[strongSwan] strongSwan with Windows 7
Paton, Andy
andy.paton at hp.com
Sun Aug 18 23:13:39 CEST 2013
On the strongswan host do you have the DNS name as the CN on the server cert?
Regards,
--
Andrew Paton
On 18 Aug 2013, at 22:11, "Noel Kuntze" <noel at familie-kuntze.de> wrote:
>
> Hello,
>
> I'm trying to configure a PC running Windows 7 to connect to my
> strongSwan host.
> Sadly, I ran into error 13801.
> I have a chain of a root CA and two intermediate CAs providing
> certificates for servers and clients.
> The certificates of those three CAs are in the certificate storage of
> Windows in the root certificate section.
> The OS is running in a VM on my desktop and the strongSwan host is in my LAN.
> All the CA certificates have CA:TRUE set and proper extended key usage.
> This is the output of "openssl x509 -in strongswan_lan.pem -noout -text"
> without the signatures and public key (I know about the Umlauts):
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 11 (0xb)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=DE, ST=Baden-W\xC3\xBCrttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2
>         Validity
>             Not Before: Aug 18 18:36:48 2013 GMT
>             Not After : Aug 16 18:36:48 2023 GMT
>         Subject: C=DE, ST=Baden-W\xC3\xBCrttemberg, L=Haslach, O=ThermiCorp, CN=IP:192.168.178.48;DNS:vms.thermi
>         Subject Public Key Info:
>             [snip]
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Server
>             Netscape Comment:
>                 ThermiCorp Server Certificate
>             X509v3 Subject Key Identifier:
>                 01:1B:EA:7F:A3:1B:DC:26:16:F0:36:52:58:01:FC:79:58:65:C8:04
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>             X509v3 Authority Key Identifier:
>                 keyid:71:52:C7:E9:9F:5C:00:43:B1:6B:CA:DC:50:B8:37:63:E2:77:A6:84
>                 DirName:/C=DE/ST=Baden-W\xC3\xBCrttemberg/L=Haslach/O=ThermiCorp/OU=Root CA/CN=ThermiCorp Root CA/emailAddress=noel.kuntze at googlemail.com
>                 serial:05
>
>             X509v3 Issuer Alternative Name:
>                 <EMPTY>
>
>             X509v3 Key Usage:
>                 Key Encipherment, Data Encipherment
>             X509v3 Subject Alternative Name:
>                 IP Address:192.168.178.48
>     Signature Algorithm: sha256WithRSAEncryption
>         [snip]
>
> ipsec.conf:
> conn win7_test
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024!
>     esp=aes256-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=strongswan_lan.pem
>     leftid=vms.thermi
>     leftsendcert=ifasked
>     right=192.168.178.45 # static IP of the VM
>     rightsourceip=172.16.20.0/24
>     rightauth=eap-mschapv2
>     rightsendcert=never
>     eap_identity=%any
>     auto=add
>
> Any help with this is appreciated.
>
> Regards,
>
> Noel Kuntze
>
>
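Added example, not part of either message and not strongSwan code: a small Python check of the point raised in the reply, namely whether the name the client connects to (or the leftid) appears in the server certificate as the CN or as a subjectAltName. It reads the text form printed by "openssl x509 -noout -text"; the sample is abridged from the dump quoted above, and the rule it applies (name in CN or SAN, plus serverAuth EKU) is an assumption about what the Windows 7 client expects.

```python
import re

# Constructed sample: abridged from the certificate dump quoted in this thread.
SAMPLE = """\
Certificate:
    Data:
        Subject: C=DE, L=Haslach, O=ThermiCorp, CN=IP:192.168.178.48;DNS:vms.thermi
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                IP Address:192.168.178.48
"""

SERVER_AUTH = "TLS Web Server Authentication"  # openssl's display name for serverAuth

def ext_value(lines, header):
    """Return the value line printed directly below an extension header."""
    for i, line in enumerate(lines[:-1]):
        if line.strip().startswith(header):
            return lines[i + 1].strip()
    return ""

def parse_cert_text(text):
    """Extract subject CN, SAN values and EKU names from the text dump."""
    lines = text.splitlines()
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    san = ext_value(lines, "X509v3 Subject Alternative Name")
    eku = ext_value(lines, "X509v3 Extended Key Usage")
    return {
        "cn": m.group(1).strip() if m else None,
        "san": [e.partition(":")[2].strip().lower() for e in san.split(",") if ":" in e],
        "eku": [e.strip() for e in eku.split(",") if e.strip()],
    }

def check_identity(cert, identity):
    """List reasons why `identity` is not covered by the certificate."""
    problems = []
    ident = identity.lower()
    if ident not in cert["san"] and ident != (cert["cn"] or "").lower():
        problems.append(f"{identity!r} is neither the CN nor a subjectAltName")
    if SERVER_AUTH not in cert["eku"]:
        problems.append("serverAuth extended key usage is missing")
    return problems

if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE)
    for name in ("vms.thermi", "192.168.178.48"):
        print(name, "->", check_identity(cert, name) or "covered")
```

For the sample, vms.thermi is reported as not covered, because the CN is the literal string "IP:192.168.178.48;DNS:vms.thermi" and the only subjectAltName is the IP address, while 192.168.178.48 is covered.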