On Thu, May 31, 2012 at 12:47 +0200, Peter J. Philipp wrote:
> On Thu, May 31, 2012 at 12:28:47PM +0200, Mike Belopuhov wrote:
> > > My iked config looks like this:
> > >
> > do you have a "user" specification in your iked.conf?
> > which user are you trying to authenticate as?
> > "user" specification occupies a separate line and looks
> > like that:
> >
> > user "username" "password"
> >
> > iked can't consult the local password database or radius
> > or any other authentication service at the moment except
> > this internal "database".
>
> Yes I do have a user entry, right at the top. I didn't think posting
> it was a good idea.
>
> > also, have you tried w/o mschap? you need to select the
> > "Computerzertifikate verwenden" radio button to turn eap off.
>
> I tried that but it had an error, which made me want to try EAP again.
>
> > > ikev2 "win7" passive esp \
> > > from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \
> > > srcid 10.0.0.1 \
> > > eap "mschap-v2" \
> > > config address 172.16.20.1 \
> > > config name-server 212.18.3.5 \
> > > tag "$name-$id"
> > >
> > looks fine except for the absence of the "user" specification.
> > i'd ditch the "tag" though as i didn't test it but it shouldn't
> > affect anything.
>
> Hmm. What to do... Any hint on how to debug this best?
>
try to verify that certificates are installed correctly on windows and are valid. make sure you didn't install them by double-clicking (as i initially wrote) but imported them via mmc into the right section (under Komputerkonto).

try to change "to 0.0.0.0/0" to something like "to 10.50.0.1", where you can assign 10.50.0.1 to lo1.

make sure that certificates were created by commands like:

  ikectl ca <CA> certificate 10.0.0.1 create

and host using FQDN. srcid must match that, otherwise windows refuses to connect.

and at last, please provide output from iked -dvv.

cheers,
mike
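As an added illustration (not part of the thread, and not iked's own tooling), a small lint over an iked.conf-style policy that catches the three points raised above before the first connection attempt: an EAP mschap-v2 policy with no "user" entry, a srcid that differs from the name the certificate was created for, and the wide "to 0.0.0.0/0" selector that is worth narrowing while debugging. The sample config, the user entry and the expected certificate name are constructed for the example.

```python
import re

# Constructed sample modelled on the policy in the thread; the user entry is a
# placeholder (a real iked.conf holds a real username and password here).
SAMPLE_CONF = '''
user "username" "password"

ikev2 "win7" passive esp \\
    from 172.16.20.0/24 to 0.0.0.0/0 local any peer any \\
    srcid 10.0.0.1 \\
    eap "mschap-v2" \\
    config address 172.16.20.1 \\
    config name-server 212.18.3.5
'''

def join_continuations(text):
    """Fold backslash-continued lines into single logical lines, dropping blanks and comments."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return logical

def check_iked_conf(text, cert_name):
    """Return findings for ikev2 policies; cert_name is the name the host cert was created for."""
    lines = join_continuations(text)
    users = [l for l in lines if l.startswith("user ")]
    findings = []
    for l in lines:
        if not l.startswith("ikev2 "):
            continue
        # iked only consults its own user table for EAP mschap-v2, so a missing entry is fatal.
        if 'eap "mschap-v2"' in l and not users:
            findings.append("eap mschap-v2 configured but no user entry in iked.conf")
        # Windows rejects the peer when srcid does not match the certificate identity.
        m = re.search(r"\bsrcid\s+(\S+)", l)
        if m and m.group(1) != cert_name:
            findings.append(f"srcid {m.group(1)} does not match certificate name {cert_name}")
        if re.search(r"\bto\s+0\.0\.0\.0/0\b", l):
            findings.append("policy uses 'to 0.0.0.0/0'; narrow it to a single test address for debugging")
    return findings
```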