[strongSwan] Certificate checks while using EAP-TLS

Andreas Schantin andreas.schantin at uni-siegen.de
Fri Oct 8 09:26:57 CEST 2010

Hi Martin,

you've been a great help. Thanks a lot. I've been looking in all the 
wrong places all the time. I was in deed using the IKEv2 identity from 
the client which doesn't match any fields in the clients certificate in 
my case. Sadly I don't know how to change the client's IKEv2 identity 
cause the clients are Windows 7 not StrongSWAN clients.

But Windows after all lets me choose the eap_identity. So by choosing 
the subjectAlternativeName (normally an email address in my client's 
certificates) as the EAP-identity on the client I actually got it to work.

Sadly Windows 7 only gives me that choice if the public/private key pair 
is installed on the machine. I doesn't seem to work for smartcards (or 
at least I don't know how to make it work). I know this is not a Windows 
7 list but if anybody has a hint for me I be very grateful (hope to be 
using my eToken).

Best regards


Am 07.10.2010 16:34, schrieb Martin Willi:
> Hi Andreas,
>> I would like to let the clients authenticate
>> themselves with previously issued certificates that contains an email
>> address in the subjectAlternativeName (or that have no
>> subjectAlternativeName at all).
>> 01[TLS] no trusted certificate found for '' to verify TLS peer
> Charon uses the same cert chain validation in TLS as in traditional
> IKEv2 certificate validation. This validator is a little more strict
> than other TLS stacks in that it requires the peers identity to be
> contained as subject or as subjectAltName in the certificate. Having
> just the peers identity as CN in the DN is not sufficient.
> The peer must either use the full DN of the certificate or one of the
> subjectAltNames as identity. You can specify the IKEv2 identity in
> ipsec.conf as leftid. If you use an additional EAP-Identity exchange
> (initiated by the server with eap_identity=%identity), you can specify
> the EAP-Identity with eap_identity=alice at strongswan.org on the client.
> Don't forget to --enable-eap-identity during configure, as this
> EAP-Identity exchange requires an additional plugin.
>> I just want to check if that client's certificate is issued by
>> a certain CA (and maybe has a certain field in the DN).
> Yes, this should be no problem. But the client must authenticate with an
> identity that is contained in the certificate.
> Regards
> Martin

More information about the Users mailing list