> With this connection active it doesn't matter if I set rightsendcert to
> ifasked or yes in the default section or the specific connection
> section of my linux roadwarrior. I can't connect because charon doesn't
> send a certificate request.
>
> If I remove the conn section for win 7 eap, I can connect.
Certificate requests are sent very early in the IKE negotiation. As a responder, it is sent in the first IKE_SA_INIT response. At this stage, charon cannot reliably select a configuration, as no peer identities or authentication methods are known yet. If no IP address selectors are in place (using left/right), usually just the first matching configuration is used. This probably is the win7 connection in your configuration.

> I set rightsendcert = never as mentioned in the wiki page

While this recommendation is fine if you handle Windows clients only, for mixed setups it can result in these issues. I'll add a note to the wiki.

If you can't apply IP based selectors to your configuration using left/right, you should consider removing the rightsendcert option.

Not sure why the behavior changed between 5.1.3 and 5.2.0 in this regard; likely it is related to the replaced ipsec.conf parser.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
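An ipsec.conf fragment illustrating the config-selection problem described in this thread and the fix Martin suggests, added here as an example; it is not taken from the thread or from the strongSwan project, and the certificate file, identities, subnet and connection names are assumed placeholders:

```ini
config setup

conn %default
    keyexchange=ikev2
    left=%any
    leftcert=gatewayCert.pem        # assumed placeholder
    leftid=@vpn.example.org         # assumed placeholder
    leftsubnet=10.0.0.0/24          # assumed placeholder
    right=%any

# PROBLEM: both conns use right=%any, so charon has no IP selector to
# distinguish peers when it builds the IKE_SA_INIT response. The first
# matching conn wins at that stage, and because this one carries
# rightsendcert=never no CERTREQ is sent. A pubkey roadwarrior that
# waits for a certificate request therefore fails, regardless of what
# rightsendcert says in %default or in its own conn.
conn win7-eap
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
    auto=add

conn linux-roadwarrior
    rightauth=pubkey
    rightsendcert=ifasked
    auto=add

# FIX (as suggested above): drop rightsendcert from the EAP conn so the
# responder falls back to the default behaviour and sends a CERTREQ in
# IKE_SA_INIT no matter which conn is picked first. The conn that is
# actually used is still selected later, once the peer identity and
# authentication method are known.
conn win7-eap-fixed
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
```

If the Windows clients come from a known address range, an IP selector on right= in the EAP conn is the alternative mentioned in the reply; the two fixes are independent, and only one of the two win7 conns above would exist in a real file.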
