[strongSwan] Connection to cisco ezvpn server - how to disable strongswan to send a cert-req in AM1?

Andreas Steffen andreas.steffen at strongswan.org
Sat Jul 7 07:27:00 CEST 2012


Hi Olivier,

try the new notation

   leftauth=psk
   rightauth=psk
   leftauth2=xauth

and a certificate request should not be sent. If it is still the case
then this must be fixed. In that case try as a workaround

   rightsendcert=no

Regards

Andreas

On 07/06/2012 05:29 PM, Olivier PELERIN wrote:
> Playing around on Strongswan, I try to connect an easyvpn client to an
> easyvpn server.
>
>
> I see strongswan sending a cert-req in the first packet of Aggressive mode.
> *Jul  6 15:26:38.265: ISAKMP: Aggressive Mode packet contents (flags 0,
> len 426):
> *Jul  6 15:26:38.265:           SA payload
> *Jul  6 15:26:38.265:             PROPOSAL
> *Jul  6 15:26:38.265:               TRANSFORM
> *Jul  6 15:26:38.265:               TRANSFORM
> *Jul  6 15:26:38.265:           KE payload
> *Jul  6 15:26:38.265:           NONCE payload
> *Jul  6 15:26:38.265:           ID payload
> *Jul  6 15:26:38.265:             ID_KEY_ID <ezvpn> port 0 protocol 0
> *Jul  6 15:26:38.265:           CERT-REQ payload
> *Jul  6 15:26:38.265:           VENDOR payload
> *Jul  6 15:26:38.265:           VENDOR payload
> *Jul  6 15:26:38.265:           VENDOR payload
>
>
> How can I disable that?
>
> # Add connections here.
> conn "ezvpn"
>          keyexchange=ikev1
>          ikelifetime=1440m
>          keylife=60m
>          aggressive=yes
>          ike=aes-sha-modp1024
>          esp=aes128-sha1
>          xauth=client
>          left=1.1.1.1
>          leftid=@#65:7a:76:70:6e:1f
>          leftsourceip=%config
>          authby=xauthpsk
>          leftauth2=xauth
>          right=10.1.1.254
>          rightid=10.1.1.254
>          rightsubnet=0.0.0.0/0
>          xauth_identity=cisco_user
>          auto=add

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
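
A check for the result, as an added example that is not part of the original thread: a small Python parser for Cisco ISAKMP debug output in the format quoted above, listing the top-level payloads of each dumped packet and reporting any packet that still carries CERT-REQ after the configuration change. The function names and the second sample packet are constructed for illustration.

```python
import re

# Constructed sample: first packet copied in shape from the quoted post (mail
# quoting and wrapped header included); second packet is a made-up "after" capture.
SAMPLE = """\
> *Jul  6 15:26:38.265: ISAKMP: Aggressive Mode packet contents (flags 0,
> len 426):
> *Jul  6 15:26:38.265:           SA payload
> *Jul  6 15:26:38.265:             PROPOSAL
> *Jul  6 15:26:38.265:           ID payload
> *Jul  6 15:26:38.265:             ID_KEY_ID <ezvpn> port 0 protocol 0
> *Jul  6 15:26:38.265:           CERT-REQ payload
> *Jul  6 15:26:38.265:           VENDOR payload
*Jul  6 15:40:02.118: ISAKMP: Aggressive Mode packet contents (flags 0, len 390):
*Jul  6 15:40:02.118:           SA payload
*Jul  6 15:40:02.118:           ID payload
*Jul  6 15:40:02.118:           VENDOR payload
"""

TS = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?:\s+")
HEADER = re.compile(r"ISAKMP: (.+?) packet contents \(flags \d+,\s*len (\d+)\)")
PAYLOAD = re.compile(r"^([A-Z][A-Z-]*) payload$")

def parse_packets(text):
    """Return one dict per dumped packet: mode, length, top-level payload names."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).rstrip()  # drop mail quoting
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()           # re-join a wrapped line
    packets = []
    for rec in records:
        body = TS.sub("", rec)
        header = HEADER.search(body)
        if header:
            packets.append({"mode": header[1], "len": int(header[2]), "payloads": []})
        elif packets and (m := PAYLOAD.match(body)):
            packets[-1]["payloads"].append(m[1])
    return packets

def cert_req_packets(text):
    """Packets that still carry a CERT-REQ payload (unexpected with PSK + XAuth)."""
    return [p for p in parse_packets(text) if "CERT-REQ" in p["payloads"]]

if __name__ == "__main__":
    for p in cert_req_packets(SAMPLE):
        print(f"CERT-REQ present: {p['mode']} packet, len {p['len']}, {p['payloads']}")
```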
