> Chris,
> Assuming elcKey.pem is the private key associated with the certificate
> elcCert.pem (used for conn teknerds), shouldn't there be another private key
> associated with server_cert.crt used in conn rclientscerts? Just wondering,
> since you are using separate (left) certificates for the connections...

Nothing has been changed in the ipsec.secrets file except the iOS secret being commented out. This worked for months without any issues. Kimmo, a user here on the list, configured it and tested it and it was working. The last thing that was done was the SLES strongSwan update from 4.3 to 4.4. The other conn, teknerds, works fine.

> The ipsec.secrets should be more like
>
>     : RSA elcKey.pem
>     : RSA server_Key.pem <"my-passphrase">
>
> where the passphrase is needed only if the private key is password protected.

On Mon, Dec 31, 2012 at 10:55 AM, Chris Arnold <[email protected]> wrote:

> strongSwan 4.4.06 on SLES 11 SP2. This used to work. I am working on adding
> users with iOS to strongSwan but have commented that out of ipsec.conf and
> ipsec.secrets to verify this is not the problem. A user on Windows 7 with a
> client cert connects and receives:
>
>     Error 13801: IKE Authentication Credentials are unacceptable
>
> All other VPN connections work (like the conn teknerds, which is strongSwan
> to SonicWall). Error in the charon.log:
>
>     13[IKE] received end entity cert "O=Chris VPN service, CN=Client2"
>     13[CFG] looking for peer configs matching 192.168.1.18[%any]...public.ip[O=Chris VPN service, CN=Client2]
>     13[CFG] selected peer config 'rclientscerts'
>     13[CFG] using certificate "O=Chris VPN service, CN=Client2"
>     13[CFG] using trusted ca certificate "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=Jarrod, E=email@address"
>     13[CFG] checking certificate status of "O=Chris VPN service, CN=Client2"
>     13[CFG] certificate status is not available
>     13[CFG] reached self-signed root ca with a path length of 0
>     13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful
>     13[IKE] peer supports MOBIKE
>     13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
>     13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> Here is ipsec.conf:
>
>     config setup
>         # plutodebug=all
>         crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         nat_traversal=yes
>         # charonstart=no
>         plutostart=no
>         #charondebug="cfg 3,lib=3"
>
>     # Add connections here.
>
>     conn %default
>         ikelifetime=28800s
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
>
>     conn rclientseap
>         rekey=no
>         left=%any
>         leftauth=pubkey
>         leftcert=server_cert.crt
>         leftid=[email protected]
>         leftsubnet= 0.0.0.0/0
>         right=%any
>         rightsourceip= 192.168.2.0/24
>         rightauth=eap-mschapv2
>         rightsendcert=never
>         eap_identity=%any
>         mobike=yes
>         auto=ignore
>
>     conn rclientscerts
>         rekey=no
>         left=%any
>         leftauth=pubkey
>         leftcert=server_cert.crt
>         leftid=[email protected]
>         leftsubnet= 0.0.0.0/0
>         right=%any
>         rightsourceip= 192.168.2.0/24
>         #rightauth=eap-mschapv2
>         #rightsendcert=never
>         #eap_identity=%any
>         mobike=yes
>         auto=add
>
>     conn teknerds
>         left=%defaultroute
>         leftcert=elcCert.pem
>         leftsubnet= 192.168.1.0/24
>         #leftid="C=XX, O=X, CN=Edens Land Corp VPN"
>         #leftfirewall=yes
>         right=sonicwall.public.ip
>         rightsubnet= 192.168.123.0/24
>         rightcert=teknerdsCert.pem
>         rightid="C=XX, O=X, CN=Tek-Nerds VPN"
>         auto=add
>
>     #conn iOS
>     #    keyexchange=ikev1
>     #    authby=xauthrsasig
>     #    xauth=server
>     #    left=%defaultroute
>     #    leftsubnet= 192.168.1.0/24
>     #    leftcert=elcCert.pem
>     #    right=%any
>     #    rightsourceip= 192.168.3.0/24
>     #    #rightcert=
>     #    pfs=no
>     #    auto=add
>
> Here is ipsec.secrets:
>
>     : RSA elcKey.pem
>
> Any help with this is greatly appreciated
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
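The failure in this thread is visible in three places at once: charon selects conn rclientscerts, that conn presents leftcert=server_cert.crt, and ipsec.secrets only names elcKey.pem, so charon logs "no private key found" for the gateway identity and answers with AUTH_FAILED. The script below is an added example (not from the thread or the strongSwan project) that automates that cross-check: it parses ipsec.conf (folding conn %default into each conn), parses ipsec.secrets for the RSA/ECDSA key files it loads, and correlates "selected peer config" with "no private key found" per charon worker thread. The sample config, secrets and log lines are constructed from the ones posted above and trimmed; the optional cert_key_match helper shells out to openssl and is not exercised by the sample run because no key material ships with the example.

```python
"""Triage helper for a strongSwan "no private key found" IKE_AUTH failure.

Added example (not from the mailing-list thread). Cross-checks three inputs:
  * ipsec.conf    -> which leftcert each conn presents to peers
  * ipsec.secrets -> which private keys charon has been told to load
  * charon.log    -> which conn was selected on the thread that logged the failure
"""
import re
import subprocess


def parse_ipsec_conf(text):
    """Return {conn: {setting: value}} with 'conn %default' folded into every conn."""
    # ipsec.conf layout: section headers ('conn X', 'config setup') start in column 0,
    # settings are indented key=value lines, and '#' starts a comment.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                       # section header
            kind, _, name = line.partition(' ')
            current = name.strip() if kind == 'conn' else None
            if current is not None:
                sections[current] = {}
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip()] = value.strip()
    defaults = sections.pop('%default', {})
    return {name: {**defaults, **cfg} for name, cfg in sections.items()}


SECRET_LINE = re.compile(r'^(?P<selectors>[^:]*):\s*(?P<kind>\S+)\s*(?P<rest>.*)$')


def parse_ipsec_secrets(text):
    """Return the key files named by ': RSA <file> [passphrase]' (or ECDSA) entries."""
    keyfiles = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):          # whole-line comments only
            continue
        m = SECRET_LINE.match(line)
        if m and m.group('kind') in ('RSA', 'ECDSA') and m.group('rest').split():
            keyfiles.append(m.group('rest').split()[0])   # a quoted passphrase may follow
    return keyfiles


LOG_LINE = re.compile(r'^\s*(?P<thread>\d+)\[(?P<group>\w+)\]\s+(?P<msg>.*)$')
SELECTED = re.compile(r"selected peer config '(?P<conn>[^']+)'")
NO_KEY = re.compile(r"no private key found for '(?P<ident>[^']+)'")


def diagnose(conf_text, secrets_text, log_text):
    """Correlate 'no private key found' log lines with the conn and leftcert involved."""
    conns = parse_ipsec_conf(conf_text)
    keyfiles = parse_ipsec_secrets(secrets_text)
    selected = {}                                      # charon thread id -> chosen conn
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        thread, msg = m.group('thread'), m.group('msg')
        sel = SELECTED.search(msg)
        nokey = NO_KEY.search(msg)
        if sel:
            selected[thread] = sel.group('conn')
        elif nokey:
            conn = selected.get(thread)
            leftcert = conns.get(conn, {}).get('leftcert')
            findings.append({
                'conn': conn, 'leftcert': leftcert, 'identity': nokey.group('ident'),
                'keys_in_secrets': keyfiles,
                'hint': f"ipsec.secrets names {keyfiles}; add ': RSA <private key of "
                        f"{leftcert}>' and run 'ipsec rereadsecrets'",
            })
    return findings


def cert_key_match(cert_path, key_path):
    """True if key_path is the private key for cert_path (compares the PEM public keys).
    Shells out to openssl; not called by the sample run below (no key material here)."""
    def pub(*args):
        return subprocess.run(['openssl', *args], check=True, capture_output=True,
                              text=True).stdout.strip()
    return pub('x509', '-noout', '-pubkey', '-in', cert_path) == pub('pkey', '-pubout', '-in', key_path)


# Constructed sample input, trimmed from the thread's ipsec.conf, ipsec.secrets and charon log.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        plutostart=no

conn %default
        ikelifetime=28800s
        keyexchange=ikev2
        mobike=no

conn rclientscerts
        left=%any
        leftauth=pubkey
        leftcert=server_cert.crt
        leftsubnet= 0.0.0.0/0
        right=%any
        rightsourceip= 192.168.2.0/24
        #rightauth=eap-mschapv2
        mobike=yes
        auto=add

conn teknerds
        left=%defaultroute
        leftcert=elcCert.pem
        right=sonicwall.public.ip
        rightcert=teknerdsCert.pem
        auto=add
"""
SAMPLE_SECRETS = ": RSA elcKey.pem\n"
SAMPLE_LOG = """\
13[CFG] selected peer config 'rclientscerts'
13[IKE] authentication of 'O=Chris VPN service, CN=Client2' with RSA signature successful
13[IKE] no private key found for 'O=Chris VPN service, CN=70.63.136.95'
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

if __name__ == '__main__':
    for f in diagnose(SAMPLE_CONF, SAMPLE_SECRETS, SAMPLE_LOG):
        print(f"conn {f['conn']}: leftcert={f['leftcert']} has no loaded key; {f['hint']}")
```

Run it against the real files with `diagnose(open('/etc/ipsec.conf').read(), open('/etc/ipsec.secrets').read(), open('/var/log/charon.log').read())`; once the missing `: RSA ...` line is added, `cert_key_match('server_cert.crt', 'server_key.pem')` (paths assumed) confirms the pair belongs together before `ipsec rereadsecrets`.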
