Hi Martin,
--On Tuesday, July 15, 2014 11:24:04 AM +0200 Martin Willi
<[email protected]> wrote:
was there a change in 5.2 about charon asking for the certificate of
the peer? I can establish a connection when I add leftsendcert=yes to
the configuration of my roadwarrior.
None that I'm aware of. leftsendcert=ifasked was the policy ever
since.
If I don't add it I get a connection with 5.1.3 but on 5.2 I get:
[IKE] no trusted RSA public key found for 'C=DE, O=xxxx'
in the log of the server.
As the default policy is "ifasked", this most likely implies that your
server does not send a certificate request. By default certificate
requests are sent; what is your rightsendcert setting on the server?
Fascinating.
I don't have a setting in the default section.
But I have a special conn for windows 7 Users with eap in which section
I set rightsendcert = never as mentioned in the wiki page
<https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig>
With this connection active it doesn't matter if I set rightsendcert to
ifasked or yes in the default section or the specific connection
section of my linux roadwarrior. I can't connect because charon doesn't
send a certificate request.
If I remove the conn section for win 7 eap, I can connect.
charon logs the certificates and certificate requests sent/received
during the exchange, that should help in analyzing what is missing.
Yes charon doesn't send certificate requests as long as there is a
single connection setting with rightsendcert=never
Best Regards
Dirk
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
