[strongSwan] unable to connect to strongSwan IKEv2 using eap-radius based authentication

yordanos beyene yordanosb at gmail.com
Tue Jun 12 07:46:21 CEST 2012


Hi Kimmo,

Finally I have the vpn connection established using eap-mschapv2 and
also machine certificates. My X509 certificates seem to work.

Thank you very much for all your help.

It seems the problem was with the Win7 vpn connection. Now I am using the
certificate DNS name, and I also added the IP address mapping to the hosts
file. I also resolved the ping issue by adding a route to the address pool.

Below is the ip address pool route that I added.

 ip route add 172.16.80.0/24 dev eth4
   (172.16.80/24 is my ip pool, and eth4 is the interface to the internal
network (192.16.40.2)).

Here is my configuration for authentication using machine certificate. I
used a similar setup for eap-mschapv2.

conn %default
        auto=route
        keyexchange=ikev2
        keyingtries=1
conn myvpn~mypolicy
        vpn=myvpn
        authby=rsasig
        left=172.16.50.2
        leftsubnet=172.16.40.0/24
        leftcert=zeus at ares.cer
        rightid="C=US, ST=MYSTATE, O=MYORG, OU=MYUNIT, CN=hera.test.net, E=hera at test.net"
        leftfirewall=yes
        right=%any
        rightsourceip=172.16.80.0/24
        auto=add

Now I will move on to eap-radius.

Thanks!

Jordan.

On Mon, Jun 11, 2012 at 10:04 PM, Kimmo Koivisto <koippa at gmail.com> wrote:

> 2012/6/12 yordanos beyene <yordanosb at gmail.com>:
> > Thank you Kimmo for the tips.
>
> Hello Yordanos
>
> >
> > I scaled down my configuration to use eap-mschapv2 authentication instead of
> > eap-radius.
>
> did you use IP address or DNS name in your VPN connection?
>
> > My current problem is ping requests from Win7 to a protected linux host
> > (172.16.40.10) behind the VPN server fail. The ping requests reach
> > the host and ping replies from the host reach the vpn gateway but don't get
> > to the Win7 client.
> >
> > Do I need to install firewall policy? The following security policy is
> > dynamically added.
>
> Depends on your environment but firewall is not mandatory. Just
> remember to route the address pool back to the strongswan and NAT the
> traffic going out.
>
> >
> > Below is ping packet capture from vpn server internal interface (directly
> > connected to the linux host - 172.16.40.10). Internal host responds to
> > Win7 ping request but response doesn't reach Win7 machine. VPN server fails
> > to apply esp and send to Win7 - 172.16.50.10.
>
> is ip_forwarding enabled?
> do you see routing table 220 and is there any content?
>
> > I am also perplexed why port 4500 is used instead of 500 during IKE
> > exchange. See vpn server logs and configuration below. I am not behind NAT.
>
> Mobike RFC4555 specifies
> " To
>   simplify things, implementations that support both this specification
>   and NAT Traversal MUST change to port 4500 if the correspondent also
>   supports both, even if no NAT was detected between them"
>
>
> Regards,
> Kimmo
>
> >
> > Here is  ipsec.conf and strongswan log.
> >
> > ipsec.conf:
> >
> > conn %default
> >         auto=route
> >         keyexchange=ikev2
> >         keyingtries=1
> > conn myvpn~mypolicy
> >         vpn=myvpn
> >         left=172.16.30.2
> >         leftsubnet=0.0.0.0/0
> >         leftauth=pubkey
> >         leftcert=zeus at ares.cer
> >         leftid=@zeus.test.net
> >         right=%any
> >         rightsourceip=172.16.80.0/24
> >         rightauth=eap-mschapv2
> >         rightsendcert=never
> >         eap_identity=%any
> >         auto=add
> > vpn server log:
> > Jun 12 06:14:23 router CHARON-INFO: 12[ENC] parsed INFORMATIONAL response 1 [ ]
> > Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted
> > Jun 12 06:14:23 router CHARON-INFO: 12[IKE] IKE_SA deleted
> > Jun 12 06:14:23 router CHARON-INFO: 12[LIB] releasing address to pool 'myvpn~mypolicy' failed
> > Jun 12 06:14:23 router CHARON-INFO: 15[CFG] received stroke: delete connection 'myvpn~mypolicy'
> > Jun 12 06:14:23 router CHARON-INFO: 15[CFG] deleted connection 'myvpn~mypolicy'
> > Jun 12 06:14:23 router CHARON-INFO: 09[CFG] received stroke: add connection 'myvpn~mypolicy'
> > Jun 12 06:14:23 router CHARON-INFO: 09[CFG]   loaded certificate "C=US, ST=MYSTATE, O=MYORG, OU=MYGROUP, CN=zeus.test.net, E=zeus at test.net" from 'zeus at ares.cer'
> > Jun 12 06:14:23 router CHARON-INFO: 09[CFG] added configuration 'myvpn~mypolicy'
> > Jun 12 06:14:23 router CHARON-INFO: 09[CFG] adding virtual IP address pool 'myvpn~mypolicy': 172.16.80.0/24
> > Jun 12 06:15:24 router CHARON-INFO: 13[NET] received packet: from [500] to [500]
> > Jun 12 06:15:24 router CHARON-INFO: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an IKE_SA
> > Jun 12 06:15:24 router CHARON-INFO: 13[IKE] 172.16.50.10 is initiating an IKE_SA
> > Jun 12 06:15:24 router CHARON-INFO: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > Jun 12 06:15:24 router CHARON-INFO: 13[NET] sending packet: from [500] to [500]
> > Jun 12 06:15:24 router CHARON-INFO: 15[NET] received packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 15[ENC] unknown attribute type INTERNAL_IP4_SERVER
> > Jun 12 06:15:24 router CHARON-INFO: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
> > Jun 12 06:15:24 router CHARON-INFO: 15[IKE] received cert request for "C=US, ST=CA, L=Roseville, O=HP, OU=SPG, CN=ares.hp.com, E=ares at hp.com"
> > Jun 12 06:15:24 router CHARON-INFO: 15[CFG] looking for peer configs matching 172.16.30.2[%any]...172.16.50.10[172.16.50.10]
> > Jun 12 06:15:24 router CHARON-INFO: 15[CFG] selected peer config 'myvpn~mypolicy'
> > Jun 12 06:15:24 router CHARON-INFO: 15[IKE] initiating EAP-Identity request
> > Jun 12 06:15:24 router CHARON-INFO: 15[IKE] peer supports MOBIKE
> > Jun 12 06:15:24 router CHARON-INFO: 15[IKE] authentication of 'zeus.test.net' (myself) with RSA signature successful
> > Jun 12 06:15:24 router CHARON-INFO: 15[IKE] sending end entity cert "C=US, ST=CA, O=MYORG, OU=SPG, CN=zeus.test.net, E=zeus at test.net"
> > Jun 12 06:15:24 router CHARON-INFO: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > Jun 12 06:15:24 router CHARON-INFO: 15[NET] sending packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 12[NET] received packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> > Jun 12 06:15:24 router CHARON-INFO: 12[IKE] received EAP identity 'jordan'
> > Jun 12 06:15:24 router CHARON-INFO: 12[IKE] initiating EAP_MSCHAPV2 method
> > Jun 12 06:15:24 router CHARON-INFO: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> > Jun 12 06:15:24 router CHARON-INFO: 12[NET] sending packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 16[NET] received packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> > Jun 12 06:15:24 router CHARON-INFO: 16[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> > Jun 12 06:15:24 router CHARON-INFO: 16[NET] sending packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 09[NET] received packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> > Jun 12 06:15:24 router CHARON-INFO: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> > Jun 12 06:15:24 router CHARON-INFO: 09[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
> > Jun 12 06:15:24 router CHARON-INFO: 09[NET] sending packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 08[NET] received packet: from [4500] to [4500]
> > Jun 12 06:15:24 router CHARON-INFO: 08[ENC] parsed IKE_AUTH request 5 [ AUTH ]
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of '172.16.50.10' with EAP successful
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] authentication of 'zeus.test.net' (myself) with EAP
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9] established between 172.16.30.2[zeus.test.net]...172.16.50.10[172.16.50.10]
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] IKE_SA myvpn~mypolicy[9] established between 172.16.30.2[zeus.test.net]...172.16.50.10[172.16.50.10]
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] scheduling reauthentication in 10137s
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] maximum IKE_SA lifetime 10677s
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] peer requested virtual IP (vr*)%any
> > Jun 12 06:15:24 router CHARON-INFO: 08[CFG] assigning new lease to 'jordan'
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] assigning virtual IP 172.16.80.1 to peer
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13} established with SPIs c120b985_i 65d20505_o and TS 0.0.0.0/0 === 172.16.80.1/32
> > Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13} established with SPIs c120b985_i 65d20505_o and TS 0.0.0.0/0 === 172.16.80.1/32
> > Jun 12 06:15:24 router CHARON-INFO: 08[ENC] generating IKE_AUTH response 5 [ AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> > Jun 12 06:15:24 router CHARON-INFO: 08[NET] sending packet: from [4500] to [4500]
> >
> > I appreciate any help.
> >
> > Thanks!
> >
> > Jordan.
> > On Mon, Jun 11, 2012 at 12:01 AM, Kimmo Koivisto <koippa at gmail.com> wrote:
> >>
> >> 2012/6/11 yordanos beyene <yordanosb at gmail.com>:
> >> > Hi Everyone,
> >> Hello
> >>
> >> >
> >> > I am having difficulties connecting to strongSwan IKEv2 using eap-radius
> >> > from a windows7 Agile VPN client. Below are my vpn server, windows7, radius
> >> > configuration and error messages. I have followed the strongSwan windows7
> >> > certificate requirements and tried for a couple of days different
> >> > recommendations from the strongswan mailing archive but I couldn't make it
> >> > to work. I really appreciate any help.
> >>
> >> If I were you, I would first make the connection work with
> >> eap-mschapv2 and rule out the problems with certificates.
> >>
> >> This is my configuration from working eap-mschapv2 connection:
> >>
> >> conn win7
> >>    rekey=no
> >>    left=%any
> >>    leftsubnet=0.0.0.0/0
> >>    leftauth=pubkey
> >>    leftcert=mycert.crt
> >>    leftid=@cert-cn
> >>    right=%any
> >>    rightsourceip=192.168.2.0/25
> >>    rightauth=eap-mschapv2
> >>    rightsendcert=never
> >>    eap_identity=%any
> >>    auto=add
> >>
> >>
> >> >
> >> > conn myvpn~mypolicy
> >> >         vpn=myvpn
> >> >         mobike=no
> >>
> >> I would enable mobike, that is quite important for me, changing
> >> interface from WLAN to 3G etc works nice.
> >>
> >> >         left=172.16.30.2
> >> >         leftsubnet=172.26.40.0/24
> >>
> >> Split tunneling is not possible, thus you can narrow traffic selector
> >> to your subnet. I'm negotiating 0.0.0.0/0 so I can surf internet with
> >> the connection
> >>
> >> > =============================
> >> >  #Windows 7 Agile vpn client
> >> >
> >> > Type of VPN : IKEv2
> >> > Authentication: EAP ; sub-menu: tried both PEAP and EAP-MSCHAP v2
> >> > X509 machine certificate and CA certificate installed, and verified as
> >> > valid
> >>
> >> With mschapv2, client machine certificate is not needed, server is
> >> authenticated using server certificate, client authenticates with EAP.
> >>
> >> > Added the following configuration to the windows 7 hosts file
> >> >
> >> >             172.16.30.2    zeus.test.net
> >> > ( 172.16.30.2 refers to the vpn gateway interface, and zeus.test.net is the
> >> > vpn gateway certificate CN and subject alt name).====
> >>
> >> Did you configure your VPN connection using the zeus.test.net? I know,
> >> stupid thing to ask but just to verify that problem is not there.
> >>
> >> > when I started the Windows 7 Agile vpn connection, the following error
> >> > message shows on the vpn gateway and windows7 :
> >> > #Windows7 error message
> >> >
> >> > starts "Verifying user name and password" and displays
> >> > Error:13801: IKE  authentication credentials are unacceptable
> >> > =============================
> >>
> >> When you authenticate using eap-mschapv2 and username/password
> >> authentication fails, Windows shows window with message "Re-enter your
> >> user name and password. Windows could not connect using ...."
> >> Error 13801 means problem in certificates, at least in mschapv2.
> >>
> >> If you already have client certificate installed, you can also try
> >> using the selection "use machine certificate" and try without EAP,
> >> that verifies that certificates are okay.
> >>
> >> In that case, this is my working configuration for it:
> >>
> >>
> >> conn %default
> >>       keyingtries=3
> >>       keyexchange=ikev2
> >>       ike=aes256-sha1-modp1024!
> >>       esp=aes256-sha1!
> >>       dpdaction=clear
> >>       dpddelay=30s
> >>       rekey=no
> >>
> >> conn win7certs
> >>        authby=rsasig
> >>        left=my-public-ip
> >>        leftsubnet=0.0.0.0/0
> >>        leftcert=mycert.crt
> >>        leftid=@cert-cn
> >>        right=%any
> >>        rightsourceip=192.168.3.0/24
> >>        auto=add
> >>
> >>
> >> Regards,
> >> Kimmo
> >>
> >> >
> >> > No user authentication request send to the radius server.
> >> >
> >> > Thank you!
> >> >
> >> > Jordan.
> >> >
> >
> >
>
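
Added example, not part of the original thread and not strongSwan code: a small parser for the charon log format quoted above that ties each exchange to the port it arrived on (the 500 to 4500 switch Kimmo attributes to MOBIKE) and reports whether the failure lies in authentication, CHILD_SA negotiation, or the forwarding and routing questions he raised. The function names and verdict strings are assumptions made for this illustration.

```python
import re

# Sample lines copied from the charon log quoted in this thread (wrapped lines
# rejoined; the post had the addresses stripped from the [NET] lines).
SAMPLE_LOG = """\
Jun 12 06:15:24 router CHARON-INFO: 13[NET] received packet: from [500] to [500]
Jun 12 06:15:24 router CHARON-INFO: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 12 06:15:24 router CHARON-INFO: 15[NET] received packet: from [4500] to [4500]
Jun 12 06:15:24 router CHARON-INFO: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
Jun 12 06:15:24 router CHARON-INFO: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] assigning virtual IP 172.16.80.1 to peer
Jun 12 06:15:24 router CHARON-INFO: 08[IKE] CHILD_SA myvpn~mypolicy{13} established with SPIs c120b985_i 65d20505_o and TS 0.0.0.0/0 === 172.16.80.1/32
"""

LINE = re.compile(r"CHARON-\w+: (\d+)\[\w+\] (.*)$")
RECV = re.compile(r"received packet: from \S*\[(\d+)\] to \S*\[(\d+)\]")
PARSED = re.compile(r"parsed (\w+) (?:request|response) \d+ \[(.*)\]")
EAP = re.compile(r"EAP method (\S+) (succeeded|failed)")
VIP = re.compile(r"assigning virtual IP (\S+) to peer")
CHILD = re.compile(r"CHILD_SA \S+ established with SPIs \S+ \S+ and TS (\S+) === (\S+)")

def summarize(log_text):
    """Reduce a charon log to the facts needed to localise a failure."""
    s = {"ports": {}, "mobike": False, "nat": False, "eap": None, "virtual_ip": None, "ts": None}
    last_recv = {}  # worker thread id -> local port of its last received packet
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, msg = m.groups()
        if (r := RECV.search(msg)):
            last_recv[tid] = int(r.group(2))
        elif (p := PARSED.search(msg)):
            # [NET] and [ENC] share a worker thread id, which ties exchange to port
            if tid in last_recv:
                s["ports"].setdefault(p.group(1), last_recv[tid])
            s["mobike"] |= "N(MOBIKE_SUP)" in p.group(2)
        elif "is behind NAT" in msg:  # charon's wording when NAT detection fires
            s["nat"] = True
        elif (e := EAP.search(msg)):
            s["eap"] = e.groups()
        elif (v := VIP.search(msg)):
            s["virtual_ip"] = v.group(1)
        elif (c := CHILD.search(msg)):
            s["ts"] = c.groups()
    return s

def diagnose(s):
    """Return (port_float_without_nat, where_to_look_next)."""
    floated = (s["ports"].get("IKE_SA_INIT") == 500
               and s["ports"].get("IKE_AUTH") == 4500)
    if s["eap"] and s["eap"][1] == "failed":
        where = "authentication"
    elif s["ts"] is None:
        where = "child-sa-negotiation"
    else:
        where = "forwarding-and-routing"
    return (floated and not s["nat"], where)

print(diagnose(summarize(SAMPLE_LOG)))
```

On the sample lines the result is a port float with no NAT detected and a verdict of forwarding-and-routing, which matches the point in the thread where Kimmo asks about ip_forwarding, routing table 220 and the route for the address pool.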