Hi Sven,

leftsendcert=never actually causes no certificate to be sent. You probably want to send rightcert=never which suppresses the certificate request.

Regards
Andreas

----- Original message -----
> Hi Tobias, Hi Martin,
>
> thanks for your replies!
>
> I fixed the issue of the missing md4 plugin. Now md4 is being successfully
> loaded as plugin during startup of strongSwan:
>
> 01[DMN] loaded plugins: aes des sha1 sha2 md4 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> That's true, Tobias, the IKE AUTH gets sent by strongSwan. But I still can't
> figure out why strongSwan does not include the CERT into the IKE AUTH response
> (in fact Win 7 sends a CERTREQ to strongSwan):
>
> 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
> 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
> 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/private/clientkey.pem'
> 01[CFG] loaded EAP secret for test
>
> ...
>
> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
> 07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"
> 07[CFG] looking for peer configs matching 192.168.10.90[%any]...192.168.10.12[192.168.10.12]
> 07[CFG] selected peer config 'host-host'
> 07[IKE] initiating EAP-Identity request
> 07[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
> 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> 07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Any ideas what's going wrong? Why does strongSwan not reply with IKE AUTH
> [Idr AUTH CERT EAP REQ/ID] as I would expect? Could it be a misconfiguration of
> strongSwan? My ipsec.conf looks as follows:
>
> config setup
>     plutostart=no
>
> conn host-host
>     esp = 3des-sha1
>     ike = 3des-sha1-modp1024
>     left=%defaultroute
>     leftsubnet=192.168.2.0/24
>     leftcert=clientcert.pem
>     leftsendcert=never
>     right=192.168.10.12
>     rightsubnet=192.168.3.0/24
>     rightauth=eap-mschapv2
>     eap_identity=%any
>     keyexchange=ikev2
>     auto=add
>
> Thanks for your help!
> Kind Regards,
> Sven
>
>
> Kind regards / Best regards
>
> Sven Kerschbaum
>
> Siemens AG
> Industry Sector Industry Automation Division
> mailto:[email protected]
> http://www.siemens.com/automation
>
> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme
> Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer;
> Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann Requardt,
> Siegfried Russwurm, Peter Y. Solmssen
> Registered offices: Berlin and Munich;
> Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
> WEEE-Reg.-No. DE 23691322
>
>
> -----Original message-----
> From: Tobias Brunner [mailto:[email protected]]
> Sent: Friday, 7 May 2010 11:34
> To: Martin Willi
> Cc: Kerschbaum, Sven; [email protected]
> Subject: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)
>
> Hi Martin, Hi Sven,
>
> the response is just a little bit below:
>
> > 08[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
> > 08[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
> > 08[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
>
> Which indicates that the gateway certificate is not sent, which might cause
> this error in Win7.
>
> One other thing, not related to this particular error, but will cause the
> authentication to fail later:
>
> > 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp stroke eap-identity eap-mschapv2
>
> The MD4 plugin is not built/loaded (which is required, if you don't use the
> OpenSSL plugin), therefore the NT-Hashes cannot be generated.
>
> Regards,
> Tobias
>
> --
> ======================================================================
> Tobias Brunner
> [email protected]
> strongSwan - The Linux VPN Solution! http://www.strongswan.org
> ======================================================================
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
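The diagnosis reached in this thread (the peer sends a CERTREQ, the IKE_AUTH response carries no CERT payload, and the conn has leftsendcert=never next to a leftcert) can be checked mechanically against a config and a charon log. The script below is an added example written for this page; it is not code from the thread or from strongSwan. The sample ipsec.conf and log lines are constructed from the ones quoted above, and the regular expressions assume the charon log format shown in the thread.

```python
import re

# Constructed sample: the conn quoted in the thread, with the setting that
# suppresses sending our own certificate.
SAMPLE_IPSEC_CONF = """\
config setup
    plutostart=no

conn host-host
    esp = 3des-sha1
    ike = 3des-sha1-modp1024
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    leftcert=clientcert.pem
    leftsendcert=never
    right=192.168.10.12
    rightsubnet=192.168.3.0/24
    rightauth=eap-mschapv2
    eap_identity=%any
    keyexchange=ikev2
    auto=add
"""

# Constructed sample log, modelled on the charon lines quoted in the thread.
SAMPLE_LOG = """\
07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
07[IKE] received cert request for "O=Siemens, OU=ATS, L=Nuremberg, ST=Bavaria, C=DE, CN=ikeca"
07[IKE] authentication of 'C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient' (myself) with RSA signature successful
07[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP ]
07[NET] sending packet: from 192.168.10.90[4500] to 192.168.10.12[4500]
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")
IKE_AUTH_REQ_RE = re.compile(r"parsed IKE_AUTH request \d+ \[ (.*?) \]")
IKE_AUTH_RESP_RE = re.compile(r"generating IKE_AUTH response \d+ \[ (.*?) \]")


def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {"conn name": {key: value}, ...}.

    Accepts both 'key=value' and 'key = value'; '#' comments and blank
    lines are skipped. Section headers start in column 0.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m and not line[0].isspace():
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def find_sendcert_problems(sections):
    """Names of conns that load a local certificate but never send it.

    A peer that asks for our certificate (CERTREQ) cannot verify our RSA
    signature unless a CERT payload is sent, so leftsendcert=never only
    works when the peer already holds our certificate.
    """
    problems = []
    for name, opts in sections.items():
        if not name.startswith("conn "):
            continue
        if opts.get("leftcert") and opts.get("leftsendcert", "").lower() == "never":
            problems.append(name.split(" ", 1)[1])
    return problems


def payloads(line_re, log_text):
    """Payload names from the first log line matching line_re, or None."""
    for line in log_text.splitlines():
        m = line_re.search(line)
        if m:
            return m.group(1).split()
    return None


def diagnose(conf_text, log_text):
    """Cross-check config and log; return a one-line verdict."""
    req = payloads(IKE_AUTH_REQ_RE, log_text) or []
    resp = payloads(IKE_AUTH_RESP_RE, log_text) or []
    problems = find_sendcert_problems(parse_ipsec_conf(conf_text))
    if "CERTREQ" in req and "CERT" not in resp:
        if problems:
            return "peer requested CERT, none sent: leftsendcert=never in conn " + ", ".join(problems)
        return "peer requested CERT, none sent: check leftsendcert/leftcert"
    return "ok"


if __name__ == "__main__":
    print(diagnose(SAMPLE_IPSEC_CONF, SAMPLE_LOG))
```

Run against the constructed samples it reports the thread's situation; once the conn no longer says leftsendcert=never and the response line shows a CERT payload, it reports "ok". The config parser is a minimal one for this check, not a full ipsec.conf parser (it ignores "also=" and "%default" inheritance).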
