[strongSwan] Connection to cisco ezvpn server - how to disable strongswan to send a cert-req in AM1?

Olivier PELERIN olivier_pelerin at hotmail.com
Sun Jul 8 13:27:32 CEST 2012


Thanks Andreas,

I've modified the config.

conn "ezvpn"
        keyexchange=ikev1
        ikelifetime=1440m
        keylife=60m
        aggressive=yes
        ike=aes-sha-modp1024
        esp=aes128-sha1
        #xauth=client
        left=1.1.1.1
        leftid=@#65:7a:76:70:6e
        leftsourceip=%config
        #authby=xauthpsk
        leftauth=psk
        rightauth=psk
        leftauth2=xauth
        right=10.1.1.254
        rightid=10.1.1.254
        rightsubnet=0.0.0.0/0
        xauth_identity=cisco_user
        auto=add

ironmaiden cacerts # ipsec up 'ezvpn'
sending cert request for "CN=IOL, OU=Olivier, O=Cisco, C=BE"
initiating Aggressive Mode IKE_SA ezvpn[3] to 10.1.1.254
generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V ]
sending packet: from 1.1.1.1[500] to 10.1.1.254[500]
received packet: from 10.1.1.254[500] to 1.1.1.1[500]

We still send the CERT REQ. 

As you said, I had to add "    rightsendcert=no" into the profile to make it work.

Cheers,

> Date: Sat, 7 Jul 2012 07:27:00 +0200
> From: andreas.steffen at strongswan.org
> To: olivier_pelerin at hotmail.com
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Connection to cisco ezvpn server - how to disable strongswan to send a cert-req in AM1?
> 
> Hi Olivier,
> 
> try the new notation
> 
>    leftauth=psk
>    rightauth=psk
>    leftauth2=xauth
> 
> and a certificate request should not be sent. If it is still the case
> then this must be fixed. In that case try as a workaround
> 
>    rightsendcert=no
> 
> Regards
> 
> Andreas
> 
> On 07/06/2012 05:29 PM, Olivier PELERIN wrote:
> > Playing around on Strongswan, I try to connect an easyvpn client to an
> > easyvpn server.
> >
> >
> > I see strongswan sending a cert-req in the first packet of Aggressive mode.
> > *Jul  6 15:26:38.265: ISAKMP: Aggressive Mode packet contents (flags 0,
> > len 426):
> > *Jul  6 15:26:38.265:           SA payload
> > *Jul  6 15:26:38.265:             PROPOSAL
> > *Jul  6 15:26:38.265:               TRANSFORM
> > *Jul  6 15:26:38.265:               TRANSFORM
> > *Jul  6 15:26:38.265:           KE payload
> > *Jul  6 15:26:38.265:           NONCE payload
> > *Jul  6 15:26:38.265:           ID payload
> > *Jul  6 15:26:38.265:             ID_KEY_ID <ezvpn> port 0 protocol 0
> > *Jul  6 15:26:38.265:           CERT-REQ payload
> > *Jul  6 15:26:38.265:           VENDOR payload
> > *Jul  6 15:26:38.265:           VENDOR payload
> > *Jul  6 15:26:38.265:           VENDOR payload
> >
> >
> > How can I disable that?
> >
> > # Add connections here.
> > conn "ezvpn"
> >          keyexchange=ikev1
> >          ikelifetime=1440m
> >          keylife=60m
> >          aggressive=yes
> >          ike=aes-sha-modp1024
> >          esp=aes128-sha1
> >          xauth=client
> >          left=1.1.1.1
> >          leftid=@#65:7a:76:70:6e:1f
> >          leftsourceip=%config
> >          authby=xauthpsk
> >          leftauth2=xauth
> >          right=10.1.1.254
> >          rightid=10.1.1.254
> >          rightsubnet=0.0.0.0/0
> >          xauth_identity=cisco_user
> >          auto=add
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 
> 
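As an added check that is not part of this thread or of strongSwan itself, the Python below parses a conn block in the shape shown above and the charon log's bracketed payload list, and reports whether the rightsendcert=no workaround is present for an IKEv1 aggressive-mode PSK/XAuth conn and whether a CERTREQ still went out in Aggressive Mode message 1. The conn block and log lines are constructed samples that mirror the thread's output; the function names are my own.

```python
import re

# Constructed sample conn block, mirroring the thread's config with the
# rightsendcert=no workaround applied (values are assumptions, not real hosts).
SAMPLE_CONF = """\
conn "ezvpn"
        keyexchange=ikev1
        aggressive=yes
        #xauth=client
        leftid=@#65:7a:76:70:6e
        leftauth=psk
        rightauth=psk
        leftauth2=xauth
        rightsendcert=no
        xauth_identity=cisco_user
"""

# Constructed sample charon output in the same shape as the thread's log.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA ezvpn[3] to 10.1.1.254
generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V ]
"""

def parse_conns(text):
    """Parse ipsec.conf conn sections into {name: {key: value}}.
    Lines whose first non-blank character is '#' are comments; a '#' inside
    a value (the @# keyid notation used in leftid) is kept as part of the value."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^conn\s+"?([^"\s]+)"?$', line)
        if m and not raw[0].isspace():
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and '=' in line:
            key, val = line.split('=', 1)
            cur[key.strip()] = val.strip()
    return conns

def certreq_in_am1(log):
    """True if an Aggressive Mode message 1 ("request 0") carried a CERTREQ payload."""
    pat = re.compile(r'generating AGGRESSIVE request 0 \[([^\]]*)\]')
    return any('CERTREQ' in m.group(1).split() for m in pat.finditer(log))

def review_conn(conn):
    """Findings for an IKEv1 aggressive-mode PSK conn that must not send CERTREQ.
    strongSwan's rightsendcert default is 'ifasked', so the key must be explicit."""
    findings = []
    psk = (conn.get('leftauth') == 'psk' and conn.get('rightauth') == 'psk') \
        or conn.get('authby') == 'xauthpsk'
    if conn.get('keyexchange') == 'ikev1' and conn.get('aggressive') == 'yes' and psk:
        if conn.get('rightsendcert', 'ifasked') != 'no':
            findings.append('rightsendcert=no missing: CERTREQ may be sent in AM message 1')
    return findings
```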