[strongSwan] ERROR 13801

Andreas Steffen andreas.steffen at strongswan.org
Sun Jul 17 12:21:32 CEST 2016


Hi Max,

the error occurring is:

Jul 12 12:27:27 14[IKE] <IPSec-IKEv2-EAP|1> no private key found for '40.30.20.10'

i.e. the VPN server cannot find its server certificate. Since
EAP-MSCHAPv2 is a weak authentication method, the server must always
authenticate itself with a public key method. Therefore you must
change the following two things:

- In /etc/ipsec.conf enable leftcert=vpnHostCert.pem

- The client assumes a server identity of 40.30.20.10. This IPv4
   address must be contained as a subjectAltName in the server
   certificate, otherwise the authentication will not work.
   A much better solution is to configure the client to send the
   fully qualified domain name, i.e. the hostname of the server and
   to include the hostname as a subjectAltName in the server
   certificate. In that case you have to add the following entry
   in ipsec.conf:

   leftid=<fully qualified hostname of vpnHost>

Best regards

Andreas


======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
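
The two checks described in the message, as an added example that is not part of the original mail or of strongSwan: it verifies that leftcert is active in the conn and that the identity the client expects appears as a subjectAltName of the right type. The ipsec.conf fragment, the hostname vpn.example.org, the SAN line and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the conn named in the log, with leftcert still commented out.
IPSEC_CONF = """\
conn IPSec-IKEv2-EAP
    keyexchange=ikev2
    left=%any
    #leftcert=vpnHostCert.pem
    rightauth=eap-mschapv2
"""
# Constructed subjectAltName line, in the form `openssl x509 -noout -text` prints it.
SAN_TEXT = "DNS:vpn.example.org, IP Address:40.30.20.10"

def parse_conn(conf_text, name):
    """Return the active (uncommented) key=value options of one conn section."""
    opts, active = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():      # an unindented line starts a new section
            active = line.split() == ["conn", name]
        elif active and "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def san_contains(identity, san_text):
    """True if identity is listed as a SAN of the matching type (IP vs. DNS)."""
    entries = [e.strip().partition(":") for e in san_text.split(",")]
    try:
        wanted = ipaddress.ip_address(identity)
    except ValueError:                # not an IP address: compare as a DNS name
        return any(k == "DNS" and v.lower() == identity.lower() for k, _, v in entries)
    return any(k == "IP Address" and ipaddress.ip_address(v) == wanted for k, _, v in entries)

def check_server_auth(conf_text, conn, san_text, client_id):
    """List what stops the server authenticating as the identity the client expects."""
    opts = parse_conn(conf_text, conn)
    problems = []
    if "leftcert" not in opts:
        problems.append("leftcert is not enabled")
    if not san_contains(client_id, san_text):
        problems.append(f"{client_id} is not a subjectAltName")
    leftid = opts.get("leftid")
    if leftid and leftid.lower() != client_id.lower():
        problems.append(f"leftid {leftid} differs from client identity {client_id}")
    return problems
```
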
