[strongSwan] Small Problems with 5.2
martin at strongswan.org
Tue Jul 15 13:52:45 CEST 2014
> With this connection active it doesn't matter if I set rightsendcert to
> ifasked or yes in the default section or the specific connection
> section of my linux roadwarrior. I can't connect because charon doesn't
> send a certificate request.
> If I remove the conn section for win 7 eap, I can connect.
Certificate requests are sent very early in the IKE negotiation. As a
responder, it is sent in the first IKE_SA_INIT response. At this stage,
charon can not reliably select a configuration, as no peer identities or
authentication methods are known yet.

If no IP address selectors are in place (using left/right), usually just
the first matching configuration is used. This probably is the win7
connection in your configuration.

> I set rightsendcert = never as mentioned in the wiki page

While this recommendation is fine if you handle Windows clients only,
for mixed setups it can result in these issues. I'll add a note to the

If you can't apply IP based selectors to your configuration using
left/right, you should consider removing the rightsendcert option.

Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
regard; likely that it is related to the replaced ipsec.conf parser.
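As an added illustration, not part of the original thread or of the strongSwan documentation, the following constructed ipsec.conf fragment shows the mixed setup the reply describes and the fix it suggests. Because charon cannot tell the Windows and Linux peers apart when it builds the IKE_SA_INIT response, the first conn without left/right IP selectors decides whether a certificate request is sent; a `rightsendcert=never` there also silences the CERTREQ for the Linux roadwarrior. The conn names, identities, address pool, certificate file and EAP method are assumptions chosen for the example.

```ini
# Constructed example (not from the thread). Responder side, two roadwarrior
# conns that share right=%any, so neither has an IP selector to distinguish it.
config setup

conn %default
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org        # assumed server identity
    leftcert=serverCert.pem        # assumed certificate file
    leftsubnet=0.0.0.0/0
    right=%any                     # no IP selector: first conn wins at IKE_SA_INIT
    rightsourceip=10.10.10.0/24    # assumed address pool

# Windows 7 EAP clients. This conn is listed first, so it is the one charon
# picks when answering IKE_SA_INIT for any roadwarrior.
conn win7-eap
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%any
    # rightsendcert=never   <- the wiki setting; removed as the reply suggests,
    #                          because it also suppressed the CERTREQ for the
    #                          Linux peer below. Without it the default
    #                          (ifasked) applies to both conns.
    auto=add

# Linux roadwarrior authenticating with its own certificate. It needs the
# responder's CERTREQ, which is only sent if the conn selected at
# IKE_SA_INIT allows it.
conn linux-rw
    leftauth=pubkey
    rightauth=pubkey
    rightsendcert=ifasked          # effective only once a conn is selected
    auto=add
```

If the two client groups connect from distinct address ranges, the other option the reply mentions is to give each conn its own `right=` selector instead of `%any`; charon can then pick the intended conn already at IKE_SA_INIT, and a per-conn `rightsendcert` value takes effect as expected.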