
Issue #979

Windows 7+ / Windows Phone RWs with statically assigned IPs

Added by Sebastian Pfeiffer over 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.3.0
Resolution:
Duplicate

Description

I'm trying to add Windows 7+ / Windows Phone Road Warriors with user certificates to our working strongSwan 5.3.0 config (site-to-site tunnels and iOS RWs).
Following your HOWTO https://wiki.strongswan.org/projects/strongswan/wiki/Windows7, tests succeeded with this configuration snippet:

#-----------------------------------------------------------------------------------------------
# one conn per road warrior; the conn name encodes the address that rightsourceip assigns
conn wnp10.1.1.22
    keyexchange=ikev2
    rightsourceip=10.1.1.22
    rightdns=10.1.0.6
    leftsubnet=0.0.0.0/0
    rightauth=eap-tls
    rightsendcert=never
    eap_identity="/C=DE/ST=Bremen/L=Bremen/O=BREKOM GmbH/OU=SE/CN=Name1/E="
    leftauth=pubkey
    leftcert="/etc/ipsec.d/private/gwcert.pem"
    auto=add
#-----------------------------------------------------------------------------------------------

This works with a single Windows/Windows Phone Road warrior.
Extending this scheme using identities and statically assigned IPs, I added more RWs:

#-----------------------------------------------------------------------------------------------
# same scheme, second road warrior: only the address and the EAP identity differ
conn wnp10.1.1.23
    keyexchange=ikev2
    rightsourceip=10.1.1.23
    rightdns=10.1.0.6
    leftsubnet=0.0.0.0/0
    rightauth=eap-tls
    rightsendcert=never
    eap_identity="/C=DE/ST=Bremen/L=Bremen/O=BREKOM GmbH/OU=SE/CN=Name2/E="
    leftauth=pubkey
    leftcert="/etc/ipsec.d/private/gwcert.pem"
    auto=add
#-----------------------------------------------------------------------------------------------
# third road warrior
conn wnp10.1.1.24
    keyexchange=ikev2
    rightsourceip=10.1.1.24
    rightdns=10.1.0.6
    leftsubnet=0.0.0.0/0
    rightauth=eap-tls
    rightsendcert=never
    eap_identity="/C=DE/ST=Bremen/L=Bremen/O=BREKOM GmbH/OU=SE/CN=Name3/E="
    leftauth=pubkey
    leftcert="/etc/ipsec.d/private/gwcert.pem"
    auto=add
#-----------------------------------------------------------------------------------------------

This is basically the scheme which works for iOS RWs (with IKEv1), but with IKEv2 using EAP-TLS only one of the configured RWs (possibly the last one added) can successfully connect.
The handling of EAP-TLS authentication seems to work completely differently from IKE/RSA: with EAP a matching config is chosen, and if the identity doesn't match, no other configs are tried, correct?
I'm seeking options that allow multiple, explicitly named RWs with statically assigned IPs. Would EAP-Dynamic help in this case, or do I have to use EAP-RADIUS (which makes a RADIUS server necessary)?

Thanks in advance
Sebastian Pfeiffer
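For reference, this is what the EAP-RADIUS route the report asks about looks like when the per-user address is delegated to the RADIUS server. It is an added example, not part of the original report and not a maintainer reply (the issue itself was closed as a duplicate of #628). It assumes a FreeRADIUS server reachable at 10.1.0.7 that performs EAP-TLS against the client certificates; the server address, the shared secret and the user names are placeholders, and the user names must match whatever identity each client sends in its EAP-Identity response.

```conf
# /etc/ipsec.conf (added example): one conn serves all Windows road warriors
conn winrw
    keyexchange=ikev2
    leftauth=pubkey
    leftcert="/etc/ipsec.d/private/gwcert.pem"
    leftsubnet=0.0.0.0/0
    rightauth=eap-radius
    # ask the client for an EAP identity and forward it to the RADIUS server
    eap_identity=%identity
    rightsendcert=never
    rightdns=10.1.0.6
    # take the client's address from the Framed-IP-Address attribute returned
    # by the RADIUS server instead of from a per-conn rightsourceip
    rightsourceip=%radius
    auto=add

# /etc/strongswan.conf (added example; assumed server address and secret)
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 10.1.0.7
                    secret = CHANGE-ME
                    auth_port = 1812
                }
            }
        }
    }
}

# FreeRADIUS 'users' file (added example): reply attributes keyed on the
# EAP identity; the EAP-TLS method itself is configured in FreeRADIUS eap.conf
name1
    Framed-IP-Address = 10.1.1.22
name2
    Framed-IP-Address = 10.1.1.23
name3
    Framed-IP-Address = 10.1.1.24
```

With this layout the address assignment rests entirely on the RADIUS reply, so that reply becomes security-relevant: the shared secret must be strong, the path between charon and the RADIUS server should be a trusted network, and a Framed-IP-Address entry attached to the wrong identity hands that client another user's address.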


Related issues

Is duplicate of Issue #628: Windows Phone 8.1 - Certificate Pattern Matching (New, 26.06.2014)

History

#1 Updated by Tobias Brunner over 10 years ago

  • Is duplicate of Issue #628: Windows Phone 8.1 - Certificate Pattern Matching added

#2 Updated by Tobias Brunner about 10 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate