In my experience (not strongswan in this case) this sort of info is
exchanged during a MODE_CFG extended IKE exchange. This is a
request-response protocol, so if the client does not request it, the
server will not send it.
On Wed, 2012-08-22 at 04:37 +, Mao, Zhiheng wrote:
Hi there,
I
Hi,
I am trying to form a tunnel using RSA authentication in Strongswan with
CISCO as peer, but
I am getting the below error message.
Aug 22 12:03:34 uxcasxxx charon: 08[CFG] selected peer config 'site-site'
Aug 22 12:03:34 uxcasxxx charon: 08[CFG] using certificate C=IN, O=CAS
Aug 22
Your Cisco must be configured to use sha-1 instead of sha-256.
Strongswan is using sha-256 which the Cisco is complaining about. Check
your crypto map and related isakmp profiles.
On Wed, 2012-08-22 at 12:16 +0530, SaRaVanAn wrote:
Hi,
I am trying to form a tunnel using RSA authentication in
Hi,
08[LIB] expected hash algorithm HASH_SHA1, but found HASH_SHA256 (OID:
30:0d:06:09:60:86:48:01:65:03:04:02:01:05:00)
Your certificate looks bogus. The certificate itself says (in the X.509
encoding) it is signed by the CA using SHA1, but the PKCS#1 signature
contains an OID for SHA256.
I'll try again
You have the rightid configured to use only the email address part of the
Cisco's ID trusted CA. I think the ID doesn't match so it does not
consider the auth policy defined in conn site-site.
What has worked for me in this situation (IOS 12.4 and IOS 15.1) is to
export the cert
Hi Zhiheng,
Since the configuration is done to the strongswan.conf, I am wondering
if other clients, for example, Bob, will also receive these addresses.
I guess this is the case, but what if Bob is not interested in
receiving DNS and DHCP addresses and has not requested them in its
IKEv2
Hi,
I played with a config to connect Win7 clients with EAP-MSCHAPv2 auth:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
works so far, but has the drawback that you can't assign static IPs
to a special user. I tried to simply use two connections with:
conn
Hi Andreas,
works like a charm.
Thank you very much!
Dirk
--On Wednesday, August 22, 2012 10:22:59 AM +0200 Andreas Steffen
andreas.stef...@strongswan.org wrote:
Hi Dirk,
did you have a look at the ipsec pool tool which allows to
pre-assign static IP addresses to users by storing them in
Hi all,
Is there any way for certificate authentication using Domain names
instead of Distinguished names? Because by default: in the
load_tester_config.c file it uses Distinguished names. Also, if I use the
load tester plugin i should use strongswan.conf file (which does not have
rightid