windowsCertRequirements

[dnsbzb]

Checklist

• [x] I searched existing Issues, and did not find a similar enhancement request
• [x] This enhancement request is about the VPN setup scripts, and not IPsec VPN itself
• [x] I read the README
• [x] I read the Important notes
• [x] I followed instructions to configure VPN clients
• [x] I checked Troubleshooting and VPN status

Describe the enhancement request A clear and concise description of your enhancement request.

Is your enhancement request related to a problem? Please describe. (If applicable) A clear and concise description of what the problem is.

Additional context You need to add --extSAN parameters for windows See: https://docs.strongswan.org/strongswan-docs/5.9/interop/windowsCertRequirements.html

[hwdsl2]

@dnsbzb Hello! In the IKEv2 helper script, the --extSAN parameter is already added when creating the server certificate. See: https://github.com/hwdsl2/setup-ipsec-vpn/blob/9e58aace4809737bdd255c09ecc803261cdf8517/extras/ikev2setup.sh#L1021-L1052

Client certificates do NOT have this requirement, only the VPN server certificate.

[dnsbzb]

@dnsbzb Hello! In the IKEv2 helper script, the --extSAN parameter is already added when creating the server certificate. See:

https://github.com/hwdsl2/setup-ipsec-vpn/blob/9e58aace4809737bdd255c09ecc803261cdf8517/extras/ikev2setup.sh#L1021-L1052

Client certificates do NOT have this requirement, only the VPN server certificate.

Yes, I agree, I see it in the documentation. But until I added this - I was getting error 13801 when connecting a client with windows 10. Very strange!

[hwdsl2]

@dnsbzb Error 13801 could occur when the VPN server address specified on your VPN client device does not exactly match the server address in the output of the IKEv2 helper script. See: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#ike-authentication-credentials-are-unacceptable