[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Kerschbaum, Sven sven.kerschbaum at siemens.com
Fri May 7 13:53:31 CEST 2010


Yeah, right. I already changed the ipsec.conf to:

leftsendcert=always

strongSwan now generates the IKE AUTH response IKE AUTH [Idr AUTH CERT EAP].

Now it's a step further but Win 7 still complains with the following message:

"Error 13801: IKE authentication credentials are unacceptable"

In Win 7 I installed the CA certificate used by the strongSwan server as a trusted root certificate. I also added an entry to the Win 7 hosts file mapping the cert details to the IP address of the strongSwan server.

192.168.10.90	ikeclient

Hmm... Thanks for your assistance and great help!

With kind regards / Best regards

Sven Kerschbaum

Siemens AG
Industry Sector Industry Automation Division, I IA&DT ATS 12
mailto:sven.kerschbaum at siemens.com
http://www.siemens.com/automation




-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Friday, 7 May 2010 13:44
To: Kerschbaum, Sven
Cc: users at lists.strongswan.org
Subject: Re: AW: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Hi again,

> the response is just a little bit below:

Ah yes, I hadn't seen the first authentication round in the log.

> Why does strongSwan not reply with IKE AUTH [Idr AUTH CERT EAP REQ/ID]

>      leftsendcert=never

Looks suspicious ;-). The example configuration uses
rightsendcert=never, which actually says to not request a certificate
from the client. leftsendcert=never will not include our own
certificate, for example if a client already has the peer certificate of
the gateway. But Windows 7 always expects a certificate payload to
authenticate the gateway.

Regards
Martin
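As an added illustration of the point Martin makes (not configuration posted by either participant), here is an ipsec.conf conn for a Windows 7 IKEv2 client authenticating with EAP-MSCHAPv2 against a strongSwan gateway that authenticates with its certificate; the weak leftsendcert value sits next to the corrected one. The certificate file names, the gateway name "ikeclient", the address pool and the user name are assumptions.

```ini
# ipsec.conf on the strongSwan gateway (added example; file names, the
# gateway name and the client address pool are assumptions).
conn win7-eap-mschapv2
    keyexchange=ikev2
    # The gateway proves its identity with a certificate and private key.
    leftauth=pubkey
    leftcert=gatewayCert.pem
    # leftid must match a subjectAltName in gatewayCert.pem and the name the
    # Windows client connects to (here the hosts-file name "ikeclient");
    # a name mismatch is a common cause of error 13801 even when the
    # issuing CA is trusted. Windows also expects the serverAuth EKU
    # (1.3.6.1.5.5.7.3.1) in the gateway certificate.
    leftid=ikeclient
    leftsubnet=0.0.0.0/0
    # leftsendcert=never   # weak: our CERT payload is omitted; Windows 7 then
    #                      # cannot authenticate the gateway and fails.
    leftsendcert=always    # corrected: always include our certificate in IKE_AUTH
    # The client authenticates with a username/password via EAP-MSCHAPv2.
    right=%any
    rightauth=eap-mschapv2
    # rightsendcert controls the certificate REQUEST sent to the peer. "never"
    # means we do not ask the client for a certificate, which is what the
    # example configuration intends; it is unrelated to leftsendcert.
    rightsendcert=never
    # EAP identity is taken from the EAP exchange, not from the IKE IDi.
    eap_identity=%any
    # Virtual IP pool handed to Windows clients (assumed range).
    rightsourceip=10.10.0.0/24
    auto=add
```

ipsec.secrets then needs the gateway key and the EAP users, e.g. `: RSA gatewayKey.pem` and `alice : EAP "example-password"` (names assumed), and the CA that issued gatewayCert.pem must be imported into the Windows "Trusted Root Certification Authorities" store of the local machine.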




