If you're doing pure certificate auth, not EAP, I think you need both certs. They do need to be installed under the local computer account. Install the CA cert in the trusted root CA store, put the machine cert in the personal store. I also think it may be necessary to put the full asn1_dn of the server and client certs in the src_id and dst_id lines of the iked config.
On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-04-12, Markus Rosjat <ros...@ghweb.de> wrote:
> > On 12.04.2017 at 11:49, Martijn van Duren wrote:
> >> On 04/12/17 11:42, Stuart Henderson wrote:
> >>> On 2017-04-11, Markus Rosjat <ros...@ghweb.de> wrote:
> >>>> I think the problem is with the Windows side because it tells me there
> >>>> is no certificate to be found. I added the certificate to local machine
> >>>> store -> own certificates (at least in the German UI is no personal folder)
> >>>
> >>> I think you're adding this cert to the wrong one of the many cert stores
> >>> on Windows. It worked for me in trusted CAs, though there may be a better
> >>> option that also works.
> >>>
> >> One thing that also bit me was that I had to put them in the system-wide
> >> store and not in the personal store.
> >>
> >
> > well I put the CA certs in the trusted CA Folder and the cert for the
> > machine in "Eigene Zertifikate" in the local machine store
> >
> > it seems to be a problem on the Windows side though
>
> You only want the CA certificate, not the machine certificate.
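
The following PowerShell check is an added example, not part of any message in this thread. It reports which Windows certificate stores actually hold the CA and machine certificates discussed above and whether the machine certificate has a usable private key. The two subject strings are placeholders to replace with your own certificate names.

```powershell
# Added diagnostic, not from the thread. Both subject strings are hypothetical
# placeholders; replace them with the subjects of your own certificates.
$CaSubject      = 'CN=Example VPN CA'
$MachineSubject = 'CN=client.example.org'

# Computer-account stores plus the per-user stores that certificates
# often end up in by mistake.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$CaSubject*" -or
                       $_.Subject -like "*$MachineSubject*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
}
$found | Format-Table -AutoSize

$ca   = $found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' -and
                                $_.Subject -like "*$CaSubject*" }
$mach = $found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' -and
                                $_.Subject -like "*$MachineSubject*" }

if (-not $ca) {
    Write-Warning 'CA certificate is not in the computer account Trusted Root store.'
}
if (-not $mach) {
    Write-Warning 'Machine certificate is not in the computer account Personal store.'
}
foreach ($m in $mach) {
    if (-not $m.HasPrivateKey) {
        Write-Warning "No private key for '$($m.Subject)'; it cannot be used to authenticate."
    }
    if ($m.NotAfter -lt (Get-Date)) {
        Write-Warning "'$($m.Subject)' expired on $($m.NotAfter)."
    }
    if ($ca -and ($ca.Subject -notcontains $m.Issuer)) {
        Write-Warning "Issuer '$($m.Issuer)' does not match the CA found in Trusted Root."
    }
}
```

Run it from an elevated prompt. A row under `Cert:\CurrentUser\...` with no matching `Cert:\LocalMachine\...` row means the certificate was imported into the user store rather than the computer account.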