[strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable

Tobias Brunner tobias at strongswan.org
Wed May 4 13:58:32 CEST 2016


Hi Arne,

> So it's an issue with the cipher in the certificate vs. the cipher used to decrypt?

The algorithms used for the TLS session during EAP-TLS, as defined by
the selected TLS cipher suite.  This does not depend on the certificate
(except in regards to whether an RSA or ECDSA suite is selected) or the
IKE algorithms and keys.

> Do I configure the ciphers in strongswan.conf or ipsec.conf (via ike, esp)?

strongswan.conf (via `suites` setting, which you already set apparently)

> I wonder if switching to eap-mschapv2 would be easier...

Yes, it's definitely easier to configure.  Machine certificates are
another option (not sure if Win10 Mobile supports that, though).  See
[1] for some pointers.

> *** strongswan.conf ***
>     plugins {
>         eap-tls {
>             fragment_size = 512
>         }
>     }
>     libtls {
>         suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>     }

Hm, `libtls` is a top-level section so it can't be on the same level as
`plugins` (but `tls` in the `charon` section is an alias for `libtls`,
which you could use).  And the first suite you configured here is the
one that apparently doesn't work, so maybe remove that.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
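
A placement check for the `suites` setting discussed in the reply above, as an added example that is not part of the original message and is not strongSwan code. The function names, the enclosing `charon { }` section around the posted fragment, and the simplified one-item-per-line parsing are assumptions.

```python
import re

# Per the reply above: read from top-level `libtls`, or from `tls` inside `charon`.
VALID_PATHS = {("libtls",), ("charon", "tls")}

def find_suites(text):
    """Return [(section_path, [suite, ...])] for each `suites` key in the text."""
    found, path = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        opened = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if opened:
            path.append(opened.group(1))             # entering a section
        elif line == "}" and path:
            path.pop()                               # leaving a section
        elif re.match(r"suites\s*=", line):
            suites = [s.strip() for s in line.split("=", 1)[1].split(",") if s.strip()]
            found.append((tuple(path), suites))
    return found

def check(text, unwanted=()):
    """List misplaced `suites` settings and any suites the caller wants removed."""
    findings = []
    for path, suites in find_suites(text):
        where = ".".join(path + ("suites",))
        if path not in VALID_PATHS:
            findings.append(f"{where}: not under libtls or charon.tls")
        findings += [f"{where}: still lists {s}" for s in suites if s in unwanted]
    return findings

# Constructed input: the posted fragment, assumed to sit inside `charon { }`.
AS_POSTED = """
charon {
    plugins {
        eap-tls {
            fragment_size = 512
        }
    }
    libtls {
        suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    }
}
"""
FAILING = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"  # the suite the reply suggests removing
# The same text with both suggestions from the reply applied.
FIXED = AS_POSTED.replace("libtls {", "tls {").replace(FAILING + ", ", "")

if __name__ == "__main__":
    print(check(AS_POSTED, [FAILING]), check(FIXED, [FAILING]))
```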
