[strongSwan] ikev2 vpn using PKI auth with a Blackberry Z10

[G. B.]

You are correct, I am using v4.5.2 on Debian linux (stable branch).  It 
is the most up to date version available in the stable branch.  I took 
your advice and upgraded it (to the next available version in the Debian
 testing stream - v4.6.4), and my z10 connected to the sever without any
 modification to the configs or certificates.  Thanks for the tip!


It
 looks like I can't communicate with the server at all from the z10, and
 vice versa.  I will try and work this out on my own when I have more 
time.  Let me know if you have any suggestions to improve my current 
config.


Thanks very much for your help!  


> Date: Wed, 4 Sep 2013 08:58:35 +0200
> From: tobias at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] ikev2 vpn using PKI auth with a Blackberry Z10
> 
> Hi,
> 
> You didn't write what strongSwan version you are using.  But I suspect
> it's something like 4.5.2, certainly before 4.6.3 because this problem here
> 
> > Sep  3 21:39:19 firebrand charon: 12[ENC] invalid X509 hash length (0)
> > in certreq
> > Sep  3 21:39:19 firebrand charon: 12[ENC] CERTIFICATE_REQUEST
> > verification failed
> > Sep  3 21:39:19 firebrand charon: 12[ENC] could not decrypt payloads
> > Sep  3 21:39:19 firebrand charon: 12[IKE] message verification failed
> 
> should be fixed by [1], which was included in 4.6.3.
> 
> Why the Z10 client sends an empty certificate request, which doesn't
> make much sense, is another question.  Perhaps the CA certificate is not
> installed properly (or at all), or it always does that (bug?).
> 
> Regards,
> Tobias
> 
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=4ef867f5
> 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130905/1c360d2d/attachment.html>