Strongswan VPN certificate authentication failed

I've installed strongSwan VPN on my Ubuntu server and set up certificate authentication. I've set up my Android phone and it works fine, but the connection doesn't get established on the Windows machine. I copied the CA cert into root CA and the client certificate into the personal store, but I get error 13806 (wrong certificate). What am I doing wrong?

/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        uniqueids = no
        charondebug="ike 4"

include /var/lib/strongswan/ipsec.conf.inc

conn %default
        dpdaction=clear
        dpddelay=35s
        dpdtimeout=300s

        fragmentation=yes
        rekey=no

        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024

        esp=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        # left - local (server) side
        left=%any
        leftauth=pubkey
        leftcert=server.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0,::/0

        # right - remote (client) side
        right=%any
        rightauth=pubkey
        rightsourceip=192.168.103.0/24,2002:25f7:7489:3::/112
        rightdns=8.8.8.8,2001:4860:4860::8888

conn ikev2-pubkey
        keyexchange=ikev2
        auto=add

conn ikev2-pubkey-osx
        also="ikev2-pubkey"
        leftid=ip_address_server

/etc/ipsec.secrets

: RSA server.key

server-cert

  subject:  "CN=domain_name"
  issuer:   "CN=IPsec CA"
  validity:  not before Apr 18 10:07:00 2022, ok
             not after  Apr 02 10:07:00 2025, ok (expires in 1079 days)
  serial:    a9:e3:a4:
  altNames:  ip_address_server
  flags:     serverAuth
  authkeyId: 13:f8:f0:
  subjkeyId: 5a:a8:11:
  pubkey:    RSA 2048 bits, has private key

client-cert

  subject:  "CN=client"
  issuer:   "CN=IPsec CA"
  validity:  not before Apr 18 10:07:19 2022, ok
             not after  Apr 02 10:07:19 2025, ok (expires in 1079 days)
  serial:    4c:e2:46:09:81:87:14:60:96:79:cf:bb:d6:62:13:68
  altNames:  client
  flags:     clientAuth

and that's the log

09[IKE] sending cert request for "CN=IPsec CA"
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
09[NET] sending packet: from server_ip[500] to client_ip[500] (353 bytes)
07[NET] received packet: from client_ip[500] to server_ip[500] (40 bytes)
07[ENC] payload type NOTIFY was not encrypted
07[ENC] could not decrypt payloads
07[IKE] integrity check failed
07[IKE] INFORMATIONAL request with message ID 0 processing failed
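The post shows certificates whose issuer, altNames and flags (serverAuth / clientAuth) come from strongSwan's own listing. Before importing them on a client, it helps to confirm with openssl that each file actually chains to the CA, carries the expected extended key usage and contains the name the peer will compare its identity against (leftid for the server). The script below is an added example, not code from the post or from the strongSwan project: it builds a throwaway CA, server and client certificate in a temporary directory with constructed placeholder names, then runs the same three checks one would run on the real ca-cert, server.crt and client certificate, including a deliberately failing check (a clientAuth-only certificate tested for serverAuth) to show what a mismatch looks like.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan). Builds a constructed
# test PKI and runs the checks a VPN operator would run on the real certificates.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CN="IPsec CA"                 # same issuer name as shown in the post
SERVER_NAME="vpn.example.test"   # placeholder for domain_name / ip_address_server (leftid)
CLIENT_NAME="client"             # placeholder client identity

# Does the leaf certificate chain to the CA?  (exit 0 = yes)
check_chain() {  # $1 = CA file, $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate carry the given extended key usage?  (exit 0 = yes)
# strongSwan lists these as "flags: serverAuth" / "flags: clientAuth".
check_eku() {    # $1 = certificate, $2 = EKU text as openssl prints it
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# Does the subjectAltName list contain the identity the peer will look for?
check_san() {    # $1 = certificate, $2 = DNS name or IP address
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | grep -q "$2"
}

# Issue a leaf certificate signed by the constructed CA.
# $1 = file basename, $2 = CN, $3 = SAN entry, $4 = extendedKeyUsage value
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    printf 'subjectAltName=%s\nextendedKeyUsage=%s\n' "$3" "$4" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" \
        >/dev/null 2>&1
}

# Build the constructed PKI: a self-signed CA plus one server and one client cert.
make_pki() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.csr" -subj "/CN=$CA_CN" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
    issue server "$SERVER_NAME" "DNS:$SERVER_NAME" serverAuth
    issue client "$CLIENT_NAME" "DNS:$CLIENT_NAME" clientAuth
}

# Print one result line per check; a failing check does not abort the script.
report() {  # $1 = description, remaining args = check command
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fi
}

make_pki
report "server cert chains to CA"        check_chain "$WORK/ca.crt" "$WORK/server.crt"
report "server cert has serverAuth EKU"  check_eku "$WORK/server.crt" "TLS Web Server Authentication"
report "server SAN contains leftid"      check_san "$WORK/server.crt" "$SERVER_NAME"
report "client cert chains to CA"        check_chain "$WORK/ca.crt" "$WORK/client.crt"
report "client cert has clientAuth EKU"  check_eku "$WORK/client.crt" "TLS Web Client Authentication"
# Expected to print FAIL: a clientAuth-only certificate checked for serverAuth.
report "client cert has serverAuth EKU (expected FAIL)" \
    check_eku "$WORK/client.crt" "TLS Web Server Authentication"
```

To use the checks on a real deployment, point them at the files strongSwan loads (for the server, the file named by leftcert under /etc/ipsec.d/certs and the CA under /etc/ipsec.d/cacerts) and pass the value of leftid as the SAN argument; the `-CAcreateserial` and `-extfile` options are used so the script does not depend on the system openssl.cnf.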
Check the log of the other end. You might find the reason why it sent an unencrypted notify payload there.
mangohost
