Hi Johannes,

> # create pubkey for win7 "klapperkasten"
> ipsec pki --pub --in /etc/ipsec.d/private/klapperkastenKey.pem | ipsec
> pki --issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey
> /etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=klapperkasten"
> --san klapperkasten --san "192.168.0.207" --flag serverAuth --flag
> ikeIntermediate --outform pem > /etc/ipsec.d/certs/klapperkastenCert.pem

Windows will reject the certificate if the Extended Key Usage flags don't contain the clientAuth flag, unless the flags are omitted altogether. So either remove all --flag arguments or add --flag clientAuth.

By the way, support for the ikeIntermediate flag was added with 5.0, so if you use an older release it will be silently ignored.

I added a table with working combinations to [1] and updated some stuff on the rest of the Windows wiki pages regarding authentication with user certificates. For instance, I noticed that one still has to install the CA certificate to authenticate the server in the machine keystore, I added some notes about the EAP-TLS endpoint verification, and the example server config now uses leftauth=pubkey because Windows does not support mutual EAP authentication.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
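Tobias's acceptance rule, as an added example that is not part of the thread or of strongSwan's code: a stdlib-only Python check that encodes the OIDs behind the --flag names, parses the DER value of an EKU extension, and reports whether Windows would accept it (no EKU at all, or clientAuth present). It assumes short-form DER lengths and the standard OIDs for serverAuth, clientAuth and ikeIntermediate.

```python
# Added example; assumes short-form DER lengths (EKU values are tiny) and the
# standard OIDs below. Applies the rule: EKU absent, or EKU contains clientAuth.

EKU_OIDS = {  # OIDs behind the `ipsec pki --flag` names (RFC 5280; IKE PKI draft)
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "ikeIntermediate": "1.3.6.1.5.5.8.2.2",
}

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    content = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        content += chunk
    return b"\x06" + bytes([len(content)]) + bytes(content)

def build_eku(*flags: str) -> bytes:
    """Models the EKU extension value produced by the given --flag names."""
    content = b"".join(encode_oid(EKU_OIDS[f]) for f in flags)
    return b"\x30" + bytes([len(content)]) + content

def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def eku_oids(eku_der: bytes) -> list:
    if eku_der[0] != 0x30 or eku_der[1] != len(eku_der) - 2:
        raise ValueError("EKU value must be a short-form DER SEQUENCE")
    oids, pos = [], 2
    while pos < len(eku_der):
        tag, length = eku_der[pos], eku_der[pos + 1]
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(eku_der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def windows_accepts(eku_der) -> bool:
    """Tobias's rule: no EKU at all is fine; otherwise clientAuth is required."""
    return eku_der is None or EKU_OIDS["clientAuth"] in eku_oids(eku_der)
```

Feed it the raw value of the extendedKeyUsage extension from a certificate (or None when the extension is absent) to check an issued cert before importing it on Windows.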
