Chris, Assuming elcKey.pem is the private key associated with the certificate elcCert.pem (used for conn teknerds), shouldn't there be another private key associated with server_cert.crt used in conn rclientscerts? Just wondering since you are using separate (left) certificates for the connections...
The ipsec.secrets should be more like:

: RSA elcKey.pem
: RSA server_Key.pem <"my-passphrase">

Where the passphrase is needed only if the private key is password protected.

Thanks,
Bharath Kumar

On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold <[email protected]> wrote:
>
>> strongSwan 4.4.06 on SLES 11 SP2. This used to work, I am working on
>> adding users with iOS to strongSwan but have commented that out of
>> ipsec.conf and ipsec.secret to verify this is not the problem. User with
>> Windows 7 with client cert connects and receives:
>> Error 13801: IKE Authentication Credentials are unacceptable
>>
>> All other VPN connections work (like the conn teknerds which is
>> strongSwan to sonicwall).
>>
>> Error in the charon.log:
>> 13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
>> 13[CFG] looking for peer configs matching
>> 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]
>> 13[CFG] selected peer config 'rclientscerts'
>> 13[CFG] using certificate "O=Chris VPN service, CN=Client2"
>> 13[CFG] using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens
>> Land Corp, OU=ELC, CN=Jarrod, E=email@address"
>> 13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"
>> 13[CFG] certificate status is not available
>> 13[CFG] reached self-signed root ca with a path length of 0
>> 13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA
>> signature successful
>> 13[IKE] peer supports MOBIKE
>> 13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
>> 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>
>> Here is ipsec.conf:
>> config setup
>>     # plutodebug=all
>>     crlcheckinterval=600
>>     strictcrlpolicy=no
>>     # cachecrls=yes
>>     nat_traversal=yes
>>     # charonstart=no
>>     plutostart=no
>>     #charondebug="cfg 3,lib=3"
>>
>> # Add connections here.
>>
>> conn %default
>>     ikelifetime=28800s
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     mobike=no
>>
>> conn rclientseap
>>     rekey=no
>>     left=%any
>>     leftauth=pubkey
>>     leftcert=server_cert.crt
>>     [email protected]
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightsourceip=192.168.2.0/24
>>     rightauth=eap-mschapv2
>>     rightsendcert=never
>>     eap_identity=%any
>>     mobike=yes
>>     auto=ignore
>>
>> conn rclientscerts
>>     rekey=no
>>     left=%any
>>     leftauth=pubkey
>>     leftcert=server_cert.crt
>>     [email protected]
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightsourceip=192.168.2.0/24
>>     #rightauth=eap-mschapv2
>>     #rightsendcert=never
>>     #eap_identity=%any
>>     mobike=yes
>>     auto=add
>>
>> conn teknerds
>>     left=%defaultroute
>>     leftcert=elcCert.pem
>>     leftsubnet=192.168.1.0/24
>>     #leftid="C=XX, O=X, CN=Edens Land Corp VPN"
>>     #leftfirewall=yes
>>     right=sonicwall.public.ip
>>     rightsubnet=192.168.123.0/24
>>     rightcert=teknerdsCert.pem
>>     rightid="C=XX, O=X, CN=Tek-Nerds VPN"
>>     auto=add
>>
>> #conn iOS
>> #    keyexchange=ikev1
>> #    authby=xauthrsasig
>> #    xauth=server
>> #    left=%defaultroute
>> #    leftsubnet=192.168.1.0/24
>> #    leftcert=elcCert.pem
>> #    right=%any
>> #    rightsourceip=192.168.3.0/24
>> #    #rightcert=
>> #    pfs=no
>> #    auto=add
>>
>> Here is ipsec.secret:
>> : RSA elcKey.pem
>>
>> Any help with this is greatly appreciated
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
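As an added troubleshooting helper (not code from the thread or from strongSwan), the script below pairs charon's "selected peer config" line with the later "no private key found" line and looks up that conn's leftcert in ipsec.conf, so the certificate whose private key is missing from ipsec.secrets is named directly. The log and config excerpts are constructed from the messages above, with the redacted leftid line left out; the function names are my own.

```python
import re

# Constructed excerpts based on the charon.log and ipsec.conf quoted in the thread.
CHARON_LOG = """\
13[CFG] selected peer config 'rclientscerts'
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""
IPSEC_CONF = """\
conn rclientscerts
    left=%any
    leftauth=pubkey
    leftcert=server_cert.crt
    #rightauth=eap-mschapv2
conn teknerds
    leftcert=elcCert.pem
"""

def parse_conns(conf_text):
    """Return {conn name: {setting: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def find_missing_keys(log_text, conf_text):
    """Pair each 'no private key found' line with the conn charon last selected.
    Returns (conn, leftcert, identity): ipsec.secrets lacks that leftcert's key."""
    conns = parse_conns(conf_text)
    selected, findings = None, []
    for line in log_text.splitlines():
        m = re.search(r"selected peer config '([^']+)'", line)
        if m:
            selected = m.group(1)
            continue
        m = re.search(r"no private key found for '([^']+)'", line)
        if m and selected is not None:
            cert = conns.get(selected, {}).get("leftcert", "<no leftcert>")
            findings.append((selected, cert, m.group(1)))
    return findings
```

For the thread's log it reports conn rclientscerts with leftcert=server_cert.crt, which is exactly the certificate that has no matching `: RSA` line in ipsec.secrets.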
