[strongSwan] Small Problems with 5.2

Martin Willi martin at strongswan.org
Tue Jul 15 13:52:45 CEST 2014


> With this connection active it doesn't matter if I set rightsendcert to 
> ifasked or yes in the default section or the specific connection 
> section of my linux roadwarrior. I can't connect because charon doesn't 
> send a certificate request.
> 
> If I remove the conn section for win 7 eap, I can connect.

Certificate requests are sent very early in the IKE negotiation. As a
responder, charon sends it in the first IKE_SA_INIT response. At this
stage, charon cannot reliably select a configuration, as no peer
identities or authentication methods are known yet.

If no IP address selectors are in place (using left/right), usually just
the first matching configuration is used. This probably is the win7
connection in your configuration.

> I set rightsendcert = never as mentioned in the wiki page 

While this recommendation is fine if you handle Windows clients only,
for mixed setups it can result in these issues. I'll add a note to the
wiki.

If you can't apply IP based selectors to your configuration using
left/right, you should consider removing the rightsendcert option.

Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
regard; it is likely related to the replaced ipsec.conf parser.

Regards
Martin
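As an added illustration that is not part of the thread and not strongSwan project code, the following constructed ipsec.conf layout reproduces the selection problem Martin describes (two conns without IP selectors, the Windows 7 EAP conn listed first with rightsendcert=never) and shows the corrected conn next to it. The gateway address, certificate file name and conn names are placeholders.

```conf
# Constructed example, not from the mailing list thread.
#
# Problem layout: both conns use right=%any, so when charon builds the
# IKE_SA_INIT response it has no peer identity or auth method to go on and
# takes the first matching conn. That is win7-eap, and its
# rightsendcert=never suppresses the certificate request for every peer,
# including the Linux road warrior that needs one.
conn win7-eap
    keyexchange=ikev2
    left=203.0.113.10              # placeholder gateway address
    leftcert=gatewayCert.pem       # placeholder certificate file
    leftauth=pubkey
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never            # fine for a Windows-only setup, harmful here
    auto=add

conn linux-roadwarrior
    keyexchange=ikev2
    left=203.0.113.10
    leftcert=gatewayCert.pem
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    rightsendcert=ifasked          # never consulted: win7-eap was already chosen
    auto=add

# Corrected layout, following the advice above: drop rightsendcert from the
# Windows conn so the default (ifasked) applies and a certificate request is
# sent in the IKE_SA_INIT response regardless of which conn is picked first.
conn win7-eap-fixed
    keyexchange=ikev2
    left=203.0.113.10
    leftcert=gatewayCert.pem
    leftauth=pubkey
    right=%any
    rightauth=eap-mschapv2
    auto=add
```

The alternative Martin mentions, IP based selectors, only helps when the road warrior's address is known in advance: setting a specific right= on the Linux conn lets charon pick it by address instead of by position. Either way, the point to check after a change is that the IKE_SA_INIT response from the gateway now carries a CERTREQ payload, which is what the road warrior was missing.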