<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 1/24/2017 06:59, Yudi V wrote:<br>
</div>
<blockquote
cite="mid:CACo--mvWPikNChqtDE=L51AyCOm9u44sb1D0GNXQew+zpgx6Bw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jan 24, 2017 at 11:35 PM,
Karl Denninger <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:karl@denninger.net"
target="_blank">karl@denninger.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div>
<div class="gmail-h5"> On 1/24/2017 04:12, Yudi V
wrote:<br>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"> <br clear="all">
<div>
<div>
<div>Hi Karl,<br>
<br>
</div>
Sorry about the delayed reply.<br>
I was finally able to use EAP-TLS. I think
not having the SAN the same as the CN on the client
certificate caused it to fail. I cannot be
100% sure, as I also had an incorrect config
to start with. <br>
<br>
<br>
</div>
I just got one more issue to sort out. How
does the server decide which "conn" to use
when a peer is trying to connect?<br>
</div>
<div>When I try to connect from the Windows
client, I can connect to either rw_cert or
rw_pw when one of them is commented out.
But if both of them are listed, then it
always tries to use rw_pw (i.e., eap-mschapv2)
if it is listed before rw_cert.<br>
</div>
<div>If I swap the order of rw_pw and rw_cert
(rw_cert listed before rw_pw), then it always tries
to use eap-tls. <br>
</div>
<div><br>
</div>
<div>I am guessing the information sent by the
client to the server has some bearing on
which "conn" to use. <br>
</div>
<div>Is there any way to dictate which "conn"
should be used?<br>
</div>
<div><br>
</div>
My current config looks like this:<br>
<br>
<pre>
conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s

    left=%any
    leftsubnet=0.0.0.0/0,::0
    leftauth=pubkey
    leftcert=serverCert.der
    leftid=home1234.ddns.com
    leftfirewall=yes
    lefthostaccess=yes

    right=%any
    rightsourceip=%dhcp
    rightdns=192.168.3.1

conn rw_pw
    rightauth=eap-mschapv2   # using password
    eap_identity=%any
    auto=add

conn rw_cert
    rightauth=eap-tls        # using certificate
    rightsendcert=never
    eap_identity=%any
    auto=add
</pre>
<br>
<div>thanks!<br>
</div>
yudi<br>
<br>
</div>
</div>
</blockquote>
</div>
</div>
Whichever one it can match options with first. If you
have multiple client types connecting, you need to be
careful about the order in which the various required
options are listed within the config file.<span class="gmail-"><br>
<br>
<div class="gmail-m_-2751606270313387773moz-signature">--
<br>
Karl Denninger<br>
<a moz-do-not-send="true"
href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email
preferred]</i></font> </div>
</span></div>
<br>
_______________________________________________<br>
Users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a moz-do-not-send="true"
href="https://lists.strongswan.org/mailman/listinfo/users"
rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote>
</div>
<br>
<br clear="all">
</div>
<div class="gmail_extra">So order dictates which "conn" is used;
that cannot be right. <br>
</div>
<div class="gmail_extra">I want to use the rightsourceip=
setting to connect to different subnets using separate config
sections. The local firewall blocks access between these subnets. <br>
</div>
<div class="gmail_extra">-- <br>
<div class="gmail_signature">Kind regards,<br>
Yudi<br>
</div>
</div>
</div>
</blockquote>
<br>
The client and server negotiate the connection by exchanging options
(what the client and server can each support). The first match
found for both in the config file is used.<br>
<br>
I don't know if it's possible to tell the Windows client to *not* send
the flags stating that it "can" use MSCHAPv2, which would cause the
server to skip that config. You'd think that if you set up a
certificate instead of a password it would not claim it will use
something that's not configured for a given connection, but then
again that would require that the Windows client actually do
intelligent things. Given the "issues" Windows has with CN and SAN,
well.... :)<br>
<br>
I have a "rightauth=pubkey" stanza in my config file since I also
use strongSwan's Android client to connect to the same server; they
coexist just fine.<br>
<br>
<pre>
conn WinUserCert
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=genesis.denninger.net.crt
    leftauth=pubkey
    right=%any
    rightsourceip=192.168.2.0/24
    rightauth=eap-tls
    eap_identity=%identity
    auto=add
    dpdaction=clear
    dpddelay=300s

conn StrongSwan
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=genesis.denninger.net.crt
    leftauth=pubkey
    right=%any
    rightsourceip=192.168.2.0/24
    rightauth=pubkey
    auto=add
</pre>
<br>
<br>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
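<p>The order-dependent conn selection discussed in the thread, and the pubkey/EAP-TLS coexistence reported in the final reply, as an added example that is not part of the original thread and not strongSwan's own code: a small Python linter that parses an ipsec.conf, applies <tt>conn %default</tt>, and reports conn sections a responder could only tell apart by their position in the file. Its matching model is an assumption made for the example (identities plus "public key versus EAP", with the specific EAP method not distinguishable at selection time). Both embedded configs are constructed; the second one uses distinct <tt>leftid</tt> values per EAP conn, which assumes the server certificate carries both names as SANs.</p>

```python
"""Lint an ipsec.conf for conn sections a strongSwan responder could only
tell apart by their order in the file.

Added example, not strongSwan's own code. Its selection model is an
assumption made for the example: before the peer authenticates, the
responder can match leftid, rightid and "public key versus EAP", but not
which EAP method the peer wants (with IKEv2 the server proposes it), so
conns with equal identities and eap-* rightauth collide; the first wins.
"""
from collections import defaultdict

# Constructed sample mirroring the structure of the config in the thread.
SAMPLE_AMBIGUOUS = """
conn %default
    keyexchange=ikev2
    left=%any
    leftid=home1234.ddns.com
    leftauth=pubkey

conn rw_pw
    rightauth=eap-mschapv2   # password
    eap_identity=%any
    auto=add

conn rw_cert
    rightauth=eap-tls        # certificate
    eap_identity=%any
    auto=add
"""

# Constructed variant: the two EAP conns carry distinct server identities
# (assumes the server certificate lists both names as SANs), and a pubkey
# conn for an Android client shares rw_pw's identity without colliding.
SAMPLE_DISTINCT = """
conn %default
    left=%any
    leftauth=pubkey

conn rw_pw
    leftid=pw.home1234.ddns.com
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

conn rw_cert
    leftid=cert.home1234.ddns.com
    rightauth=eap-tls
    eap_identity=%any
    auto=add

conn android
    leftid=pw.home1234.ddns.com
    rightauth=pubkey
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: params}, file order kept, 'conn %default' applied.
    Parameters must be indented under their section header; '#' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # 'conn NAME' or 'config setup'
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
            continue
        key, sep, value = line.strip().partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


def selection_key(params):
    """What the responder can match before the peer authenticates."""
    rightauth = params.get("rightauth", "pubkey")
    auth_class = "eap" if rightauth.startswith("eap") else rightauth
    return (params.get("leftid", "%any"), params.get("rightid", "%any"), auth_class)


def ambiguous_conns(conns):
    """Groups of conn names (in file order) that share a selection key."""
    groups = defaultdict(list)
    for name, params in conns.items():
        if params.get("auto", "ignore") != "ignore":   # unloaded conns don't compete
            groups[selection_key(params)].append(name)
    return [names for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    for label, sample in (("ambiguous", SAMPLE_AMBIGUOUS), ("distinct", SAMPLE_DISTINCT)):
        print(label, ambiguous_conns(parse_ipsec_conf(sample)) or "no order-dependent conns")
```

<p>Run against the first sample it reports <tt>rw_pw</tt> and <tt>rw_cert</tt> as one collision group, which is the behaviour observed in the thread; against the second it reports nothing, and the <tt>rightauth=pubkey</tt> conn is never grouped with an EAP conn that shares its identities.</p>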
</body>
</html>