[strongSwan] strongswan and a windows7 client without cert
andreas.steffen at strongswan.org
Sat Jun 18 15:27:13 CEST 2011
Windows 7 expects you to use EAP Identity:
see our example scenario:
IKEv2 requires that the VPN server must authenticate itself
using a server certificate. Hints how to create a server certificate
that will be accepted by a Windows 7 client can be found here:
On 06/18/2011 03:00 PM, Nickola Kolev wrote:
> I would very much like to setup a strongswan VPN gateway, which
> authenticates Windows 7 clients with only a username and password via
> Radius server (freeradius), and with no certs whatsoever. Is that
> Currently I get to a point, where the Freeradius server receives an
> Access-Request via strongswan, but the username there is the IP
> address, which the client has - e.g. '=C0=A8=C9=0C' for 192.168.201.12.
> As a result, no successful authentication is done.
> Here's part of the strongswan's config:
> conn roadwarrior-nat-ikev2
> So, the last thing I see in the logs from strongswan, is this:
> Jun 18 13:46:28 vpnserver charon: 01[CFG] sending RADIUS Access-Request to server 'primary'
> Jun 18 13:46:28 vpnserver charon: 01[CFG] received RADIUS Access-Challenge from server 'primary'
> Jun 18 13:46:28 vpnserver charon: 01[IKE] initiating EAP_RADIUS method (id 0x01)
> Jun 18 13:46:28 vpnserver charon: 01[IKE] peer supports MOBIKE
> Jun 18 13:46:28 vpnserver charon: 01[IKE] no private key found for 'XX.XX.XX.68'
> Jun 18 13:46:28 vpnserver charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Jun 18 13:46:28 vpnserver charon: 01[NET] sending packet: from XX.XX.XX.68 to YY.YY.YY.216
> From this I'm guessing, that in fact I need a certificate,
> nevertheless. Is it possible to have the strongswan daemon relay the
> username to the freeradius daemon intact?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
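An added example, not part of the original thread or of strongSwan: a small check for the symptom described in the quoted message, where the RADIUS User-Name carries the client's raw IP address bytes instead of a login name. The function names and sample values are hypothetical, and the `=XX` escaping is assumed to be the form shown in the post.

```python
import ipaddress
import re

# Matches the =XX byte escapes used in the post, e.g. '=C0=A8=C9=0C'.
_ESCAPE = re.compile(rb"=([0-9A-Fa-f]{2})")


def decode_user_name(value: str) -> bytes:
    """Turn the escaped User-Name text back into the raw attribute bytes."""
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                       value.encode("utf-8"))


def classify_user_name(value: str):
    """Return (kind, detail) for one User-Name value.

    'ike-id-address': 4 or 16 non-printable bytes, i.e. an IP address was
                      relayed as the user name (no EAP Identity was used).
    'username'      : printable ASCII, what the RADIUS server expects.
    'opaque'        : anything else, reported as hex for manual review.
    """
    raw = decode_user_name(value)
    printable = all(0x20 <= b < 0x7F for b in raw)
    if len(raw) in (4, 16) and not printable:
        return ("ike-id-address", str(ipaddress.ip_address(raw)))
    if raw and printable:
        # Caveat: a 4-byte printable value such as 'ABCD' could also be the
        # address 65.66.67.68; it is treated as a name here.
        return ("username", raw.decode("ascii"))
    return ("opaque", raw.hex())


def find_address_identities(values):
    """List (original value, decoded address) for every suspicious entry."""
    hits = []
    for value in values:
        kind, detail = classify_user_name(value)
        if kind == "ike-id-address":
            hits.append((value, detail))
    return hits


# Constructed sample values; only the first one appears in the post.
SAMPLES = ["=C0=A8=C9=0C", "nickola", "=0A=00=00=01", "ABCD", "=FF=00"]

if __name__ == "__main__":
    for original, address in find_address_identities(SAMPLES):
        print(f"User-Name {original!r} is the IP address {address}")
```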