[strongSwan] Windows Client - Multiple Connections, Multiple Certs
Tom Rymes
trymes at rymes.com
Sun Feb 24 17:32:00 CET 2019
Hopefully this will not result in a duplicate post, I sent the first
version of this message from a different address.
I have specified two IKEv2 connections on a Windows 10 client, each one
connecting to a different Strongswan machine using machine certificates.
Connection1 works just fine, but when I add the second connection, along
with its certificate, it does not work. The Strongswan server for
Connection2 reports this in the log:
charon: 13[IKE] received cert request for "C=US, ST=QQ,
L=Connection2Town, O=Connection2Org, OU=Connection2Dept, CN=Connection2
CA, E=user at connection2.com"
charon: 13[IKE] received cert request for "C=US, ST=ZZ,
L=Connection1Town, O=Connection1Org, OU=Connection1Dept,
CN=Connection1CA, E=user at connection1.com"
charon: 13[IKE] received 42 cert requests for an unknown ca
charon: 13[IKE] received end entity cert "C=US, ST=ZZ, O=MyOrg,
OU=MyDept, CN=Connection1"
charon: 13[CFG] looking for peer configs matching
x.x.x.x[%any]...y.y.y.y[C=US, ST=ZZ, O=MyOrg, OU=MyDept, CN=Connection1]
charon: 13[CFG] no matching peer config found
charon: 13[IKE] peer supports MOBIKE
charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I have imported two certificates to the client, one for each connection,
and if I delete the certificate for Connection1, Connection2 will
successfully connect. Is Windows sending the wrong certificate, or is
Strongswan somehow choosing the wrong one? I do not see anywhere that I
can specify which certificate the client should use for a given connection.
The only conclusion I can reach is that the assumption is that the
client will only have one certificate installed to identify itself, so I
will need to either import the certs from one host to the other, or I
will need to create a certificate on the windows machine and upload that
to both hosts instead of creating separate certs for each connection?
Can anyone point out what boneheaded mistakes I am making here?
Many thanks,
Tom
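An added triage script for charon logs like the one above (editor's example; not part of Tom's post or of strongSwan). It groups lines by charon thread id and reports which CAs the client requested, which end-entity subject it actually presented, and whether that subject's CN is the one the operator expects for this server; `expected_cn` is an assumed operator-supplied value, not something the log contains, and the sample log is constructed from the post's lines re-joined to one line each.

```python
import re
from collections import defaultdict
# Constructed sample: the charon lines from the post, re-joined to one line each.
SAMPLE_LOG = """\
charon: 13[IKE] received cert request for "C=US, ST=QQ, L=Connection2Town, O=Connection2Org, OU=Connection2Dept, CN=Connection2 CA, E=user@connection2.com"
charon: 13[IKE] received cert request for "C=US, ST=ZZ, L=Connection1Town, O=Connection1Org, OU=Connection1Dept, CN=Connection1CA, E=user@connection1.com"
charon: 13[IKE] received 42 cert requests for an unknown ca
charon: 13[IKE] received end entity cert "C=US, ST=ZZ, O=MyOrg, OU=MyDept, CN=Connection1"
charon: 13[CFG] looking for peer configs matching x.x.x.x[%any]...y.y.y.y[C=US, ST=ZZ, O=MyOrg, OU=MyDept, CN=Connection1]
charon: 13[CFG] no matching peer config found
charon: 13[IKE] peer supports MOBIKE
charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(r"charon: (\d+)\[\w+\] (.*)")  # thread id, message
CERTREQ_RE = re.compile(r'received cert request for "([^"]+)"')
UNKNOWN_RE = re.compile(r"received (\d+) cert requests for an unknown ca")
EE_RE = re.compile(r'received end entity cert "([^"]+)"')

def parse_dn(dn):
    """Turn a charon-printed DN ("C=US, ST=ZZ, CN=x") into an attr -> value dict."""
    return dict(part.split("=", 1) for part in dn.split(", "))

def diagnose(log_text, expected_cn):
    """Summarise each charon thread's IKE_AUTH: which CAs the peer asked for, which
    subject it presented, and whether that subject's CN differs from expected_cn."""
    threads = defaultdict(lambda: {"requested_cas": [], "unknown_ca_requests": 0,
                                   "presented_subject": None, "no_peer_config": False,
                                   "auth_failed": False})
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        t, msg = threads[m.group(1)], m.group(2)
        if c := CERTREQ_RE.search(msg):
            t["requested_cas"].append(parse_dn(c.group(1)).get("CN"))
        elif u := UNKNOWN_RE.search(msg):
            t["unknown_ca_requests"] = int(u.group(1))
        elif e := EE_RE.search(msg):
            t["presented_subject"] = e.group(1)
        elif "no matching peer config found" in msg:
            t["no_peer_config"] = True
        elif "N(AUTH_FAILED)" in msg:
            t["auth_failed"] = True
    for t in threads.values():
        cn = parse_dn(t["presented_subject"]).get("CN") if t["presented_subject"] else None
        t["presented_cn"] = cn
        # Server rejected the shown identity; a CN other than the expected one points at the client picking the wrong cert.
        t["wrong_cert_suspected"] = t["no_peer_config"] and cn is not None and cn != expected_cn
    return dict(threads)
```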