Andreas,

Finally I got my setup to work. The problem was (I think) the CN (Common Name) and SAN (Subject Alternative Name) of the Windows 7 certificates. I was using "win7" or "win71". This time I used "win7.mycompany.local" in both CN and SAN, and it made a difference. I am going to experiment with different combinations and see what the bare minimum requirements are.

Another issue I ran into after the certificate problem was solved was NAT. My Windows 7 was running in a VirtualBox virtual machine, which ran NAT to the network where StrongSwan was. Apparently in that setup Windows 7 could not finish the IKEv2 negotiation. It did start sending and receiving packets from StrongSwan, but when StrongSwan sent Windows 7 the final IKE Auth 1 packet, Windows 7 seemed to have either missed it or not been able to interpret it, so it continued to send the previous packet to StrongSwan and StrongSwan just kept retransmitting the last packet. Eventually Windows 7 timed out.

When I changed the VirtualBox network setting from NAT to Bridge, Windows 7 was able to finish the setup and establish the SA. Not sure why, since IKEv2 is supposed to be compatible with NAT, right?

I will probably follow up with a blog with more details.

Thanks for your help. Words cannot express my gratitude.

Best regards,

Tiebing

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
