Hi all,
I have used the scepclient (strongSwan 5.1.1) and NDES to enroll a certificate
to a Linux box. Then I configured a host-host connection and I am able to
establish an SA from right to left (using ICMP ping from the server).
When the left side initiates the IKE negotiation, the server never responds to
the IKE_SA_INIT message. The event log says:
-----------------------------
EventID 4653
An IPsec main mode negotiation failed.
Additional Information:
Keying Module Name:IKEv2
Authentication Method:Unknown authentication
Role:Responder
Impersonation State:Not enabled
Main Mode Filter ID:0
Failure Information:
Failure Point:Local computer
Failure Reason:No policy configured
-----------------------------
The left cert already has the additional server/client auth usages added:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    1.3.6.1.4.1.311.21.7:
        0-.%+.....7........Z...&...Y...d.A..m...?..d...
    X509v3 Extended Key Usage:
        1.3.6.1.4.1.311.20.2.1, TLS Web Server Authentication,
        1.3.6.1.5.5.8.2.2, TLS Web Client Authentication
    1.3.6.1.4.1.311.21.10:
-----------------------------
The ipsec.conf includes:
conn %default
    ikelifetime=480m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    # ike: IKEv2 when initiating, any IKE version accepted when responding
    keyexchange=ike
    # trailing '!' makes the proposal list strict
    ike=3des-sha1,3des-sha1-modp1024!
    esp=3des-sha1,3des-sha1-modp1024!
    aggressive=no

conn host-host
    left=192.168.0.3
    leftcert=fccCert.der
    right=192.168.0.2
    rightid=%any
    type=transport
    leftauth=pubkey
    rightauth=pubkey
    compress=no
    auto=add
-----------------------------
Right side IKE is also set to 3DES,SHA1,DH group 2.
To me it looks like a problem on the right side, so I also sent the question to
Microsoft, but they asked me to submit a support request. Maybe someone here
is running host-host scenarios and can help me out?
Thanks for any help, I can provide more information if needed.
Regards,
Lars
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
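As an added example (not part of Lars' post and not strongSwan code), the following Python script reads the ipsec.conf quoted above, resolves the conn %default inheritance the way strongSwan applies it, and lists the effective settings of the host-host conn together with a few review findings. SAMPLE_CONF is the post's configuration copied into the script as constructed input; the findings (the unpinned IKE version of keyexchange=ike, legacy 3DES/SHA1/modp1024, a proposal without a DH group, rightid=%any) are this example's own observations about the quoted config, not a diagnosis of the Windows "No policy configured" failure.

```python
"""Resolve strongSwan ipsec.conf 'conn %default' inheritance and review a conn.

Added example, not strongSwan code.  SAMPLE_CONF is the configuration quoted
in the post; the review checks are this script's own observations.
"""

import re

# Constructed sample: the ipsec.conf fragment from the post, with the
# indentation ipsec.conf requires for parameters under a section header.
SAMPLE_CONF = """\
conn %default
    ikelifetime=480m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ike
    ike=3des-sha1,3des-sha1-modp1024!
    esp=3des-sha1,3des-sha1-modp1024!
    aggressive=no

conn host-host
    left=192.168.0.3
    leftcert=fccCert.der
    right=192.168.0.2
    rightid=%any
    type=transport
    leftauth=pubkey
    rightauth=pubkey
    compress=no
    auto=add
"""

CONN_HEADER = re.compile(r"^conn\s+(\S+)\s*$")

# Algorithms a reviewer would flag as legacy in an IKE or ESP proposal.
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    Comments ('#' to end of line) and blank lines are skipped.  Sections other
    than 'conn' (config setup, ca) are ignored here.  Indentation is not
    enforced, so configs pasted into mail without it still parse.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = CONN_HEADER.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if line.startswith(("config ", "ca ")):
            current = None  # not a conn section; skip its body
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn, as strongSwan does."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def parse_proposals(value):
    """Split 'a-b-dh,c-d!' into ([['a', 'b', 'dh'], ['c', 'd']], strict).

    A trailing '!' marks the list as strict (only these proposals are used).
    """
    strict = value.endswith("!")
    body = value[:-1] if strict else value
    return [p.split("-") for p in body.split(",") if p], strict


def review_conn(conn):
    """Return a list of review findings (strings) for an effective conn."""
    findings = []
    if conn.get("keyexchange", "ike") == "ike":
        findings.append("keyexchange=ike: IKEv2 when initiating, but any version "
                        "is accepted when responding; set keyexchange=ikev2 "
                        "to pin the version against an IKEv2-only peer")
    for key in ("ike", "esp"):
        if key not in conn:
            continue
        proposals, strict = parse_proposals(conn[key])
        for algs in proposals:
            name = "-".join(algs)
            legacy = sorted(set(algs) & LEGACY_ALGS)
            if legacy:
                findings.append(f"{key}={name}: legacy algorithms {', '.join(legacy)}")
            if key == "ike" and not any(a.startswith(("modp", "ecp")) for a in algs):
                findings.append(f"ike={name}: names no DH group")
        if not strict:
            findings.append(f"{key}: proposal list is not strict (no trailing '!')")
    if conn.get("rightid") == "%any":
        findings.append("rightid=%any: the peer's certificate identity is not pinned")
    return findings


if __name__ == "__main__":
    sections = parse_ipsec_conf(SAMPLE_CONF)
    conn = effective_conn(sections, "host-host")
    for key in sorted(conn):
        print(f"{key}={conn[key]}")
    for finding in review_conn(conn):
        print("-", finding)
```

Run it as-is to see the merged host-host conn; to review a real file, replace SAMPLE_CONF with the contents of /etc/ipsec.conf and call effective_conn() with the conn name in question.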