[strongSwan] Can not create tunnel on Windows 10: no certificate with extensible authentication protocol found
Oliver Söder
osoeder at gmx.de
Wed Feb 8 09:46:54 CET 2017
Hello, I followed this manual to set up IKEv2 VPN on Ubuntu 16.04:
https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
I successfully established a tunnel on an Android device with the
strongSwan app, and data can be transferred through the VPN server.
Now I am stuck at the Windows part (my client is Windows 10). When
following this manual ...
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
... something already looks different at this step:
"Double-clicking on the end entity certificate left in the Personal /
Certificates folder
shows that a corresponding private key is present in the registry:"
There is no remark about a matching private key in my case.
Furthermore there is no certificate trust path in the tab "Certification
Path". There is simply "strongSwan Root CA".
When I try to establish the tunnel on Windows 10, I get this message: "A
certificate could not be found that can be used with this Extensible
Authentication Protocol."
I signed the public key like this:
ipsec pki --pub --in private/vpnHostKey.der --type rsa |
  ipsec pki --issue --lifetime 730 \
    --cacert cacerts/strongswanCert.der \
    --cakey private/strongswanKey.der \
    --dn "C=DE, O=Massivhaus, CN=<hostname>.com" \
    --san <hostname>.com \
    --flag serverAuth --flag ikeIntermediate \
    --outform der > certs/vpnHostCert.der
I created the client certificate on the VPN server with this command:
ipsec pki --pub --in private/JohnKey.der --type rsa |
  ipsec pki --issue --lifetime 730 \
    --cacert cacerts/strongswanCert.der \
    --cakey private/strongswanKey.der \
    --dn "C=DE, O=Massivhaus, CN=john@<hostname>.com" \
    --san "john@<hostname>.com" \
    --outform der > certs/JohnCert.der
<hostname> is a placeholder for the real domain name, which I used.
My mind starts to go in circles; I have no idea what I did wrong. I know
Windows needs "--flag serverAuth", but it is there (checked with
"ipsec pki --print --in certs/vpnHostCert.der")!
Any help would be appreciated.