leftfirewall=yes<o:p id="yui_3_16_0_ym19_1_1461842589567_3338"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3339"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3340"> leftprotoport=1<o:p id="yui_3_16_0_ym19_1_1461842589567_3341"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3342"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3343">
rightprotoport=1<o:p id="yui_3_16_0_ym19_1_1461842589567_3344"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3345"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3346"> right=%any<o:p id="yui_3_16_0_ym19_1_1461842589567_3347"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3348"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3349"> rightsendcert=always<o:p id="yui_3_16_0_ym19_1_1461842589567_3350"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3351"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3352">
leftcert=vpnHostCert.pem<o:p id="yui_3_16_0_ym19_1_1461842589567_3353"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3354"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3355"> leftauth=pubkey<o:p id="yui_3_16_0_ym19_1_1461842589567_3356"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3357"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3358">
rightauth=eap-md5<o:p id="yui_3_16_0_ym19_1_1461842589567_3359"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3360"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3361">
#eap_identity=%any<o:p id="yui_3_16_0_ym19_1_1461842589567_3362"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3363"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3364">
leftsubnet=0.0.0.0/0<o:p id="yui_3_16_0_ym19_1_1461842589567_3365"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3366"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3367"> rightsourceip =
10.0.3.15/32<o:p id="yui_3_16_0_ym19_1_1461842589567_3368"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3369"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3370"> type=tunnel<o:p id="yui_3_16_0_ym19_1_1461842589567_3371"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3372"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3373">
keyexchange=ikev2<o:p id="yui_3_16_0_ym19_1_1461842589567_3374"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3375"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3376"> esp=aes128-sha1<o:p id="yui_3_16_0_ym19_1_1461842589567_3377"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3378"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3379"> rekey=no<o:p id="yui_3_16_0_ym19_1_1461842589567_3380"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3381"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3382"> reauth=no<o:p id="yui_3_16_0_ym19_1_1461842589567_3383"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3384"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3385"> mobike=yes<o:p id="yui_3_16_0_ym19_1_1461842589567_3386"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3387"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3388"> auto=add<o:p id="yui_3_16_0_ym19_1_1461842589567_3389"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3390"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3391"> leftid=%any<o:p id="yui_3_16_0_ym19_1_1461842589567_3392"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3393"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3394"> rightid=%any<o:p id="yui_3_16_0_ym19_1_1461842589567_3395"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3396"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3397"><o:p id="yui_3_16_0_ym19_1_1461842589567_3398"> 
</o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3399"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3400"><u>ipsec.secrets</u><o:p id="yui_3_16_0_ym19_1_1461842589567_3401"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3399"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%"><br></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3402"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3403">: RSA /etc/ipsec.d/private/vpnHostKey.pem<o:p id="yui_3_16_0_ym19_1_1461842589567_3404"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3405"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3406">user : EAP "strongSwan"<o:p id="yui_3_16_0_ym19_1_1461842589567_3407"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3408"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3409"><o:p id="yui_3_16_0_ym19_1_1461842589567_3410"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3411"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3412">Here are the commands used for certificate generation<o:p id="yui_3_16_0_ym19_1_1461842589567_3413"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3414">ipsec pki --gen --type rsa --size 4096 --outform pem >
private/strongswanKey.pem<o:p id="yui_3_16_0_ym19_1_1461842589567_3415"></o:p></div><div id="yui_3_16_0_ym19_1_1461842589567_3416">ipsec pki --self --ca --lifetime 3650 --in
private/strongswanKey.pem --type rsa --dn "C=NL, O=Example Company,
CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem<o:p id="yui_3_16_0_ym19_1_1461842589567_3417"></o:p></div><div id="yui_3_16_0_ym19_1_1461842589567_3418">ipsec pki --gen --type rsa --size 4096 --outform pem >
private/vpnHostKey.pem<o:p id="yui_3_16_0_ym19_1_1461842589567_3419"></o:p></div><div id="yui_3_16_0_ym19_1_1461842589567_3420">ipsec pki --pub --in private/vpnHostKey.pem --type rsa |
ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey
private/strongswanKey.pem --dn "C=NL, O=Example Company,
CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san 172.19.134.4 --san @172.19.134.4 --flag serverAuth --flag
ikeIntermediate --outform pem > certs/vpnHostCert.pem<o:p id="yui_3_16_0_ym19_1_1461842589567_3421"></o:p></div><div id="yui_3_16_0_ym19_1_1461842589567_3422">openssl pkcs12 -in certs/vpnHostCert.pem -inkey
private/vpnHostKey.pem -certfile cacerts/strongswanCert.pem -export -out
peer.p12<o:p id="yui_3_16_0_ym19_1_1461842589567_3423"></o:p></div><div id="yui_3_16_0_ym19_1_1461842589567_3424"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3425"><o:p id="yui_3_16_0_ym19_1_1461842589567_3426"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3427"><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3428">Note that, IKEv2 certificate authentication without EAP works
fine. </span><span style="font-size: 12pt; line-height: 115%; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1461842589567_3429">I imported all certificates to the Android virtual
device and installed them. I selected that specific certificate (CA) and the user certificate that
was imported.<o:p id="yui_3_16_0_ym19_1_1461842589567_3430"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3431"><span style="font-size: 12pt; line-height: 115%; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1461842589567_3432"><o:p id="yui_3_16_0_ym19_1_1461842589567_3433"> </o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_3434"><span style="font-size: 12pt; line-height: 115%; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1461842589567_3435">Regards,<o:p id="yui_3_16_0_ym19_1_1461842589567_3436"></o:p></span></div><div id="yui_3_16_0_ym19_1_1461842589567_2676">
</div><div dir="ltr" id="yui_3_16_0_ym19_1_1461842589567_3437"><span style="font-size: 12pt; line-height: 115%; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1461842589567_3438">Chinmaya</span><span style="font-size:12.0pt;mso-bidi-font-size:11.0pt;line-height:115%" id="yui_3_16_0_ym19_1_1461842589567_3439"><o:p id="yui_3_16_0_ym19_1_1461842589567_3440"></o:p></span></div></div></body></html>