Hi Martin, you've been a great help. Thanks a lot. I've been looking in all the wrong places all the time. I was indeed using the IKEv2 identity from the client, which doesn't match any fields in the client's certificate in my case. Sadly I don't know how to change the client's IKEv2 identity because the clients are Windows 7, not strongSwan clients.

But Windows after all lets me choose the eap_identity. So by choosing the subjectAlternativeName (normally an email address in my clients' certificates) as the EAP-identity on the client I actually got it to work. Sadly Windows 7 only gives me that choice if the public/private key pair is installed on the machine. It doesn't seem to work for smartcards (or at least I don't know how to make it work). I know this is not a Windows 7 list, but if anybody has a hint for me I'd be very grateful (I hope to be using my eToken).

Best regards
Andreas

On 07.10.2010 16:34, Martin Willi wrote:
> Hi Andreas,
>
>> I would like to let the clients authenticate
>> themselves with previously issued certificates that contain an email
>> address in the subjectAlternativeName (or that have no
>> subjectAlternativeName at all).
>
>> 01[TLS] no trusted certificate found for '141.99.152.189' to verify TLS peer
>
> Charon uses the same cert chain validation in TLS as in traditional
> IKEv2 certificate validation. This validator is a little more strict
> than other TLS stacks in that it requires the peer's identity to be
> contained as subject or as subjectAltName in the certificate. Having
> just the peer's identity as CN in the DN is not sufficient.
>
> The peer must either use the full DN of the certificate or one of the
> subjectAltNames as identity. You can specify the IKEv2 identity in
> ipsec.conf as leftid. If you use an additional EAP-Identity exchange
> (initiated by the server with eap_identity=%identity), you can specify
> the EAP-Identity with [email protected] on the client.
> Don't forget to --enable-eap-identity during configure, as this
> EAP-Identity exchange requires an additional plugin.
>
>> I just want to check if that client's certificate is issued by
>> a certain CA (and maybe has a certain field in the DN).
>
> Yes, this should be no problem. But the client must authenticate with an
> identity that is contained in the certificate.
>
> Regards
> Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
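For readers arriving at this thread later, here is the gateway-side setup Martin describes written out as an ipsec.conf fragment. This is an added example, not configuration from the thread or from the strongSwan project; the host name, file names, CA DN and address pool are placeholders, and the rightca line is an assumption about how the CA restriction Andreas asked about is expressed.

```conf
# /etc/ipsec.conf on the strongSwan gateway (added example, placeholders throughout)
config setup

conn win7-eap-tls
    keyexchange=ikev2
    # Gateway side: authenticates with its own certificate.
    left=%defaultroute
    leftcert=gatewayCert.pem              # placeholder file name
    leftid=vpn.example.org                # placeholder; must appear as a subjectAltName in gatewayCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    # Client side: Windows 7 clients authenticate with their certificate inside EAP-TLS.
    right=%any
    rightsourceip=10.99.0.0/24            # placeholder virtual IP pool
    rightauth=eap-tls
    rightid=%any                          # the IKEv2 identity is not the one charon matches against the cert
    eap_identity=%identity                # run the EAP-Identity exchange; needs ./configure --enable-eap-identity
    rightca="C=DE, O=Example, CN=Example Client CA"   # assumption: restrict accepted client certs to this CA
    auto=add
```

On the Windows 7 client, the EAP identity is then set to the e-mail address carried in the certificate's subjectAlternativeName, so that the identity charon checks is one actually contained in the certificate.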
