[strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)
Lawrence Chiu
Lawrence_Chiu_TX3 at yahoo.com
Sun Sep 22 01:42:02 CEST 2013
Focusing on this error near the end of syslog:
Sep 21 18:26:16 vmware-u003 charon: 04[CFG] selected peer config 'win7'
Sep 21 18:26:16 vmware-u003 charon: 04[IKE] no trusted RSA public key
found for 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Sep 21 18:26:16 vmware-u003 charon: 04[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 21 18:26:16 vmware-u003 charon: 04[IKE] peer supports MOBIKE
Sep 21 18:26:16 vmware-u003 charon: 04[ENC] generating IKE_AUTH response
1 [ N(AUTH_FAILED) ]
Sep 21 18:26:16 vmware-u003 charon: 04[NET] sending packet: from
192.168.0.180[4500] to 166.147.64.91[50881]

The error "no trusted RSA public key found for 'C=CH, O=strongSwan,
CN=win7.mycompany.local'" looked interesting, so...

I added a line to ipsec.conf:

    rightcert=win7.cert

and then placed the win7.cert file (the client public certificate) in
/etc/ipsec.d/certs/

Now, the errors have changed:

Sep 21 18:27:17 barney charon: 04[CFG] selected peer config 'win7'
Sep 21 18:27:17 barney charon: 04[CFG] using trusted ca certificate
"C=CH, O=strongSwan, CN=pkiCA"
Sep 21 18:27:17 barney charon: 04[CFG] checking certificate status of
"C=CH, O=strongSwan, CN=win7.mycompany.local"
Sep 21 18:27:17 barney charon: 04[CFG] certificate status is not available
Sep 21 18:27:17 barney charon: 04[CFG] reached self-signed root ca
with a path length of 0
Sep 21 18:27:17 barney charon: 04[CFG] using trusted certificate
"C=CH, O=strongSwan, CN=win7.mycompany.local"
Sep 21 18:27:17 barney charon: 04[IKE] authentication of 'C=CH,
O=strongSwan, CN=win7.mycompany.local' with RSA signature successful
Sep 21 18:27:17 barney charon: 04[CFG] constraint requires EAP
authentication, but public key was used
Sep 21 18:27:17 barney charon: 04[CFG] selected peer config 'win7'
inacceptable
Sep 21 18:27:17 barney charon: 04[CFG] no alternative config found
Sep 21 18:27:17 barney charon: 04[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 21 18:27:17 barney charon: 04[IKE] peer supports MOBIKE
Sep 21 18:27:17 barney charon: 04[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Sep 21 18:27:17 barney charon: 04[NET] sending packet: from
192.168.0.50[4500] to 166.147.64.91[54346]

So it looks like the error is now: "constraint requires EAP
authentication, but public key was used", since immediately after that,
it says: "selected peer config 'win7' inacceptable".
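
The triage done by hand in this message can be scripted. The following is an added example, not part of the original post or of strongSwan: it rejoins the mail-wrapped charon records and attaches to each N(AUTH_FAILED) response the rejection reasons logged before it on the same host and thread. The function names are hypothetical, the sample lines are copied from the excerpts above, and the cause patterns cover only the messages quoted in this post.

```python
import re

# Record start as shown in the post: "Sep 21 18:26:16 host charon: 04[CFG] message"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) charon: (\d+)\[\w+\] (.*)$")
# Rejection reasons quoted in the post; not an exhaustive list of charon messages.
CAUSE = re.compile(r"no trusted \w+ public key found for|constraint requires .* but .* was used"
                   r"|selected peer config '.*' inacceptable|no alternative config found")

def unwrap(text):
    """Rejoin log records that the mail client wrapped onto several lines."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw) or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return records

def auth_failures(text):
    """Return one dict per N(AUTH_FAILED) response with the causes logged before it."""
    pending, failures = {}, []   # pending: (host, thread id) -> causes seen so far
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m:
            continue
        stamp, host, thread, msg = m.groups()
        if CAUSE.search(msg):
            pending.setdefault((host, thread), []).append(msg)
        elif "N(AUTH_FAILED)" in msg:
            failures.append({"time": stamp, "host": host, "causes": pending.pop((host, thread), [])})
    return failures

# Sample input: lines from the two excerpts in the post, wrapped as they were mailed.
SAMPLE = """\
Sep 21 18:26:16 vmware-u003 charon: 04[IKE] no trusted RSA public key
found for 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Sep 21 18:26:16 vmware-u003 charon: 04[ENC] generating IKE_AUTH response
1 [ N(AUTH_FAILED) ]
Sep 21 18:27:17 barney charon: 04[CFG] constraint requires EAP
authentication, but public key was used
Sep 21 18:27:17 barney charon: 04[CFG] selected peer config 'win7'
inacceptable
Sep 21 18:27:17 barney charon: 04[CFG] no alternative config found
Sep 21 18:27:17 barney charon: 04[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
"""

for f in auth_failures(SAMPLE):
    print(f["time"], f["host"], "AUTH_FAILED <-", "; ".join(f["causes"]) or "no cause logged")
```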