[strongSwan] strongSwan with Windows 7
Noel Kuntze
noel at familie-kuntze.de
Sun Aug 18 23:11:09 CEST 2013
Hello,
I'm trying to configure a PC running Windows 7 to connect to my
strongSwan host.
Sadly, I ran into error 13801.
I have a chain of a root CA and two intermediate CAs providing
certificates for servers and clients.
The certificates of those three CAs are in the certificate storage of
Windows in the root certificate section.
The OS is running in a VM on my desktop and the strongSwan host is in my LAN.
All the CA certificates have CA:TRUE set and proper extended key usage.
This is the output of "openssl x509 -in strongswan_lan.pem -noout -text"
without the signatures and public key (I know about the Umlauts):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Baden-W\xC3\xBCrttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2
        Validity
            Not Before: Aug 18 18:36:48 2013 GMT
            Not After : Aug 16 18:36:48 2023 GMT
        Subject: C=DE, ST=Baden-W\xC3\xBCrttemberg, L=Haslach, O=ThermiCorp, CN=IP:192.168.178.48;DNS:vms.thermi
        Subject Public Key Info:
            [snip]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                ThermiCorp Server Certificate
            X509v3 Subject Key Identifier:
                01:1B:EA:7F:A3:1B:DC:26:16:F0:36:52:58:01:FC:79:58:65:C8:04
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:71:52:C7:E9:9F:5C:00:43:B1:6B:CA:DC:50:B8:37:63:E2:77:A6:84
                DirName:/C=DE/ST=Baden-W\xC3\xBCrttemberg/L=Haslach/O=ThermiCorp/OU=Root CA/CN=ThermiCorp Root CA/emailAddress=noel.kuntze at googlemail.com
                serial:05
            X509v3 Issuer Alternative Name:
                <EMPTY>
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                IP Address:192.168.178.48
    Signature Algorithm: sha256WithRSAEncryption
        [snip]
ipsec.conf:

conn win7_test
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=strongswan_lan.pem
    leftid=vms.thermi
    leftsendcert=ifasked
    right=192.168.178.45 # static IP of the VM
    rightsourceip=172.16.20.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

Any help with this is appreciated.
Regards,
Noel Kuntze