[strongSwan] user certificate could not be found via windows 7 vpn connect

Tobias Brunner tobias at strongswan.org
Tue Aug 26 16:54:16 CEST 2014

Hi Johannes,

> # create pubkey for win7 "klapperkasten"
> ipsec pki --pub --in /etc/ipsec.d/private/klapperkastenKey.pem | ipsec
> pki --issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey
> /etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=klapperkasten"
> --san klapperkasten --san "" --flag serverAuth --flag
> ikeIntermediate --outform pem > /etc/ipsec.d/certs/klapperkastenCert.pem

Windows will reject the certificate if the Extended Key Usage flags
don't contain the clientAuth flag, unless the flags are omitted
altogether.  So either remove all --flag arguments or add --flag
clientAuth.  By the way, support for the ikeIntermediate flag was added
with 5.0, so if you use an older release it will be silently ignored.

I added a table with working combinations to [1] and updated some stuff
on the rest of the Windows wiki pages regarding authentication with user
certificates.  For instance, I noticed that one still has to install the
CA certificate to authenticate the server in the machine keystore, I
added some notes about the EAP-TLS endpoint verification, and the
example server config now uses leftauth=pubkey because Windows does not
support mutual EAP authentication.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
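
The rule Tobias states above (an Extended Key Usage extension that is present but lacks clientAuth is rejected by Windows, while a certificate with no EKU extension at all is accepted) can be checked mechanically on the DER encoding of a certificate's Extensions sequence. The following is an added example, not code from the mailing-list post or from strongSwan: it encodes and decodes the EKU extension with a small hand-written DER codec, builds three constructed Extensions sequences (the serverAuth + ikeIntermediate combination from the quoted `ipsec pki` command, the same with clientAuth added, and one with no EKU at all), and applies the rule. The OIDs are the standard ones (extKeyUsage 2.5.29.37, serverAuth 1.3.6.1.5.5.7.3.1, clientAuth 1.3.6.1.5.5.7.3.2, ikeIntermediate 1.3.6.1.5.5.8.2.2); the sample data is constructed here and is not the questioner's certificate.

```python
"""Windows IKEv2 client-certificate EKU check (added example, not from strongSwan).

Rule from the reply: EKU absent -> accepted; EKU present -> must contain clientAuth.
"""

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_KEY_USAGE = "2.5.29.15"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """Inverse of encode_oid, applied to the OID's content bytes (tag and length stripped)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_read(data, pos=0):
    """Read one TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def encode_extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    crit = der_tlv(0x01, b"\xff") if critical else b""
    return der_tlv(0x30, encode_oid(oid) + crit + der_tlv(0x04, value_der))


def encode_extensions(ext_list):
    return der_tlv(0x30, b"".join(ext_list))


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (an OID each)."""
    return der_tlv(0x30, b"".join(encode_oid(o) for o in oids))


def find_eku(extensions_der):
    """Walk 'Extensions ::= SEQUENCE OF Extension'; return the EKU OID list, or None if absent."""
    _, exts, _ = der_read(extensions_der)
    pos = 0
    while pos < len(exts):
        _, ext, pos = der_read(exts, pos)
        _, oid_body, p = der_read(ext)
        if decode_oid(oid_body) != OID_EXT_KEY_USAGE:
            continue
        tag, inner, p = der_read(ext, p)
        if tag == 0x01:                      # skip the optional 'critical' BOOLEAN
            tag, inner, p = der_read(ext, p)
        _, seq, _ = der_read(inner)          # OCTET STRING content is the SEQUENCE OF OID
        oids, q = [], 0
        while q < len(seq):
            _, body, q = der_read(seq, q)
            oids.append(decode_oid(body))
        return oids
    return None


def windows_accepts(eku_oids):
    """Rule from the reply: no EKU at all is fine; an EKU present without clientAuth is rejected."""
    return eku_oids is None or OID_CLIENT_AUTH in eku_oids


def check_extensions(extensions_der):
    """Return (accepted_by_windows, eku_oids_or_None) for a DER Extensions sequence."""
    eku = find_eku(extensions_der)
    return windows_accepts(eku), eku


# Constructed sample data, not the questioner's certificate.
def sample_broken():     # --flag serverAuth --flag ikeIntermediate, as in the quoted command
    return encode_extensions([encode_extension(OID_EXT_KEY_USAGE,
                                               encode_eku([OID_SERVER_AUTH, OID_IKE_INTERMEDIATE]))])


def sample_fixed():      # same plus --flag clientAuth, marked critical to exercise that branch
    return encode_extensions([encode_extension(OID_EXT_KEY_USAGE,
                                               encode_eku([OID_SERVER_AUTH, OID_IKE_INTERMEDIATE,
                                                           OID_CLIENT_AUTH]), critical=True)])


def sample_no_eku():     # all --flag arguments removed: only a keyUsage extension remains
    return encode_extensions([encode_extension(OID_KEY_USAGE, der_tlv(0x03, b"\x07\x80"), critical=True)])


if __name__ == "__main__":
    for name, fn in (("broken", sample_broken), ("fixed", sample_fixed), ("no-eku", sample_no_eku)):
        ok, eku = check_extensions(fn())
        print(f"{name:7s} EKU={eku} -> {'accepted' if ok else 'REJECTED by Windows'}")
```

The walker is applied to the certificate's Extensions sequence rather than to a whole certificate file; on a real PEM file the same OID list is visible with `openssl x509 -in klapperkastenCert.pem -noout -ext extendedKeyUsage`, and the verdict is the same: either the list contains `TLS Web Client Authentication` or the extension must be absent entirely.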
