Hi Martin

> Hi Hans,
>
>> I added multiple certificates OU=<groupname> to the cert store, hoping
>> that Windows would ask me which one to use, with no luck.
>
> I assume you are using Machine Certificates to authenticate the clients?
> I'm not aware of a way to enforce a specific certificate in IKE
> authentication.

Correct.

> What you might try is to switch from Machine Certificates to EAP-TLS
> authentication (in IKEv2). Microsoft uses EAP-TLS to authenticate users
> (not the Machine) with certificates or Smartcards. When selecting "Smart
> Card or certificate" as EAP method, you can even (un-)set a "Use simple
> certificate selection" flag that sounds promising.

If I recall correctly, with "use simple certificate selection" set, Windows is simply narrowing down the list of possible certificates for selection, I guess based on the DN of the remote cert.

I've tried what you suggested with the following ipsec.conf entries:

conn %default
        keyingtries=1
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyexchange=ikev2
        compress=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        mobike=no
        esp=aes256-sha1-modp4096!
        ike=aes256-sha512-modp4096!

conn dev
        rightsourceip=172.30.131.127/25
        eap_identity=dev-oti.dom.ch
        also=warriors

conn test
        rightsourceip=172.30.131.127/25
        eap_identity=test-oti.dom.ch
        also=warriors

conn warriors
        left=%defaultroute
        leftcert=oti-vpn.dom.ch.crt
        # the leftid value on the next line was obfuscated by the list archive
        [email protected]
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        #rightdns=
        esp=aes256-sha1!
        ike=aes256-sha2_384-modp1024!
        dpddelay=300s
        rekey=no
        mobike=yes
        auto=add
        rightsendcert=never
        rightauth=eap-tls


However, I could not convince strongswan to select the connection based on the TLS certificate.

...
Oct 27 15:43:42 oti-5700 charon: 13[CFG] looking for peer configs matching 172.30.131.20[%any]...192.168.3.70[192.168.3.70]
Oct 27 15:43:42 oti-5700 charon: 13[CFG]   candidate "dev", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG]   candidate "test", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG] selected peer config 'dev'
Oct 27 15:43:42 oti-5700 charon: 13[IKE] using configured EAP-Identity dev-oti.zal.io
...

Selecting the dev-oti.dom.ch cert on the Windows side brought up the connection. Selecting test-oti.dom.ch failed due to strongswan always using peer 'dev' (the first one) and the eap_identity mismatching. Looks like the peer config is selected before the EAP-TLS comes into play. Am I missing something here?

Regards
Hans

AND I'm impressed by the work and support you guys provide, thanks a lot!
-- 
Hans Riethmann

ortecin GmbH
Waffenplatzstrasse 40, 8002 Zuerich

mobile: +41 79 689 1052, phone:  +41 44 280 2828

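As an added illustration (not code from this mail or from strongSwan), a small Python script that groups the charon CFG lines quoted above by worker thread and flags a lookup in which several candidates tie on the me/other/ike score, so that config order rather than the client's identity decided which peer config was used. The sample log is a constructed copy of the lines in the mail, and the regular expressions are assumptions about the charon message format shown there, not a strongSwan API.

```python
import re
# Constructed sample modelled on the charon lines quoted in the mail
# (the anonymised hosts and addresses from the post, not real infrastructure).
SAMPLE_LOG = """\
Oct 27 15:43:42 oti-5700 charon: 13[CFG] looking for peer configs matching 172.30.131.20[%any]...192.168.3.70[192.168.3.70]
Oct 27 15:43:42 oti-5700 charon: 13[CFG]   candidate "dev", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG]   candidate "test", match: 1/1/6 (me/other/ike)
Oct 27 15:43:42 oti-5700 charon: 13[CFG] selected peer config 'dev'
Oct 27 15:43:42 oti-5700 charon: 13[IKE] using configured EAP-Identity dev-oti.zal.io
"""

# Every charon line carries a worker thread id, e.g. "13[CFG]"; the lines of one
# lookup share that id, which is how they are grouped (assumed format).
LINE_RE = re.compile(r'charon: (?P<thread>\d+)\[\w+\] (?P<msg>.*)$')
LOOKUP_RE = re.compile(r'looking for peer configs matching (?P<me>\S+)\.\.\.(?P<other>\S+)')
CAND_RE = re.compile(r'candidate "(?P<name>[^"]+)", match: (?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+)')
SELECT_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")
EAPID_RE = re.compile(r'using configured EAP-Identity (?P<id>\S+)')

def analyse_selection(log_text):
    """One record per peer-config lookup: candidates with me/other/ike scores,
    the selected config, the EAP identity taken from it, and 'ambiguous' when
    several candidates tie on the best score (config order, not the client's
    identity, then decides, as happened with 'dev' and 'test' in the mail)."""
    open_lookups = {}   # thread id -> lookup record still being filled in
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # not a charon line, e.g. the "..." ellipses
        thread, msg = m['thread'], m['msg'].strip()
        if (lm := LOOKUP_RE.match(msg)):
            rec = {'me': lm['me'], 'other': lm['other'], 'candidates': [],
                   'selected': None, 'eap_identity': None, 'ambiguous': False}
            open_lookups[thread] = rec
            results.append(rec)
        elif thread not in open_lookups:
            continue            # candidate/selection line without a lookup header
        elif (cm := CAND_RE.match(msg)):
            score = (int(cm['me']), int(cm['other']), int(cm['ike']))
            open_lookups[thread]['candidates'].append((cm['name'], score))
        elif (sm := SELECT_RE.match(msg)):
            rec = open_lookups[thread]
            rec['selected'] = sm['name']
            best = max((s for _, s in rec['candidates']), default=None)
            rec['ambiguous'] = sum(1 for _, s in rec['candidates'] if s == best) > 1
        elif (em := EAPID_RE.match(msg)):
            open_lookups[thread]['eap_identity'] = em['id']
    return results
```

Run over a full charon log, every record with `ambiguous` set marks a connection whose config was chosen by ordering alone, which is the situation to look for when two conns differ only in eap_identity.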

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
