Hi Martin,
--On Tuesday, July 15, 2014 01:52:45 PM +0200 Martin Willi <[email protected]> wrote:

>> With this connection active it doesn't matter if I set rightsendcert
>> to ifasked or yes in the default section or the specific connection
>> section of my linux roadwarrior. I can't connect because charon
>> doesn't send a certificate request.
>> If I remove the conn section for win 7 eap, I can connect.
>
> Certificate requests are sent very early in the IKE negotiation. As a
> responder, it is sent in the first IKE_SA_INIT response. At this
> stage, charon can not reliably select a configuration, as no peer
> identities or authentication methods are known yet.
> If no IP address selectors are in place (using left/right), usually
> just the first matching configuration is used. This probably is the
> win7 connection in your configuration.

ah ok I see

>> I set rightsendcert = never as mentioned in the wiki page
>
> While this recommendation is fine if you handle Windows clients only,
> for mixed setups it can result in these issues. I'll add a note to the
> wiki.
> If you can't apply IP based selectors to your configuration using
> left/right, you should consider removing the rightsendcert option.
> Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
> regard; likely that it is related to the replaced ipsec.conf parser.
It's probably the new parser.
Checking the logs on the gateway running 5.1.3 I discovered that the
rightsendcert = never wasn't honoured for any connection. Windows 7 eap
clients received a cert request too. So your suggestion to remove this
option from our config should be no problem.
Thanks
Dirk
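As an added illustration (a constructed ipsec.conf, not Dirk's or Martin's configuration), the mixed setup described in the thread: with no left/right IP selectors, charon has to pick a conn when it builds the IKE_SA_INIT response, before any peer identity or authentication method is known, so the first matching conn decides whether a CERTREQ is sent for every peer. The conn names, identities, certificate file and EAP method are assumptions.

```ini
# Constructed example ipsec.conf (not from the thread). Two road-warrior conns
# share the same %any/%any address selectors, so both match every peer. charon
# selects a conn at IKE_SA_INIT time, before peer identity or auth method is
# known, and uses that conn's rightsendcert to decide whether to send CERTREQ.

config setup

conn %default
    keyexchange=ikev2
    left=%any               # no IP selectors: every conn matches every peer
    leftcert=gateway.pem    # assumed certificate file name
    leftid=@vpn.example.org # assumed gateway identity
    right=%any
    rightsourceip=10.10.0.0/24
    auto=add

# Problematic: this conn is loaded first, so it is the one charon selects
# while answering IKE_SA_INIT for ALL peers. Its rightsendcert=never
# suppresses the certificate request, which breaks the certificate-based
# clients of the linux-rw conn below even though they never use this conn.
conn win7-eap
    leftauth=pubkey
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never     # remove this line (the fix discussed in the thread);
                            # the alternative is distinct left/right IP selectors
                            # so the right conn can be chosen at IKE_SA_INIT time

# Certificate-authenticated Linux road warriors: they need a CERTREQ, but
# their rightsendcert=ifasked is never consulted at IKE_SA_INIT time because
# win7-eap above is the first match.
conn linux-rw
    leftauth=pubkey
    rightauth=pubkey
    rightsendcert=ifasked
```

Dropping rightsendcert from win7-eap leaves the default behaviour in place, so a certificate request goes out in the IKE_SA_INIT response regardless of which conn is matched first; the Windows EAP clients simply ignore it.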
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users