[strongSwan] Small Problems with 5.2

Dirk Hartmann dha at heise.de
Tue Jul 15 12:02:57 CEST 2014


Hi Martin,

--On Tuesday, July 15, 2014 11:24:04 AM +0200 Martin Willi 
<martin at strongswan.org> wrote:

>> was there a change in 5.2 about charon asking for the certificate of
>> the peer? I can establish a connection when I add leftsendcert=yes to
>> the configuration of my roadwarrior.
>
> None that I'm aware of. leftsendcert=ifasked was the policy ever
> since.
>
>> If I don't add it I get a connection with 5.1.3 but on 5.2 I get:
>> [IKE] no trusted RSA public key found for 'C=DE, O=xxxx'
>> in the log of the server.
>
> As the default policy is "ifasked", this most likely implies that your
> server does not send a certificate request. By default certificate
> requests are sent; what is your rightsendcert setting on the server?

Fascinating.

I don't have a setting in the default section.
But I have a special conn section for Windows 7 users with EAP, in which
I set rightsendcert=never, as mentioned in the wiki page
<https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig>.

With this connection active it doesn't matter if I set rightsendcert to
ifasked or yes in the default section or in the specific connection
section of my Linux roadwarrior. I can't connect because charon doesn't
send a certificate request.

If I remove the conn section for win 7 eap, I can connect.

> charon logs the certificates and certificate requests sent/received
> during the exchange, that should help in analyzing what is missing.

Yes, charon doesn't send certificate requests as long as there is a
single connection section with rightsendcert=never.

Best Regards
Dirk
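As an added illustration (not from the thread, and not strongSwan project code), here is a server-side ipsec.conf in the shape Dirk describes: a Windows 7 EAP conn with rightsendcert=never next to a certificate-authenticated roadwarrior conn. Names, addresses and certificate file names are assumptions; the client-side leftsendcert=yes shown at the end is the workaround the thread reports as working, not a fix of the server behaviour.

```ini
# --- server: /etc/ipsec.conf (constructed example) ---
config setup

conn %default
    keyexchange=ikev2
    leftcert=serverCert.pem        # assumed file name
    leftid=@vpn.example.org        # assumed identity
    leftsubnet=0.0.0.0/0
    rightsourceip=10.10.0.0/24     # assumed pool

# Windows 7 EAP clients, per the Win7EapMultipleConfig wiki page.
# rightsendcert=never here is what the thread identifies as suppressing
# certificate requests for *every* conn, including the one below.
conn win7-eap
    leftauth=pubkey
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

# Linux roadwarrior authenticating with its own RSA certificate.
# Without a certificate request from the server, a client using the
# default leftsendcert=ifasked never sends its certificate, and charon
# logs "no trusted RSA public key found for '<client DN>'".
conn linux-rw
    leftauth=pubkey
    rightauth=pubkey
    rightsendcert=ifasked
    rightca="C=DE, O=Example CA"   # assumed CA DN
    auto=add

# --- client: /etc/ipsec.conf (constructed example) ---
# Workaround reported in the thread: send the certificate unconditionally
# instead of waiting for a CERTREQ that the server never emits.
conn home
    keyexchange=ikev2
    right=vpn.example.org          # assumed
    rightid=@vpn.example.org
    leftcert=clientCert.pem        # assumed file name
    leftsendcert=yes
    auto=start
```

Verify the effect in the charon log: with the workaround in place the server should log a received CERT payload from the client even though it sent no CERTREQ.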