Hi Max,
the error occurring is:

  Jul 12 12:27:27 14[IKE] <IPSec-IKEv2-EAP|1> no private key found for '40.30.20.10'

i.e. the VPN server cannot find its server certificate. Since EAP-MSCHAPv2
is a weak authentication method, the server must always authenticate
itself with a public key method. Therefore you must change the following
two things:

- In /etc/ipsec.conf enable

    leftcert=vpnHostCert.pem

- The client assumes a server identity of 40.30.20.10. This IPv4 address
  must be contained as a subjectAltName in the server certificate,
  otherwise the authentication will not work.

A much better solution is to configure the client to send the fully
qualified domain name, i.e. the hostname of the server and to include
the hostname as a subjectAltName in the server certificate. In that
case you have to add the following entry in ipsec.conf:

    leftid=<fully qualified hostname of vpnHost>

Best regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
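
Added example, not part of the message above and not the poster's actual file: a server-side ipsec.conf connection with the two changes from the reply in place. The connection name (from the log line), leftcert and leftid come from the thread; the hostname vpn.example.org, the key file name vpnHostKey.pem and all other lines are assumptions for illustration.

```conf
# /etc/ipsec.conf on the VPN server (illustrative sketch)

conn IPSec-IKEv2-EAP
    keyexchange=ikev2
    left=%any
    # The gateway authenticates itself with a public key method,
    # because EAP-MSCHAPv2 is too weak to vouch for the server.
    leftauth=pubkey
    # Change 1: point the connection at the server certificate.
    leftcert=vpnHostCert.pem
    # Change 2 (preferred variant): server identity as FQDN.
    # vpn.example.org is a placeholder; the same name must appear as a
    # subjectAltName in vpnHostCert.pem and be what the client sends.
    leftid=vpn.example.org
    # If the client keeps using the IP address as server identity,
    # the certificate needs 40.30.20.10 as a subjectAltName instead.
    leftsendcert=always
    right=%any
    # Clients authenticate with EAP-MSCHAPv2.
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add

# /etc/ipsec.secrets must reference the private key that belongs to
# vpnHostCert.pem (file name assumed here):
#
#   : RSA vpnHostKey.pem
```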
