Good morning everybody, hope you had a nice and sunny weekend ;). After trying hard to resolve the issue of failing to allocate an SPI, I have now further ideas what is causing this error:

12[IKE] IKE_SA host-host[1] established between 192.168.10.90[C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient]...192.168.10.12[192.168.10.12]
12[IKE] peer requested virtual IP %any
12[CFG] assigning new lease to '192.168.10.12'
12[IKE] assigning virtual IP 10.10.3.1 to peer
12[IKE] allocating SPI failed
12[ENC] generating IKE_AUTH response 5 [ AUTH CP N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]

Does anybody have an idea/hint/...?

Thanks in advance,
Sven

Best regards

Sven Kerschbaum

Siemens AG
Industry Sector Industry Automation Division
mailto:[email protected]
http://www.siemens.com/automation

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme
Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer;
Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann Requardt,
Siegfried Russwurm, Peter Y. Solmssen
Registered offices: Berlin and Munich;
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
WEEE-Reg.-No. DE 23691322

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Friday, 7 May 2010 15:01
To: Kerschbaum, Sven; Martin Willi
Cc: [email protected]
Subject: Aw: Re: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2 (Username and password)

Did you read the certificate constraints defined in

http://wiki.strongswan.org/projects/strongswan/wiki/Win7cCertReq

- gateway name contained either in CN or subjectAltName.
- serverAuth Extended Key Usage flag

andreas

----- Original Message -----
> Yeah, right. I already changed the ipsec.conf to:
>
> leftsendcert=always
>
> strongSwan now generates the IKE AUTH response IKE AUTH [Idr AUTH CERT EAP].
>
> Now it's a step further but Win 7 still complains with the following message:
>
> "Error 13801: IKE authentication credentials are unacceptable"
>
> In Win 7 I installed the CA certificate used by the strongSwan server as a trusted
> root certificate. I also made an entry to the Win 7 - host file mapping cert
> details to the IP address of the strongSwan server.
>
> 192.168.10.90 ikeclient
>
> Hmm... Thanks for your assistance and great help!
>
> Best regards
>
> Sven Kerschbaum
>
> -----Original Message-----
> From: Martin Willi [mailto:[email protected]]
> Sent: Friday, 7 May 2010 13:44
> To: Kerschbaum, Sven
> Cc: [email protected]
> Subject: Re: AW: [strongSwan] strongSwan + Windows 7 + IKEv2 + MSCHAPv2
> (Username and password)
>
> Hi again,
>
> > the response is just a little bit below:
>
> Ah yes, haven't seen the first authentication round in the log.
>
> > Why does strongSwan not reply with IKE AUTH [Idr AUTH CERT EAP REQ/ID]
>
> > leftsendcert=never
>
> Looks suspicious ;-). The example configuration uses
> rightsendcert=never, which actually says to not request a certificate
> from the client. leftsendcert=never will not include our own
> certificate, for example if a client already has the peer certificate of
> the gateway. But Windows 7 always expects a certificate payload to
> authenticate the gateway.
>
> Regards
> Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
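
Added example, not part of the thread and not strongSwan's own tooling: a small Python check of the two certificate constraints listed in Andreas's reply, run over the text printed by `openssl x509 -noout -text`. The function names are hypothetical and the sample certificate text is constructed; only its subject DN is taken from the log above, and its extensions are invented for the demonstration.

```python
import re

# Constructed sample of `openssl x509 -noout -text` output. Only the subject DN
# comes from the log in the thread; the extensions are invented for the demo.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: C=DE, ST=Bavaria, O=Siemens, OU=andere, CN=ikeclient
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""


def _extension_value(cert_text, ext_name):
    """Return the value line that follows an 'X509v3 <ext_name>:' header, or ''."""
    m = re.search(r"X509v3 %s:[^\n]*\n\s*([^\n]+)" % re.escape(ext_name), cert_text)
    return m.group(1).strip() if m else ""


def check_gateway_cert(cert_text, gateway_name):
    """Return a list of problems against the two constraints quoted in the thread."""
    problems = []
    # Constraint 1: gateway name contained either in CN or subjectAltName.
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", cert_text)
    names = {cn.group(1).strip().lower()} if cn else set()
    for entry in _extension_value(cert_text, "Subject Alternative Name").split(","):
        kind, _, value = entry.strip().partition(":")
        if kind in ("DNS", "IP Address") and value:
            names.add(value.strip().lower())
    if gateway_name.lower() not in names:
        problems.append("gateway name %r not in CN/subjectAltName %s"
                        % (gateway_name, sorted(names)))
    # Constraint 2: serverAuth Extended Key Usage flag.
    eku = _extension_value(cert_text, "Extended Key Usage")
    if "TLS Web Server Authentication" not in eku:
        problems.append("serverAuth EKU missing (found: %s)" % (eku or "none"))
    return problems


if __name__ == "__main__":
    # Check both ways a client might address the gateway: by name and by IP.
    for name in ("ikeclient", "192.168.10.90"):
        print(name, "->", check_gateway_cert(SAMPLE_CERT_TEXT, name) or "OK")
```

The gateway name passed in should be exactly what is entered as the server address in the Windows 7 VPN connection, since that is the value the two name fields are compared against.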
