Re: [strongSwan] A couple of offerings for the community
Hi Derek, >> Does Windows require the complete chain for the client >> certificate? > > If you deliberately delete the CA certificate of the client > certificate on Windows, then when you try to connect, you will get an > error message in red, "Invalid certificate type." This is an > "all-purpose" error message Windows gives when it does not like > something about your certificates. If you look in Windows Event > Viewer, you will see an error from source RasClient saying, "The error > code returned on failure is 13819." Again, this is an "all-purpose" > error code for certificates. Interesting, so I guess if you can't use PKCS#12 files with the complete chain (because Windows doesn't import the CA certs correctly and it's not possible to correct this programmaticall), you might have to be prepared to parse two keys in case the CA certificates are not the same. local.ca for the CA certificate of the client certificate and remote.cert (to be compatible with our format) for the CA certificate required to verify the server certificate. If they are the same, only one of these has to be specified (ideally remote.cert so the same file could be used for Android as well). Regards, Tobias
Re: [strongSwan] A couple of offerings for the community
On Mon, Jan 28, 2019 at 2:29 AM Tobias Brunner wrote: > Does Windows require the complete chain for the client > certificate? If you deliberately delete the CA certificate of the client certificate on Windows, then when you try to connect, you will get an error message in red, "Invalid certificate type." This is an "all-purpose" error message Windows gives when it does not like something about your certificates. If you look in Windows Event Viewer, you will see an error from source RasClient saying, "The error code returned on failure is 13819." Again, this is an "all-purpose" error code for certificates. Derek.
Re: [strongSwan] A couple of offerings for the community
Hi Derek, > Originally I wanted to use p12 files with everything in them (CA cert, > client cert, client key), but this created messiness on the Windows > end. As mentioned in the previous mail, the CA certificate that issued the client and server certificates don't have to be the same (often they aren't). Does Windows require the complete chain for the client certificate? > This is why I separated out the CA cert, with the client cert and > the client key going into a pfx file. Because you expect the PKCS#12/PFX file in local.p12 to contain CA certificates? That isn't necessarily the case, it could just as well be only the client certificate and key (because the issuing CA certificate is not required on Android). Providing CA certificates to verify the server certificate (if it's even necessary) via remote.cert is usually better anyway as that avoids warnings on older Android releases (and maybe cleaner if the CAs are different). Regards, Tobias
Re: [strongSwan] A couple of offerings for the community
I will look into changing local.ca to something more appropriate. Originally I wanted to use p12 files with everything in them (CA cert, client cert, client key), but this created messiness on the Windows end. This is why I separated out the CA cert, with the client cert and the client key going into a pfx file. Regards, Derek. On Mon, Jan 28, 2019 at 1:32 AM Tobias Brunner wrote: > > Hi Derek, > > > (1) An IKEv2 profile importer for Windows 10, modeled on the > > strongSwan profile importer for Android: > > https://github.com/dcamero2016/vpn-importer > > Nice idea. local.ca is wrong, though, it's the CA certificate to verify > the remote's certificate, it hasn't necessarily anything to do with the > client's authentication or certificate (i.e. should be remote.ca, or > remote.cert to keep it compatible with our format). And why change > local.p12 to local.pfx? (It's still a PKCS#12 container, no?) > > Regards, > Tobias
Re: [strongSwan] A couple of offerings for the community
Hi Derek, > (1) An IKEv2 profile importer for Windows 10, modeled on the > strongSwan profile importer for Android: > https://github.com/dcamero2016/vpn-importer Nice idea. local.ca is wrong, though, it's the CA certificate to verify the remote's certificate, it hasn't necessarily anything to do with the client's authentication or certificate (i.e. should be remote.ca, or remote.cert to keep it compatible with our format). And why change local.p12 to local.pfx? (It's still a PKCS#12 container, no?) Regards, Tobias
[strongSwan] A couple of offerings for the community
Good afternoon, A couple of offerings that might interest you: (1) An IKEv2 profile importer for Windows 10, modeled on the strongSwan profile importer for Android: https://github.com/dcamero2016/vpn-importer (2) Step-by-step, end-to-end tutorial for installing strongSwan 5.7.2 on Debian 10 Buster server and Android client: https://dc77312.wordpress.com Kind regards, Derek Cameron.
