Thank you very much for the detailed reply. It helped a lot, though I
have something to add.
> 6) Transfer 10.5.0.1.zip to the Windows host and load the certificates
> by double-clicking on them.
You should not import the cert by double-clicking on it - it will import
into the current user's facility instead of the local computer's. That will
cause a 13806 error message telling that there is no appropriate computer
certificate, etc. MMC and the local computer account switch should be
used instead.
> 7) Configure iked to do RSA auth w/o EAP (for the start):
>
> ikev2 "win7" passive esp \
>     from 192.168.0.0/24 to 192.168.1.0/24 local any peer any \
>     srcid 10.1.0.1 \
>     config address 192.168.1.100 \
>     config name-server 192.168.0.1
>
> Here, 192.168.0.0/24 is the network the client is getting access to,
> 192.168.1.0/24 is a "DHCP"-like network from which the client is
> getting an IP address (192.168.1.100 specifically). Please
> note that the code to turn this awkwardness into a real (DHCP-like)
> address pool specification is not written yet. Note that srcid
> has to match the host that the certificate is issued to, otherwise
> Windows will refuse to connect.
>
> Once you do that you can load iked and see that it hooks up the
> server certificate (in the iked -dvv output that is).
This is the most intriguing part :)
ikev2 "win7" esp \
    from 172.16.2.0/24 to 0.0.0.0/0 \
    peer 10.0.0.0/8 local 192.168.56.0/24 \
    eap "mschap-v2" \
    config address 172.16.2.1 \
    tag "$name-$id"
This example is from the man page. `config address' is in the range of
`from source', not of the destination subnet. Are you sure it should be
like you said?
How do I manage the `DHCP-like' addresses? Is this the address range the
client should be granted an IP from, OR is that the client's local
private network? I found that dhcpd cannot run on the enc0 interface. How
do you manage that?
Now the negotiation seems to be complete, but the connection still cannot
be established, for various reasons:
1. The Windows side stops on error #31 "Attached device is not working
properly" (looks like a Windows problem, though). Have you seen that?
2. EAP mode doesn't work - Windows stops with a "Checking username and
password" error. Then #13803, 1931...
> If someone thinks that this might be turned into some sort of a
> howto or FAQ entry or whatever, please feel free to reuse any
> piece of text. Attribution is welcomed but not required.
Your instructions really did the trick - I got rid of those annoying
troubles that were caused by strictly following the manuals... I think
it should have been written in more detail, covering in detail _every_
network part (with its role) that participates in the negotiation, 'cause
sometimes it has contradictory points. Probably it is a matter of
individual perception; nevertheless I had what I had, as well as tons of
others struggling with that in mailing lists across the web =)
Thanks.
--
Best regards,
Pavel Shvagirev
skype: pavel.shvagirev
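An added example, not part of the thread above and not iked's or ikectl's own tooling: the certificate import step done the way the reply describes (into the local computer stores rather than the current user's), scripted with certutil so it also works on Windows 7, followed by a check that the host certificate actually landed in the machine "Personal" store with its private key and a subject matching the srcid iked advertises. Everything path-related is an assumption: it assumes the exported zip was unpacked to C:\iked, that it contains the CA as ca.crt and the host certificate plus key as 10.5.0.1.pfx, and that the PFX password is the one placed in $PfxPassword. The srcid value 10.5.0.1 is taken from the thread's zip name; adjust it to whatever your iked `srcid` is.

```powershell
# Added example (not from the original thread). Import the iked CA and the
# Windows host's certificate into the LOCAL MACHINE stores from an elevated
# PowerShell prompt. Double-clicking the files instead runs the wizard in the
# current user's context, which is what produces IKE error 13806
# ("no appropriate computer certificate").
#
# Assumptions (labelled, adjust to your export):
$ExportDir   = 'C:\iked'                           # assumed unpack location of the zip
$CaFile      = Join-Path $ExportDir 'ca.crt'       # assumed CA file name
$PfxFile     = Join-Path $ExportDir '10.5.0.1.pfx' # assumed host cert+key file name
$PfxPassword = 'changeme'                          # assumed PFX export password
$SrcId       = '10.5.0.1'                          # must equal iked's srcid

foreach ($f in @($CaFile, $PfxFile)) {
    if (-not (Test-Path $f)) { throw "missing file: $f" }
}

# 1. CA certificate -> Local Computer\Trusted Root Certification Authorities.
#    Without "-user", certutil -addstore targets the machine store.
certutil.exe -addstore -f Root $CaFile
if ($LASTEXITCODE -ne 0) { throw "CA import failed, certutil exit code $LASTEXITCODE" }

# 2. Host certificate + private key -> Local Computer\Personal ("My").
#    Again no "-user", so this is the machine store IKEv2 looks in.
certutil.exe -p $PfxPassword -importPFX My $PfxFile
if ($LASTEXITCODE -ne 0) { throw "PFX import failed, certutil exit code $LASTEXITCODE" }

# 3. Verify from the machine's point of view: a certificate with a private
#    key whose subject carries the srcid must now exist in LocalMachine\My.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$hostCert = $store.Certificates |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SrcId*" }
$store.Close()

if (-not $hostCert) {
    throw "no machine certificate with a private key for '$SrcId' in LocalMachine\My"
}

# 4. Check that the CA we just added actually chains to it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # iked's CA normally publishes no CRL
if (-not $chain.Build($hostCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "host certificate does not chain to a trusted root in the machine store"
}

Write-Host ("OK: {0} (thumbprint {1}) is in LocalMachine\My with its private key" -f
    $hostCert.Subject, $hostCert.Thumbprint)
```

If the final check fails while "certutil -user -store My" lists the certificate, the import went into the user store after all (the double-click symptom). Revocation checking is disabled in the chain test only because the CA that ikectl generates typically provides no CRL distribution point; it says nothing about what the IKEv2 client itself does.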