[strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Andreas Steffen andreas.steffen at hsr.ch
Fri May 7 15:01:03 CEST 2010


Did you read the certificate constraints
defined in

http://wiki.strongswan.org/projects/strongswan/wiki/Win7cCertReq

- gateway name contained either in CN or subjectAltName.

- serverAuth Extended Key Usage flag

andreas

----- Original Message -----
> Yeah, right. I already changed the ipsec.conf to:
>
> leftsendcert=always
>
> strongSwan now generates the IKE AUTH response IKE AUTH  [Idr AUTH CERT EAP].
>
> Now it's a step further but Win 7 still complains with the following message:
>
> "Error 13801: IKE authentication credentials are unacceptable"
>
> In Win 7 I installed the CA certificate used by the strongSwan server as a trusted
> root certificate. I also made an entry in the Win 7 host file mapping the cert
> details to the IP address of the strongSwan server.
>
> 192.168.10.90    ikeclient
>
> Hmm... Thanks for your assistance and great help!
>
> Best regards
>
> Sven Kerschbaum
>
> Siemens AG
> Industry Sector Industry Automation Division, I IA&DT ATS 12
> mailto:sven.kerschbaum at siemens.com
> http://www.siemens.com/automation
>
> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme
> Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer;
> Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann Requardt,
> Siegfried Russwurm, Peter Y. Solmssen
> Registered offices: Berlin and Munich;
> Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
> WEEE-Reg.-No. DE 23691322
>
>
>
> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Friday, May 7, 2010 13:44
> To: Kerschbaum, Sven
> Cc: users at lists.strongswan.org
> Subject: Re: AW: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2
> (Username and password)
>
> Hi again,
>
> > the response is just a little bit below:
>
> Ah yes, haven't seen the first authentication round in the log.
>
> > Why does strongSwan not reply with IKE AUTH  [Idr AUTH CERT EAP REQ/ID]
>
> >          leftsendcert=never
>
> Looks suspicious ;-). The example configuration uses
> rightsendcert=never, which actually says to not request a certificate
> from the client. leftsendcert=never will not include our own
> certificate, for example if a client already has the peer certificate of
> the gateway. But Windows 7 always expects a certificate payload to
> authenticate the gateway.
>
> Regards
> Martin
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
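
One way to test a gateway certificate against the two constraints listed in the reply above (gateway name in CN or subjectAltName, serverAuth Extended Key Usage), as an added example that is not part of the original thread. The function names, `vpn.example.test` and the generated certificates are constructed for illustration; the check assumes the `openssl` command-line tool and does exact name matching only.

```shell
#!/bin/sh
# make_sample_cert OUT CN SAN EKU: constructed self-signed test certificate.
make_sample_cert() {
    out=$1; dir=$(mktemp -d) || return 2
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
        'prompt = no' '[dn]' "CN = $2" '[ext]' "subjectAltName = $3" \
        "extendedKeyUsage = $4" > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$out" 2>/dev/null
    st=$?; rm -rf "$dir"; return $st
}

# check_gw_cert CERT.pem NAME: returns 0 if both constraints hold, 1 if not.
# NAME is the gateway name the Windows 7 client is configured to connect to.
check_gw_cert() {
    cert=$1; name=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    # The line after an extension header holds its values, comma separated.
    san=$(printf '%s\n' "$text" |
          awk '/X509v3 Subject Alternative Name/ {getline; print}' |
          tr ',' '\n' | sed 's/^ *//; s/^DNS://; s/^IP Address://')
    eku=$(printf '%s\n' "$text" |
          awk '/X509v3 Extended Key Usage/ {getline; print}')
    # Constraint 1: gateway name contained either in CN or subjectAltName.
    if ! printf '%s\n%s\n' "$cn" "$san" | grep -qixF -- "$name"; then
        echo "FAIL: '$name' is in neither CN nor subjectAltName"; rc=1
    fi
    # Constraint 2: serverAuth Extended Key Usage flag.
    case $eku in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: serverAuth EKU missing"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed certificates (hypothetical names, not from the thread).
tmp=$(mktemp -d)
make_sample_cert "$tmp/ok.pem" gw DNS:vpn.example.test serverAuth
make_sample_cert "$tmp/bad.pem" gw DNS:vpn.example.test clientAuth
check_gw_cert "$tmp/ok.pem" vpn.example.test && echo "ok.pem: acceptable"
check_gw_cert "$tmp/bad.pem" vpn.example.test || echo "bad.pem: rejected"
rm -rf "$tmp"
```

To use it on a real deployment, call `check_gw_cert` with the gateway's certificate file and the name or address entered in the Windows 7 VPN connection.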




