[strongSwan] Difficulty connecting to windows server with linux strongswan client

joakim at verona.se joakim at verona.se
Sat Nov 18 20:54:08 CET 2017


Anvar Kuchkartaev <anvar at anvartay.com> writes:

> I think you are using right=[IP] try to use hostname specified in remote server certificate.

Thanks for taking your time!

I'm using "right=server dns name". The server DNS name is mentioned in
the certificate, as far as I can see. Nevertheless ipsec seems to
complain about the IP address. The IP address is that of the internal
server; I believe the server is NATed.

>
> Anvar Kuchkartaev 
> anvar at anvartay.com 
>   Original Message  
> From: joakim at verona.se
> Sent: Friday, 17 November 2017 10:02 p.m.
> To: users at lists.strongswan.org
> Subject: [strongSwan] Difficulty connecting to windows server with linux strongswan client
>
>
> Hello,
>
> I'm trying to use an Ubuntu strongSwan client to connect to a Windows VPN
> server. I'm a strongSwan newbie. Also, I'm not managing the Windows
> server, but the admin is pretty helpful.
>
> The config is anonymized a bit. I tried a lot of different
> configurations and this is just the latest one.
>
> The idea is that first should psk be used, and then smartcard cert
> should be used for the 2nd phase.
>
> It seems that the PSK phase works AFAICS, but then negotiation stops,
> seemingly because the received cert doesn't match the IP or something.
>
> The end of the log looks like:
> 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
> 12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 12[TLS] server certificate does not match to '192.168.220.3'
> 12[TLS] sending fatal TLS alert 'access denied'
> 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
>
> Is there some way around this? Is there some way to add an exception for
> this certificate or something?
>
> Mac clients are able to connect to the
> same server as well as windows based clients.
>
>
> The config.
>
> config setup
> strictcrlpolicy=no
> uniqueids = yes
> #charondebug="all"
> charondebug="ike 4, knl 4,cfg 4,lib 4,tls 4"
> #	nat_traversal=yes
>
> # Add connections here.
> conn my-ipsec
> leftid=user at domain
>
> leftcert=%smartcard:45
> authby=pubkey
> rightid=%any
>
> right=theserver
> rightcert2=sstputvupa.cer
>
> leftauth=eap
> rightauth=psk
> auto=start
-- 
Joakim Verona
joakim at verona.se
+46705459454
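The log line "server certificate does not match to '192.168.220.3'" comes from the TLS identity check inside EAP-PEAP: the client compares the identity it expects for the server against the certificate's subjectAltName entries, and an IP literal is only ever compared against iPAddress SANs, never against dNSName SANs. The following is an added example (not code from the thread or from strongSwan) that implements that matching rule in plain Python over a constructed SAN list, so you can see why a certificate that names the gateway only by DNS name will fail for an IP address and succeed for the hostname:

```python
import ipaddress

# Constructed sample subjectAltName entries; the real certificate from the
# thread is not available, so these are placeholders for a DNS-only cert.
SERVER_SAN = [("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")]


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive dNSName comparison with a single leftmost-label
    wildcard, in the style of RFC 6125 (no partial-label wildcards)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # The wildcard stands for exactly one non-empty label.
    return (len(p_labels) == len(n_labels)
            and p_labels[1:] == n_labels[1:]
            and n_labels[0] != "")


def identity_matches(san: list, identity: str) -> bool:
    """Return True if 'identity' (a DNS name or an IP literal) is covered by
    one of the (kind, value) SAN entries.  An IP literal is compared only
    against iPAddress entries, so '192.168.220.3' cannot match a cert that
    carries dNSName entries alone, which is the failure seen in the log."""
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, identity):
            return True
    return False


def check(san: list, identity: str) -> str:
    """Human-readable verdict for one identity, useful when diagnosing logs."""
    verdict = "matches" if identity_matches(san, identity) else "does not match"
    return f"server certificate {verdict} '{identity}'"


if __name__ == "__main__":
    for ident in ("192.168.220.3", "vpn.example.com", "gw.vpn.example.com"):
        print(check(SERVER_SAN, ident))
```

Use the DNS name that actually appears in the certificate's SAN as the identity the client verifies; only a certificate that carries an iPAddress SAN for 192.168.220.3 would satisfy the IP form.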

