[strongSwan] How to configure Strongswan4.6.4/5.x with "IPSec Hybrid authentication with RSA" support
Martin Willi
martin at strongswan.org
Tue Jun 19 11:37:23 CEST 2012
> rightcert=clientCert.pem
> rightauth=xauth
No need for a right cert, in Hybrid mode the client authenticates with
XAuth only.
> hybridrsasig: remote: [C=JP, O=Strongswan, CN=client] uses XAuth authentication: any
Your configuration requires a remote identity "C=JP, O=Strongswan,
CN=client", read from the certificate.
> Jun 19 17:58:35 13[CFG] looking for HybridInitRSA peer configs
> matching 192.168.246.210...192.168.248.101[192.168.248.101]
But your client sends "192.168.248.101" as IKE identity. If you remove
the rightcert option, you can define a rightid=192.168.248.101, or even
rightid=%any.
> I will give it a try with a client that used "Hybrid" authentication
> without RSA and see if this works.
Hybrid mode is only defined with DSS or RSA as responder authentication
in [1]. We don't support DSS signatures, and no responder public key
authentication at all would be very insecure.
Regards
Martin
[1] http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-hybrid-auth-05
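
Added example, not part of the message above and not strongSwan code: a small Python lint for a responder-side conn that checks the points raised in the reply (unneeded rightcert, rightid versus the identity the client sends, responder public key authentication). The parser, finding names, exact-match ID comparison and the leftcert file name are assumptions; the conn name and client address are taken from the quoted log.

```python
# Added example: lint a responder-side ipsec.conf conn for Hybrid mode.
# Simplified parser and ID matching (assumptions), not strongSwan's own logic.
MESSAGES = {
    "rightcert-unneeded": "rightcert set with rightauth=xauth: the remote ID is "
                          "then read from the certificate; drop rightcert",
    "id-mismatch": "rightid does not match the IKE identity the client sends",
    "responder-not-pubkey": "leftauth=pubkey not set: Hybrid mode needs "
                            "responder public key authentication",
}

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header line
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def lint_hybrid(conn, peer_id):
    """Return finding codes for a conn whose client authenticates with XAuth only."""
    findings = []
    if conn.get("rightauth") != "xauth":
        return findings                           # not an XAuth-only client
    if conn.get("leftauth") != "pubkey":          # lint wants it explicit (assumption)
        findings.append("responder-not-pubkey")
    if "rightcert" in conn:
        findings.append("rightcert-unneeded")
    if conn.get("rightid") not in (None, "%any", peer_id):
        findings.append("id-mismatch")
    return findings

# Constructed sample; serverCert.pem is a placeholder file name.
BEFORE = """
conn hybridrsasig
    keyexchange=ikev1
    leftauth=pubkey
    leftcert=serverCert.pem
    rightcert=clientCert.pem
    rightauth=xauth
"""
AFTER = BEFORE.replace("    rightcert=clientCert.pem\n", "    rightid=%any\n")
```

Calling `lint_hybrid(parse_conns(BEFORE)["hybridrsasig"], "192.168.248.101")` reports the unneeded rightcert; the same call on `AFTER` returns no findings.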