[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support

Martin Willi martin at strongswan.org
Tue Jun 19 11:37:23 CEST 2012


>         rightcert=clientCert.pem
>         rightauth=xauth

No need for a right cert, in Hybrid mode the client authenticates with
XAuth only.

> hybridrsasig:   remote: [C=JP, O=Strongswan, CN=client] uses XAuth authentication: any

Your configuration requires a remote identity "C=JP, O=Strongswan,
CN=client", read from the certificate.

> Jun 19 17:58:35 13[CFG] looking for HybridInitRSA peer configs
> matching 192.168.246.210...192.168.248.101[192.168.248.101]

But your client sends "192.168.248.101" as IKE identity. If you remove
the rightcert option, you can define a rightid=192.168.248.101, or even
rightid=%any.

> I will give it a try with a client that used "Hybrid" authentication
> without RSA and see if this works.

Hybrid mode is only defined with DSS or RSA as responder authentication
in [1]. We don't support DSS signatures, and no responder public key
authentication at all would be very insecure.

Regards
Martin

[1] http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-hybrid-auth-05
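As an added illustration (not part of the original reply or of the strongSwan project's documentation), the ipsec.conf fragment below puts Martin's two points together for the `hybridrsasig` connection from the log: the responder keeps its RSA certificate (`leftauth=pubkey`), while the client side drops `rightcert` and uses an explicit or wildcard `rightid` with `rightauth=xauth`. It assumes the charon IKEv1 syntax of strongSwan 5.x; the gateway certificate file name and `left=%defaultroute` are placeholders, and only `192.168.248.101` and the connection name come from the thread.

```ini
# Added example (not from the original thread): responder-side ipsec.conf
# for IKEv1 Hybrid authentication. Assumes strongSwan 5.x charon syntax.

conn hybridrsasig
    keyexchange=ikev1
    # Responder authenticates with its RSA certificate. Hybrid mode is
    # only defined with responder public-key authentication; leaving it
    # out would make the exchange trivially spoofable.
    left=%defaultroute
    leftcert=gatewayCert.pem        # placeholder file name
    leftauth=pubkey
    # Client authenticates with XAuth only. Setting rightcert here would
    # force the remote identity to be taken from that certificate
    # (C=JP, O=Strongswan, CN=client), which the client never sends.
    #   rightcert=clientCert.pem    # <- remove this line
    right=%any
    rightid=192.168.248.101         # or rightid=%any to accept any IKE identity
    rightauth=xauth
    auto=add
```

With `rightid=%any` the peer's IKE identity is not checked at all on the responder, so the XAuth credentials become the only thing binding a connection to a user; a fixed `rightid` per client, as in the fragment, keeps that binding explicit.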
