[strongSwan] ERROR 13801
Andreas Steffen
andreas.steffen at strongswan.org
Sun Jul 17 12:21:32 CEST 2016
Hi Max,
the error occurring is:
Jul 12 12:27:27
14[IKE] <IPSec-IKEv2-EAP|1> no private key found for '40.30.20.10'
i.e. the VPN server cannot find its server certificate. Since
EAP-MSCHAPv2 is a weak authentication method, the server must always
authenticate itself with a public key method. Therefore you must
change the following two things:
- In /etc/ipsec.conf enable leftcert=vpnHostCert.pem
- The client assumes a server identity of 40.30.20.10. This IPv4
address must be contained as a subjectAltName in the server
certificate, otherwise the authentication will not work.
A much better solution is to configure the client to send the
fully qualified domain name, i.e. the hostname of the server and
to include the hostname as a subjectAltName in the server
certificate. In that case you have to add the following entry
in ipsec.conf:
leftid=<fully qualified hostname of vpnHost>
Best regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4275 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160717/f65f3e1f/attachment.bin>
More information about the Users
mailing list