[strongSwan] Small Problems with 5.2

Dirk Hartmann dha at heise.de
Tue Jul 15 14:21:32 CEST 2014


Hi Martin,

--On Tuesday, July 15, 2014 01:52:45 PM +0200 Martin Willi 
<martin at strongswan.org> wrote:

>
>> With this connection active it doesn't matter if I set rightsendcert
>> to ifasked or yes in the default section or the specific connection
>> section of my linux roadwarrior. I can't connect because charon
>> doesn't send a certificate request.
>>
>> If I remove the conn section for win 7 eap, I can connect.
>
> Certificate requests are sent very early in the IKE negotiation. As a
> responder, it is sent in the first IKE_SA_INIT response. At this
> stage, charon can not reliably select a configuration, as no peer
> identities or authentication methods are known yet.
>
> If no IP address selectors are in place (using left/right), usually
> just the first matching configuration is used. This probably is the
> win7 connection in your configuration.

Ah ok, I see.

>> I set rightsendcert = never as mentioned in the wiki page
>
> While this recommendation is fine if you handle Windows clients only,
> for mixed setups it can result in these issues. I'll add a note to the
> wiki.
>
> If you can't apply IP based selectors to your configuration using
> left/right, you should consider removing the rightsendcert option.
>
> Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
> regard; likely that it is related to the replaced ipsec.conf parser.

It's probably the new parser.
Checking the logs on the gateway running 5.1.3, I discovered that 
rightsendcert = never wasn't honoured for any connection. Windows 7 EAP 
clients received a cert request too. So your suggestion to remove this 
option from our config should be no problem.

Thanks
Dirk
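To make the selection behaviour Martin describes concrete, below is a constructed gateway ipsec.conf (an added example, not Dirk's configuration or anything from the strongSwan project) showing the problematic layout beside the corrected one. Hostnames, certificate file names and subnets are placeholders. Because both conn sections use right=%any, there is no IP selector to distinguish them, so charon takes the first matching conn when it builds the IKE_SA_INIT response, and that conn's rightsendcert decides whether a CERTREQ is sent to every peer.

```conf
# Constructed example (not from the original thread): strongSwan 5.2 gateway
# ipsec.conf serving Windows 7 EAP clients and Linux certificate roadwarriors.

config setup

conn %default
    keyexchange=ikev2
    left=%any
    leftcert=gatewayCert.pem          # placeholder file name
    leftid=@vpn.example.org           # placeholder identity
    leftsubnet=10.0.0.0/16            # placeholder network
    leftauth=pubkey
    right=%any                        # no IP selector: any peer address matches
    rightsourceip=10.1.0.0/24         # placeholder pool
    auto=add

# --- Problematic layout -----------------------------------------------
# This conn is listed first and matches any peer address, so charon picks
# it for the IKE_SA_INIT response, before any peer identity or auth method
# is known. rightsendcert=never therefore suppresses the CERTREQ for
# every peer, including the Linux roadwarriors below, which then cannot
# authenticate with certificates.
conn win7-eap
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsendcert=never

# Never consulted for the CERTREQ decision; its rightsendcert setting is
# moot, whether it is set here, to ifasked, or in %default.
conn linux-roadwarrior
    rightauth=pubkey
    rightsendcert=yes

# --- Corrected layout ---------------------------------------------------
# Drop rightsendcert entirely so the default (ifasked) applies to both
# conns. The gateway then sends a CERTREQ in IKE_SA_INIT to all peers;
# the Windows 7 EAP clients simply ignore it, and the Linux roadwarriors
# get the request they need.
conn win7-eap-fixed
    rightauth=eap-mschapv2
    eap_identity=%identity

conn linux-roadwarrior-fixed
    rightauth=pubkey
```

Only one of the two layouts would be present in a real file; the "-fixed" suffixes exist only to keep the example loadable as written. To verify the change, watch the charon log (ike level 1) during an IKE_SA_INIT from a Linux client: a line of the form `sending cert request for "<CA subject>"` in the response indicates the CERTREQ is now being sent. If the two populations must keep different rightsendcert values, the other option Martin names is to bind each conn to a distinct gateway address via left=, so charon can select by IP before identities are known.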



