[strongSwan] Certificate checks while using EAP-TLS

Martin Willi martin at strongswan.org
Fri Oct 8 09:53:05 CEST 2010

Hi Andreas,

> I don't know how to change the client's IKEv2 identity cause the
> clients are Windows 7 not StrongSWAN clients.

You can't, Windows always uses the local IP as the IKEv2 identity. There
have been rumors that Service Pack 1 brings additional identity options,
but I haven't seen anything in the beta.

> It doesn't seem to work for smartcards (or at least I don't know how to
> make it work).

Windows uses machine certificates for plain IKEv2 certificate
authentication and user certificates (optionally on a smartcard) with
EAP-TLS authentication. It works straightforwardly with my SuisseID here.

I'm no expert in Windows smartcard things, but I think you'll have to
make sure the smartcard certificates are loaded into the user
certificate store; in my case the tool shipped with the smartcard does
this for me. As identity, I use the Microsoft specific UPN
subjectAltName contained in my certificate (it is handled as E-Mail on
the strongSwan side).
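The reply says the identity is taken from the Microsoft UPN subjectAltName in the user certificate. The following added example (not code from this thread or from the strongSwan project) shows how to check, before configuring the gateway, that a certificate's subjectAltName actually carries that UPN otherName (OID 1.3.6.1.4.1.311.20.2.3, Microsoft's real OID) and what string it holds, using a small hand-written DER walker so it runs without extra libraries. The SAN blob it parses is constructed inline for illustration; in practice you would feed it the DER value of the subjectAltName extension read from the smartcard certificate. Names such as `parse_san` and `identity_matches` are this example's own.

```python
"""
Inspect an X.509 subjectAltName (GeneralNames) DER value for the Microsoft
UPN otherName that Windows EAP-TLS clients present, plus any rfc822Name.
Added example; the SAN value below is constructed for illustration.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft userPrincipalName otherName


# ---- minimal DER helpers -------------------------------------------------

def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; tags used here all fit in a single byte."""
    return bytes([tag]) + _encode_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_children(content: bytes):
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


# ---- subjectAltName parsing ---------------------------------------------

def parse_san(san_der: bytes) -> dict:
    """Return {'upn': [...], 'email': [...]} from a GeneralNames DER blob."""
    names = {"upn": [], "email": []}
    tag, seq, _ = read_tlv(san_der)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    for tag, inner in iter_children(seq):
        if tag == 0xA0:                     # [0] otherName { OID, [0] EXPLICIT value }
            oid_tag, oid, pos = read_tlv(inner)
            val_tag, explicit, _ = read_tlv(inner, pos)
            if oid_tag == 0x06 and decode_oid(oid) == UPN_OID and val_tag == 0xA0:
                str_tag, text, _ = read_tlv(explicit)
                if str_tag == 0x0C:         # UPN value is a UTF8String
                    names["upn"].append(text.decode("utf-8"))
        elif tag == 0x81:                   # [1] rfc822Name, IA5String
            names["email"].append(inner.decode("ascii"))
    return names


def identity_matches(san_der: bytes, expected_id: str) -> bool:
    """True if expected_id appears as the UPN or as an rfc822Name."""
    names = parse_san(san_der)
    return expected_id in names["upn"] or expected_id in names["email"]


# ---- constructed sample (not a real certificate) ------------------------

def build_sample_san(upn: str, email: str = "") -> bytes:
    other = encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8")))
    parts = tlv(0xA0, other)
    if email:
        parts += tlv(0x81, email.encode("ascii"))
    return tlv(0x30, parts)


SAMPLE_SAN = build_sample_san("user@example.com", "user@example.com")

if __name__ == "__main__":
    print(parse_san(SAMPLE_SAN))
    print(identity_matches(SAMPLE_SAN, "user@example.com"))
```

The UPN string returned by `parse_san` is the value that, per the reply, strongSwan treats as an e-mail style identity; if it is absent from the smartcard certificate, the identity match on the gateway side cannot succeed regardless of how the Windows client is configured.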


