Re: [strongSwan] Difficulty connecting to windows server with linux strongswan client
Anvar Kuchkartaev <an...@anvartay.com> writes:

> I think you are using right=[IP] try to use hostname specified in remote
> server certificate.

Thanks for taking your time!

I'm using "right=server dns name". The server dns name is mentioned in
the certificate, as far as I can see. Nevertheless ipsec seems to
complain about the ip address. The ip address is that of the internal
server, I believe the server is NAT:ed.

>
> Anvar Kuchkartaev
> an...@anvartay.com
> Original Message
> From: joa...@verona.se
> Sent: Friday, November 17, 2017 10:02 p.m.
> To: users@lists.strongswan.org
> Subject: [strongSwan] Difficulty connecting to windows server with linux
> strongswan client
>
>
> Hello,
>
> I'm trying to use a ubuntu strongswan client to connect to a windows vpn
> server. I'm a strongswan newbie. Also I'm not managing the windows
> server, but the admin is pretty helpful.
>
> The config is anonymized a bit. I tried a lot of different
> configurations and this is just the latest one.
>
> The idea is that first should psk be used, and then smartcard cert
> should be used for the 2nd phase.
>
> It seems that the psk phase works AFAICS, but then negotiation stops,
> seemingly because the received cert doesn't match the ip or something.
>
> The end of the log looks like:
> 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
> 12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 12[TLS] server certificate does not match to '192.168.220.3'
> 12[TLS] sending fatal TLS alert 'access denied'
> 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
>
> Is there some way around this? Is there some way to add an exception for
> this certificate or something?
>
> Mac clients are able to connect to the
> same server as well as windows based clients.
>
>
> The config.
>
> config setup
>     strictcrlpolicy=no
>     uniqueids = yes
>     #charondebug="all"
>     charondebug="ike 4, knl 4,cfg 4,lib 4,tls 4"
>     # nat_traversal=yes
>
> # Add connections here.
>
> conn my-ipsec
>     leftid=user@domain
>
>     leftcert=%smartcard:45
>     authby=pubkey
>     rightid=%any
>
>     right=theserver
>     rightcert2=sstputvupa.cer
>
>     leftauth=eap
>     rightauth=psk
>     auto=start

--
Joakim Verona
joa...@verona.se
+46705459454
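
An added example (not from the thread, and not strongSwan's own matching code): it extracts the identity from the log lines quoted above and compares it, by type, with a certificate's subjectAltName entries, showing that an IP-address identity cannot be satisfied by a certificate that carries only DNS names. The SAN list and the `example.test` names are constructed, since the thread does not show the real certificate's contents.

```python
import ipaddress
import re

# Log lines quoted in the thread.
LOG = """\
12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
12[TLS] server certificate does not match to '192.168.220.3'
12[TLS] sending fatal TLS alert 'access denied'
"""
# Constructed SAN list, in the shape Python's ssl getpeercert() returns.
SAMPLE_SANS = (("DNS", "vpn.example.test"), ("DNS", "*.example.test"))
MISMATCH = re.compile(r"\[TLS\] server certificate does not match to '([^']+)'")

def expected_identities(log):
    """Identities the TLS server certificate was checked against."""
    return MISMATCH.findall(log)

def classify(identity):
    """Return ('IP', address object) or ('DNS', normalised name)."""
    try:
        return "IP", ipaddress.ip_address(identity)
    except ValueError:
        return "DNS", identity.lower().rstrip(".")

def san_matches(identity, sans):
    """Type-aware match: IP identities match only IP SANs, names only DNS SANs."""
    kind, value = classify(identity)
    for san_type, san_value in sans:
        if kind == "IP" and san_type == "IP Address":
            if ipaddress.ip_address(san_value) == value:
                return True
        elif kind == "DNS" and san_type == "DNS":
            pattern = san_value.lower().rstrip(".")
            if pattern == value:
                return True
            # A wildcard covers exactly one non-empty left-most label.
            label, _, rest = value.partition(".")
            if pattern.startswith("*.") and label and rest == pattern[2:]:
                return True
    return False

def triage(log, sans):
    """Per identity: (identity, kind, is_private_address, matches_certificate)."""
    rows = []
    for ident in expected_identities(log):
        kind, value = classify(ident)
        rows.append((ident, kind, kind == "IP" and value.is_private,
                     san_matches(ident, sans)))
    return rows
```
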
Re: [strongSwan] Difficulty connecting to windows server with linux strongswan client
I think you are using right=[IP] try to use hostname specified in remote
server certificate.

Anvar Kuchkartaev
an...@anvartay.com

Original Message
From: joa...@verona.se
Sent: Friday, November 17, 2017 10:02 p.m.
To: users@lists.strongswan.org
Subject: [strongSwan] Difficulty connecting to windows server with linux
strongswan client

Hello,

I'm trying to use a ubuntu strongswan client to connect to a windows vpn
server. I'm a strongswan newbie. Also I'm not managing the windows
server, but the admin is pretty helpful.

The config is anonymized a bit. I tried a lot of different
configurations and this is just the latest one.

The idea is that first should psk be used, and then smartcard cert
should be used for the 2nd phase.

It seems that the psk phase works AFAICS, but then negotiation stops,
seemingly because the received cert doesn't match the ip or something.

The end of the log looks like:
12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
12[TLS] server certificate does not match to '192.168.220.3'
12[TLS] sending fatal TLS alert 'access denied'
12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]

Is there some way around this? Is there some way to add an exception for
this certificate or something?

Mac clients are able to connect to the
same server as well as windows based clients.


The config.

config setup
    strictcrlpolicy=no
    uniqueids = yes
    #charondebug="all"
    charondebug="ike 4, knl 4,cfg 4,lib 4,tls 4"
    # nat_traversal=yes

# Add connections here.

conn my-ipsec
    leftid=user@domain

    leftcert=%smartcard:45
    authby=pubkey
    rightid=%any

    right=theserver
    rightcert2=sstputvupa.cer

    leftauth=eap
    rightauth=psk
    auto=start

--
Joakim Verona
joa...@verona.se
+46705459454
[strongSwan] Difficulty connecting to windows server with linux strongswan client
Hello,

I'm trying to use a ubuntu strongswan client to connect to a windows vpn
server. I'm a strongswan newbie. Also I'm not managing the windows
server, but the admin is pretty helpful.

The config is anonymized a bit. I tried a lot of different
configurations and this is just the latest one.

The idea is that first should psk be used, and then smartcard cert
should be used for the 2nd phase.

It seems that the psk phase works AFAICS, but then negotiation stops,
seemingly because the received cert doesn't match the ip or something.

The end of the log looks like:
12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
12[TLS] server certificate does not match to '192.168.220.3'
12[TLS] sending fatal TLS alert 'access denied'
12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]

Is there some way around this? Is there some way to add an exception for
this certificate or something?

Mac clients are able to connect to the
same server as well as windows based clients.


The config.

config setup
    strictcrlpolicy=no
    uniqueids = yes
    #charondebug="all"
    charondebug="ike 4, knl 4,cfg 4,lib 4,tls 4"
    # nat_traversal=yes

# Add connections here.

conn my-ipsec
    leftid=user@domain

    leftcert=%smartcard:45
    authby=pubkey
    rightid=%any

    right=theserver
    rightcert2=sstputvupa.cer

    leftauth=eap
    rightauth=psk
    auto=start

--
Joakim Verona
joa...@verona.se
+46705459454