[strongSwan] user certificate could not be found via windows 7 vpn connect
Tobias Brunner
tobias at strongswan.org
Tue Aug 26 16:54:16 CEST 2014
Hi Johannes,
> # create pubkey for win7 "klapperkasten"
> ipsec pki --pub --in /etc/ipsec.d/private/klapperkastenKey.pem | ipsec
> pki --issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey
> /etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=klapperkasten"
> --san klapperkasten --san "192.168.0.207" --flag serverAuth --flag
> ikeIntermediate --outform pem > /etc/ipsec.d/certs/klapperkastenCert.pem
Windows will reject the certificate if the Extended Key Usage flags
don't contain the clientAuth flag, unless the flags are omitted
altogether. So either remove all --flag arguments or add --flag
clientAuth. By the way, support for the ikeIntermediate flag was added
with 5.0, so if you use an older release it will be silently ignored.
I added a table with working combinations to [1] and updated some stuff
on the rest of the Windows wiki pages regarding authentication with user
certificates. For instance, I noticed that one still has to install the
CA certificate to authenticate the server in the machine keystore, I
added some notes about the EAP-TLS endpoint verification, and the
example server config now uses leftauth=pubkey because Windows does not
support mutual EAP authentication.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
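As an added example (not part of the original post and not strongSwan's own code), the following script decodes the DER value of an extendedKeyUsage extension and applies the rule described above: Windows accepts the certificate only if the EKU is absent or contains clientAuth. The two DER samples are constructed by hand to mirror the quoted `ipsec pki --issue` command with and without `--flag clientAuth`.

```python
# Added example (not from the mailing-list post or strongSwan itself): decode a
# DER-encoded extendedKeyUsage (EKU) extension value and apply the rule from the
# post for Windows 7 IKEv2 clients: the EKU must be absent entirely or include
# clientAuth. Constructed samples below mirror the two `ipsec pki --issue` variants.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # --flag serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # --flag clientAuth
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # --flag ikeIntermediate

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn OBJECT IDENTIFIER contents into dotted-decimal notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OID) -> list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(_decode_oid(value))
    return oids

def windows_accepts(eku_der):
    """True when Windows 7 would accept the EKU: none at all, or clientAuth present."""
    return eku_der is None or CLIENT_AUTH in parse_eku(eku_der)

# Constructed DER samples: what `--flag serverAuth --flag ikeIntermediate` yields,
# and the same EKU with `--flag clientAuth` added.
EKU_SERVER_ONLY = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505080202")
EKU_WITH_CLIENT = bytes.fromhex("301e" "06082b06010505070301" "06082b06010505070302"
                                "06082b06010505080202")
```

To check a real certificate, extract the extension value with `openssl asn1parse -in klapperkastenCert.pem` (the EKU is the OCTET STRING following OID 2.5.29.37) and pass those bytes to `windows_accepts`.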