[strongSwan] using strongswan to create eap-tls connection like windows 10
Sach K
sacho.polo at gmail.com
Fri Feb 1 05:17:37 CET 2019
Hi,
I am trying to create a test setup that will simulate a Windows 10 client
connecting using eap-identity and certs. I am hitting an error that I
cannot figure out after running down the usual suspects. The same certs
used on a Windows client work. I have copied my config below, and also the
error seen. I am hoping someone can point me in the right direction.
Responder config:
conn eapvpn
leftauth=pubkey
keyexchange=ikev2
eap_identity=%any
left=a.b.c.d
leftsubnet=0.0.0.0/0
leftcert=servercrt.pem
leftsendcert=always
right=%any
rightsourceip=<ippool>
rightauth=eap-tls
rightsendcert=never
auto=add
Initiator config:
conn eap-rw
leftauth=eap-tls
rightauth=pubkey
keyexchange=ikev2
rightid=%any
leftcert=clientcrt.pem
right=a.b.c.d
leftsourceip=%config
leftfirewall=yes
rightsubnet=0.0.0.0/0[icmp]
eap_identity="test-client"
auto=add
The error I see on the responder is
*signature verification failed, trying another key*
*no trusted certificate found for 'test-client' to verify TLS peer*
I have checked the following:
1. ca cert present on both sides in the cacert directory. They show up in
"ipsec stroke listcacerts" output on both sides.
2. client cert has proper key. The output of "ipsec stroke listcerts" shows
that the client crt has a private key. The private key is listed in the
ipsec.secrets file.
3. The eap-identity appears in the DNS of the client cert.
I am using strongswan-5.1.2. I must have messed up some config, but I
can't figure out what. I checked the certs and keys. What am I missing?
thanx in advance,
sk
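A script that runs the three checks listed in the post (cert chains to the CA, private key belongs to the cert, EAP identity appears in the cert) from the command line. This is an added example, not part of the original message; it assumes openssl 1.1.1 or newer on PATH, and make_test_pki builds a constructed throwaway CA and client cert so the check can be exercised offline.

```shell
#!/bin/sh
# Constructed diagnostic for an EAP-TLS client cert (not from the original
# post). Assumes openssl 1.1.1+ on PATH; all paths are passed as arguments.

# check_eap_tls_cert CA_PEM CLIENT_PEM CLIENT_KEY IDENTITY
# Returns 0 only when the cert chains to CA_PEM, the key matches the cert,
# and IDENTITY appears as a DNS SAN or as the subject CN.
check_eap_tls_cert() {
  ca=$1 crt=$2 key=$3 id=$4
  # Chain check: what the responder must succeed at before trusting the TLS peer.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain: not issued by CA"; return 1; }
  # Key check: the public key inside the cert must equal the one derived from the key file.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "key: private key does not belong to cert"; return 1; }
  # Identity check: the EAP identity has to be a DNS SAN or the subject CN.
  openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null | tr ',' '\n' \
    | grep -q "^[[:space:]]*DNS:$id[[:space:]]*$" && { echo "ok (SAN)"; return 0; }
  openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//' \
    | tr ',' '\n' | grep -qx "CN=$id" && { echo "ok (CN)"; return 0; }
  echo "identity: '$id' is neither a DNS SAN nor the CN"; return 1
}

# make_test_pki DIR: constructed throwaway CA plus a client cert carrying
# SAN DNS:test-client, so the check above can be run offline.
make_test_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[client_ext]
subjectAltName = DNS:test-client
EOF
  openssl req -x509 -config "$d/pki.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 >/dev/null 2>&1
  openssl req -new -config "$d/pki.cnf" -subj "/CN=test-client" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/pki.cnf" -extensions client_ext -out "$d/client.pem" >/dev/null 2>&1
}

if [ "${1-}" = demo ]; then
  t=$(mktemp -d); make_test_pki "$t"
  check_eap_tls_cert "$t/ca.pem" "$t/client.pem" "$t/client.key" test-client
  rm -rf "$t"
fi
```

Run with `demo` to exercise the constructed PKI, or pass the real cacert, client cert, key and eap_identity value to check_eap_tls_cert directly.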