Anvar Kuchkartaev <[email protected]> writes:

> I think you are using right=[IP] try to use hostname specified in remote
> server certificate.

Thanks for taking your time! I'm using "right=server dns name". The server DNS name is mentioned in the certificate, as far as I can see. Nevertheless ipsec seems to complain about the IP address. The IP address is that of the internal server; I believe the server is NATed.

> Anvar Kuchkartaev
> [email protected]
>
> Original Message
> From: [email protected]
> Sent: Friday, 17 November 2017 10:02 p.m.
> To: [email protected]
> Subject: [strongSwan] Difficulty connecting to Windows server with Linux strongSwan client
>
> Hello,
>
> I'm trying to use an Ubuntu strongSwan client to connect to a Windows VPN
> server. I'm a strongSwan newbie. Also I'm not managing the Windows
> server, but the admin is pretty helpful.
>
> The config is anonymized a bit. I tried a lot of different
> configurations and this is just the latest one.
>
> The idea is that first PSK should be used, and then the smartcard cert
> should be used for the 2nd phase.
>
> It seems that the PSK phase works AFAICS, but then negotiation stops,
> seemingly because the received cert doesn't match the IP or something.
>
> The end of the log looks like:
>
> 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
> 12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 12[TLS] server certificate does not match to '192.168.220.3'
> 12[TLS] sending fatal TLS alert 'access denied'
> 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
>
> Is there some way around this? Is there some way to add an exception for
> this certificate or something?
>
> Mac clients are able to connect to the same server, as well as Windows
> based clients.
>
> The config:
>
> config setup
>         strictcrlpolicy=no
>         uniqueids = yes
>         #charondebug="all"
>         charondebug="ike 4, knl 4,cfg 4,lib 4,tls 4"
>         # nat_traversal=yes
>
> # Add connections here.
> conn my-ipsec
>         leftid=user@domain
>
>         leftcert=%smartcard:45
>         authby=pubkey
>         rightid=%any
>
>         right=theserver
>         rightcert2=sstputvupa.cer
>
>         leftauth=eap
>         rightauth=psk
>         auto=start

-- 
Joakim Verona
[email protected]
+46705459454
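The log line "server certificate does not match to '192.168.220.3'" comes from the ordinary TLS server-identity check inside EAP-PEAP: the client compares the identity it holds for the peer against the names in the server certificate (subjectAltName DNS and IP entries, with the subject CN only as a legacy fallback), and in this log that identity was the internal address 192.168.220.3, which the certificate does not name. The script below is an added illustration of that matching rule, not strongSwan code and not from the thread; the certificate is a constructed dict in the shape `ssl.getpeercert()` returns, and every name and address in it is invented.

```python
"""RFC 6125 style server-identity matching, written to show why a TLS
client rejects a certificate for an identity the certificate does not name.

Added example, not strongSwan code. SAMPLE_CERT is a constructed dict in the
shape of ssl.SSLSocket.getpeercert(); all names and addresses are invented.
"""
import ipaddress

# Constructed sample: a VPN server certificate with DNS and IP SAN entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "subjectAltName": (
        ("DNS", "vpn.example.test"),
        ("DNS", "*.vpn-pool.example.test"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match. A wildcard is honoured only as the
    whole left-most label and never spans a label boundary."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "vpn*.example" are rejected
    return p_labels == h_labels


def identity_matches(cert: dict, identity: str) -> bool:
    """True if `identity` (hostname or IP literal) is named by the cert.

    An IP literal must appear as an IP-address SAN; a hostname must match a
    DNS SAN; the subject CN is consulted only when the certificate carries
    no subjectAltName extension at all.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        ip = None

    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)

    dns_sans = [val for kind, val in sans if kind == "DNS"]
    if dns_sans:
        return any(_dns_matches(p, identity) for p in dns_sans)

    if not sans:  # legacy fallback: CN only when there is no SAN extension
        for rdn in cert.get("subject", ()):
            for attr, val in rdn:
                if attr == "commonName" and _dns_matches(val, identity):
                    return True
    return False


def explain(cert: dict, identity: str) -> str:
    """One-line verdict worded like the strongSwan TLS log message."""
    if identity_matches(cert, identity):
        return f"server certificate matches '{identity}'"
    return f"server certificate does not match to '{identity}'"


if __name__ == "__main__":
    # An internal address behind NAT (constructed here) is not in the cert,
    # so it fails exactly the way the thread's log line does.
    for ident in ("192.168.220.3", "203.0.113.10", "vpn.example.test",
                  "gw1.vpn-pool.example.test", "a.b.vpn-pool.example.test"):
        print(explain(SAMPLE_CERT, ident))
```

Running it shows that only identities the certificate actually names pass, which is why the fix is to have the client present the certificate's DNS name (or an IP that is a SAN entry) as the peer identity rather than to exempt the certificate from the check.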
