<p class="MsoNormal">I am having an issue getting my client to connect via a smartcard. When I connect from a Windows client it looks like the server sends a certificate request that contains two certificate request payloads. The client sends two IP packets in response. When I connect from a Linux client I only see one IP packet being sent in response. Looking at a successful connection in Windows I see the following after the IKE policies are negotiated.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The client/server negotiate IKE.</p>
<p class="MsoNormal">The server sends a certificate request that contains two
certificate request payloads.</p>
<p class="MsoNormal">The client sends two IP packets (fragmented) and then an
ISAKMP packet with an encrypted payload of 3632 bytes.</p>
<p class="MsoNormal">The server then sends two IP packets (fragmented) and then
an ISAKMP packet with an encrypted payload of 3456 bytes.</p>
<p class="MsoNormal">Then the client and server go into ISAKMP Quick Mode and the
ESP connection starts.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">When I connect from my Linux client I see the following.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The client/server negotiate IKE.</p>
<p class="MsoNormal">The server sends a certificate request that contains two
certificate request payloads.</p>
<p class="MsoNormal">The client sends ONE IP packet (fragmented) and then an
ISAKMP packet with an encrypted payload of 2040 bytes.</p>
<p class="MsoNormal">The server never responds and the connection restarts until
it times out.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Here is the console output.</p>
<pre>
002 "test" #1: initiating Main Mode
104 "test" #1: STATE_MAIN_I1: initiate
003 "test" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
003 "test" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "test" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
002 "test" #1: enabling possible NAT-traversal with method RFC 3947
106 "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "test" #1: we have a cert and are sending it upon request
108 "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "test" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "test" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
</pre>
<p class="MsoNormal">I am running strongswan 4.3.5. Here is my ipsec.conf:</p>
<pre>
conn test
    right=my.tunnel.co.com
    rightid=@co.com
    authby=rsasig
    left=%defaultroute
    leftcert=%smartcard
    auto=start
</pre>
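<p class="MsoNormal">The packet counts reported above can be checked against the quoted message sizes. The Python script below is an added example, not part of the original post and not strongSwan code; it models IPv4 fragmentation of one ISAKMP message carried over UDP. Its size constants are assumptions of the example: a 1500-byte MTU, a 20-byte IPv4 header, an 8-byte UDP header, the 28-byte fixed ISAKMP header, and the 4-byte non-ESP marker that IKE carries on UDP/4500 once NAT-T is in use (the log above reports "i am NATed"). For the two encrypted payload lengths quoted in the post it yields three IP packets for 3632 bytes and two for 2040 bytes, which matches the "N fragments and then an ISAKMP packet" pattern in the captures: packet dissectors show the leading fragments as bare IP fragments and decode the reassembled ISAKMP message on the final one.</p>

```python
# Added example: model IPv4 fragmentation of an IKEv1 (ISAKMP) message carried
# over UDP, to relate an "encrypted payload of N bytes" in a capture to the
# number of IP packets seen on the wire. The size constants (MTU 1500, IPv4
# header 20, UDP header 8, ISAKMP header 28, NAT-T non-ESP marker 4) are
# assumptions of this example; the two payload lengths are the ones quoted
# in the post.
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20       # IPv4 header without options
UDP_HEADER = 8
ISAKMP_HEADER = 28     # fixed IKEv1 header
NON_ESP_MARKER = 4     # prepended to IKE when it runs on UDP/4500 (NAT-T)


@dataclass
class Fragment:
    offset_units: int    # fragment offset in 8-byte units, as in the IP header
    payload_len: int     # bytes of the UDP datagram carried by this fragment
    more_fragments: bool # MF flag: True on every fragment but the last


def udp_datagram_len(encrypted_payload_len: int, nat_t: bool = True) -> int:
    """Length of the UDP datagram (header + data) carrying one ISAKMP message."""
    marker = NON_ESP_MARKER if nat_t else 0
    return UDP_HEADER + marker + ISAKMP_HEADER + encrypted_payload_len


def fragment(datagram_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split a UDP datagram into IPv4 fragments for the given link MTU.

    Every fragment except the last carries a multiple of 8 payload bytes,
    because the IP fragment offset field counts 8-byte units.
    """
    if datagram_len <= mtu - IPV4_HEADER:
        return [Fragment(0, datagram_len, False)]
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    frags: List[Fragment] = []
    offset = 0
    remaining = datagram_len
    while remaining > 0:
        size = min(per_frag, remaining)
        remaining -= size
        frags.append(Fragment(offset // 8, size, remaining > 0))
        offset += size
    return frags


def wire_summary(encrypted_payload_len: int, mtu: int = 1500) -> dict:
    """Count the on-wire packets of one fragmented ISAKMP message.

    Dissectors typically list the leading fragments as plain IP fragments and
    decode the reassembled ISAKMP message on the final fragment, so a message
    split into k fragments appears as k-1 "IP packets (fragmented)" followed
    by one "ISAKMP packet".
    """
    frags = fragment(udp_datagram_len(encrypted_payload_len), mtu)
    return {
        "encrypted_payload": encrypted_payload_len,
        "ip_packets": len(frags),
        "leading_fragments": len(frags) - 1,
        "offsets": [f.offset_units for f in frags],
        "sizes": [f.payload_len for f in frags],
    }


if __name__ == "__main__":
    for n in (3632, 2040):  # encrypted payload lengths quoted in the post
        print(wire_summary(n))
```

<p class="MsoNormal">Run it directly to print both summaries; pass a different <code>mtu</code> to <code>wire_summary</code> to model the link actually in use.</p>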