Hello Martin,

Thanks for your answer.

> Windows supports L2TP/IPsec for a long time, but this setup uses IKEv1.
> The new IKEv2 client in Windows 7 does plain IPsec, no L2TP tunneling is
> involved.

OK, I understand. I must say that this is my very first practical experience in this side of networking. A few years ago I had lessons about VPNs and tunnelling, but it wasn't very clear. So, with IKEv2 I don't need to install and configure xl2tpd with strongSwan, is that right?

> So if you have Windows 7 Clients only, I highly recommend to use IKEv2
> only.

I don't have Windows 7 clients only. I plan to connect Android devices and OpenWrt routers with IPsec clients. A friend of mine told me I would be better off using OpenSwan with PSK IPsec/L2TP because it's the only native IPsec thing in the Android world. Honestly, I haven't yet taken the time to look further into Android connectivity; the only W7 connection is a trial.

> You'll need the "Server Authentication" Extended Key usage
> (1.3.6.1.5.5.7.3.1) and the DNS name you configure in your Windows
> connection profile as a subjectAltName in the certificate. See [1] for
> details, [2] may be of help, too. If it doesn't work, you can try to
> temporarily (!) disable extended checks as outlined in [1]. If it still
> doesn't work, double check that your CA is installed correctly.

About this part of the deal, I can say I'm OK. My certs were installed in the central W7 certification centre without any error (I can see the hierarchical tree between my CA and my cert in W7, no problems). Moreover, I added the four EKUs I mentioned before and of course wrote the subAltName. In a nutshell, according to all the web pages I have read over the past week, I think W7 has all the elements to see my cert and use it to build my tunnel. I don't understand why that is not actually what is happening.

Best regards,
François.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
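
The two certificate properties named in the quoted advice (the Server Authentication EKU, 1.3.6.1.5.5.7.3.1, and the connection's DNS name as a subjectAltName) can be checked on the gateway certificate with the openssl CLI. This is an added example, not part of the original message; the function name `check_ikev2_cert`, the file path and the host name are assumptions.

```shell
#!/bin/sh
# Added example: verify a gateway certificate against the two requirements
# quoted above. Function name, paths and host names are hypothetical.

# check_ikev2_cert CERT_PEM DNS_NAME
# Returns 0 when the certificate carries the serverAuth EKU and DNS_NAME as a
# subjectAltName DNS entry; otherwise prints what is missing and returns 1.
# Returns 2 when openssl cannot parse the file.
check_ikev2_cert() {
    cert=$1
    name=$2
    rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # OpenSSL prints EKU 1.3.6.1.5.5.7.3.1 as "TLS Web Server Authentication"
    # on the line following the extension header.
    if ! printf '%s\n' "$text" \
            | awk '/X509v3 Extended Key Usage/ { getline; print }' \
            | grep -q 'TLS Web Server Authentication'; then
        echo "missing EKU serverAuth (1.3.6.1.5.5.7.3.1)"
        rc=1
    fi

    # SAN entries are printed as one comma-separated line, e.g.
    # "DNS:a.example, DNS:b.example". Split it and require an exact,
    # case-insensitive match so that a longer name does not pass by accident.
    if ! printf '%s\n' "$text" \
            | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
            | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
            | grep -qixF "DNS:$name"; then
        echo "missing subjectAltName DNS:$name"
        rc=1
    fi
    return $rc
}

# Stand-alone use: ./check_cert.sh gateway-cert.pem vpn.example.org
if [ "$#" -eq 2 ]; then
    check_ikev2_cert "$1" "$2"
fi
```

The name passed as the second argument has to be the same string that is entered as the server address in the Windows connection profile.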
