[strongSwan] Connection to cisco ezvpn server - how to disable strongswan to send a cert-req in AM1?
Olivier PELERIN
olivier_pelerin at hotmail.com
Sun Jul 8 13:27:32 CEST 2012
Thanks Andreas,
I've modified the config.
conn "ezvpn"
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=yes
    ike=aes-sha-modp1024
    esp=aes128-sha1
    #xauth=client
    left=1.1.1.1
    leftid=@#65:7a:76:70:6e
    leftsourceip=%config
    #authby=xauthpsk
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=10.1.1.254
    rightid=10.1.1.254
    rightsubnet=0.0.0.0/0
    xauth_identity=cisco_user
    auto=add
ironmaiden cacerts # ipsec up 'ezvpn'
sending cert request for "CN=IOL, OU=Olivier, O=Cisco, C=BE"
initiating Aggressive Mode IKE_SA ezvpn[3] to 10.1.1.254
generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V ]
sending packet: from 1.1.1.1[500] to 10.1.1.254[500]
received packet: from 10.1.1.254[500] to 1.1.1.1[500]
We still send the CERT REQ.
As you said, I had to add "rightsendcert=no" to the profile to make it work.
Cheers,
> Date: Sat, 7 Jul 2012 07:27:00 +0200
> From: andreas.steffen at strongswan.org
> To: olivier_pelerin at hotmail.com
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Connection to cisco ezvpn server - how to disable strongswan to send a cert-req in AM1?
>
> Hi Olivier,
>
> try the new notation
>
> leftauth=psk
> rightauth=psk
> leftauth2=xauth
>
> and a certificate request should not be sent. If it is still the case
> then this must be fixed. In that case try as a workaround
>
> rightsendcert=no
>
> Regards
>
> Andreas
>
> On 07/06/2012 05:29 PM, Olivier PELERIN wrote:
> > Playing around on Strongswan, I try to connect an easyvpn client to an
> > easyvpn server.
> >
> >
> > I see strongswan sending a cert-req in the first packet of Aggressive mode.
> > *Jul 6 15:26:38.265: ISAKMP: Aggressive Mode packet contents (flags 0,
> > len 426):
> > *Jul 6 15:26:38.265: SA payload
> > *Jul 6 15:26:38.265: PROPOSAL
> > *Jul 6 15:26:38.265: TRANSFORM
> > *Jul 6 15:26:38.265: TRANSFORM
> > *Jul 6 15:26:38.265: KE payload
> > *Jul 6 15:26:38.265: NONCE payload
> > *Jul 6 15:26:38.265: ID payload
> > *Jul 6 15:26:38.265: ID_KEY_ID <ezvpn> port 0 protocol 0
> > *Jul 6 15:26:38.265: CERT-REQ payload
> > *Jul 6 15:26:38.265: VENDOR payload
> > *Jul 6 15:26:38.265: VENDOR payload
> > *Jul 6 15:26:38.265: VENDOR payload
> >
> >
> > How can I disable that?
> >
> > # Add connections here.
> > conn "ezvpn"
> >     keyexchange=ikev1
> >     ikelifetime=1440m
> >     keylife=60m
> >     aggressive=yes
> >     ike=aes-sha-modp1024
> >     esp=aes128-sha1
> >     xauth=client
> >     left=1.1.1.1
> >     leftid=@#65:7a:76:70:6e:1f
> >     leftsourceip=%config
> >     authby=xauthpsk
> >     leftauth2=xauth
> >     right=10.1.1.254
> >     rightid=10.1.1.254
> >     rightsubnet=0.0.0.0/0
> >     xauth_identity=cisco_user
> >     auto=add
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
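Added example, not from this thread or from strongSwan: a small Python walker over the ISAKMP header and payload chain that reports, for a captured first Aggressive Mode message, whether a CERTREQ payload is present, which is the behaviour the debug output above shows. The sample packet is constructed with dummy payload bodies in the same order as the log (SA KE NONCE ID CERTREQ VID VID VID); the payload type codes are those of RFC 2408.

```python
import struct
# ISAKMP (RFC 2408) exchange type and payload type codes used below.
EXCH_AGGRESSIVE, CERTREQ = 4, 7
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 7: "CERTREQ", 10: "NONCE", 13: "VID"}

def build_isakmp(exchange_type, payloads):
    """Build an ISAKMP message from (payload_type, body) pairs.
    Constructed test data: the bodies are dummy bytes, not real SA/KE contents."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        # Generic payload header: next payload, reserved, length (RFC 2408 section 3.2).
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    # Fixed 28-byte header: cookies, first payload, version 1.0, exchange, flags, msg id, length.
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      exchange_type, 0, 0, 28 + len(body))
    return hdr + body

def parse_isakmp(pkt):
    """Walk the payload chain; return (exchange_type, [payload type codes])."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    _, _, next_type, _, exch, _, _, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("header length does not match packet size")
    types, off = [], 28
    while next_type != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        types.append(next_type)
        next_type, off = nxt, off + plen
    return exch, types

def describe(pkt):
    """Payload names in wire order, matching the 'SA KE No ID CERTREQ V V V' log line."""
    return [PAYLOAD_NAMES.get(t, "P%d" % t) for t in parse_isakmp(pkt)[1]]

def am1_sends_certreq(pkt):
    """True when a first Aggressive Mode message carries a CERTREQ payload."""
    exch, types = parse_isakmp(pkt)
    return exch == EXCH_AGGRESSIVE and CERTREQ in types

# Constructed sample in the same payload order as the debug output above.
SAMPLE_AM1 = build_isakmp(EXCH_AGGRESSIVE, [(1, b"\0" * 8), (4, b"\0" * 16), (10, b"\0" * 16),
    (5, b"\0" * 8), (7, b"\0" * 5), (13, b"\0" * 16), (13, b"\0" * 16), (13, b"\0" * 16)])
```

Feed it the UDP payload of the initiator's first packet from a capture to confirm whether the CERTREQ is still being sent after the config change.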