[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)
Kerschbaum, Sven
sven.kerschbaum at siemens.com
Fri May 7 13:53:31 CEST 2010
Yeah, right. I already changed the ipsec.conf to:
leftsendcert=always
strongSwan now generates the IKE AUTH response IKE AUTH [Idr AUTH CERT EAP].
Now it's a step further but Win 7 still complains with the following message:
"Error 13801: IKE authentication credentials are unacceptable"
In Win 7 I installed the CA certificate used by the strongSwan server as a trusted root certificate. I also made an entry in the Win 7 hosts file mapping cert details to the IP address of the strongSwan server.
192.168.10.90 ikeclient
Hmm... Thanks for your assistance and great help!
Best regards
Sven Kerschbaum
Siemens AG
Industry Sector Industry Automation Division, I IA&DT ATS 12
mailto:sven.kerschbaum at siemens.com
http://www.siemens.com/automation
-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Friday, 7 May 2010 13:44
To: Kerschbaum, Sven
Cc: users at lists.strongswan.org
Subject: Re: AW: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)
Hi again,
> the response is just a little bit below:
Ah yes, haven't seen the first authentication round in the log.
> Why does strongSwan not reply with IKE AUTH [Idr AUTH CERT EAP REQ/ID]
> leftsendcert=never
Looks suspicious ;-). The example configuration uses
rightsendcert=never, which actually says to not request a certificate
from the client. leftsendcert=never will not include our own
certificate, for example if a client already has the peer certificate of
the gateway. But Windows 7 always expects a certificate payload to
authenticate the gateway.
Regards
Martin
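
The two settings contrasted in this thread, side by side in a gateway ipsec.conf. This is an added example, not part of either message and not the strongSwan example configuration; the conn names, gatewayCert.pem and the 10.3.0.0/24 pool are placeholders.

```conf
# Added illustration. Conn names, gatewayCert.pem and 10.3.0.0/24 are
# placeholders. Load only one of the two conns on a real gateway.

# As quoted in the thread: leftsendcert=never makes the gateway leave its
# own certificate out of the IKE_AUTH response, so Windows 7 receives no
# CERT payload to authenticate the gateway with.
conn win7-as-quoted
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem
    leftsendcert=never
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsourceip=10.3.0.0/24
    auto=add

# As described in the reply: the gateway always sends its certificate
# (leftsendcert=always) and does not request one from the client
# (rightsendcert=never), which authenticates with EAP-MSCHAPv2 instead.
conn win7-as-described
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem
    leftsendcert=always
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    rightsourceip=10.3.0.0/24
    auto=add
```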