[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support

Martin Willi martin at strongswan.org
Tue Jun 19 11:37:23 CEST 2012

>         rightcert=clientCert.pem
>         rightauth=xauth

No need for a right cert, in Hybrid mode the client authenticates with
XAuth only.

> hybridrsasig:   remote: [C=JP, O=Strongswan, CN=client] uses XAuth authentication: any

Your configuration requires a remote identity "C=JP, O=Strongswan,
CN=client", read from the certificate.  

> Jun 19 17:58:35 13[CFG] looking for HybridInitRSA peer configs
> matching[]

But your client sends "" as IKE identity. If you remove
the rightcert option, you can define a rightid=, or even

> I will give it a try with a client that used "Hybrid" authentication
> without RSA and see if this works.

Hybrid mode is only defined with DSS or RSA as responder authentication
in [1]. We don't support DSS signatures, and no responder public key
authentication at all would be very insecure.
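A check for the two points in the reply above (no `rightcert` on an XAuth-only peer, and a responder that authenticates with a public key), as an added example that is not part of the original message or of strongSwan. It assumes ipsec.conf syntax with left as the local responder; the conn names, the `rightid` value and the sample text are constructed, and `also=` / `%default` inheritance is not resolved.

```python
import re

# Constructed sample; conn names, file names and rightid are made up for this example.
SAMPLE = """\
conn hybrid-with-cert
        leftauth=pubkey
        rightauth=xauth
        rightcert=clientCert.pem

conn hybrid-id-only
        leftauth=pubkey
        rightauth=xauth
        rightid=%any

conn hybrid-psk-responder
        leftauth=psk
        rightauth=xauth
"""

def parse_conns(text):
    """Return {conn name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        head = re.match(r"conn\s+(\S+)$", line)
        if head:
            current = conns.setdefault(head.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # 'config setup', 'ca' and other sections
    return conns

def check_hybrid(conns):
    """Flag XAuth-only (Hybrid) conns that contradict the advice in the reply."""
    findings = []
    for name, opts in conns.items():
        if opts.get("rightauth") != "xauth":
            continue  # the peer is not authenticated by XAuth alone
        if "rightcert" in opts:
            findings.append((name, "rightcert ties the remote identity to the certificate"))
        left = opts.get("leftauth", "pubkey")  # assumption: absent leftauth treated as pubkey
        if not left.startswith("pubkey"):
            findings.append((name, "responder is not authenticated by public key"))
    return findings

if __name__ == "__main__":
    print(*check_hybrid(parse_conns(SAMPLE)), sep="\n")
```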


