I've installed strongSwan VPN on my Ubuntu server and set up certificate authentication. I've set up my Android phone and it works fine, but the connection isn't established on the Windows machine. I copied the CA cert into the Root CA store and the client certificate into the Personal store, but I get error 13806 (wrong certificate). What am I doing wrong?
/etc/ipsec.conf

    config setup
        # strictcrlpolicy=yes
        uniqueids = no
        charondebug="ike 4"

    include /var/lib/strongswan/ipsec.conf.inc

    conn %default
        dpdaction=clear
        dpddelay=35s
        dpdtimeout=300s
        fragmentation=yes
        rekey=no
        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        esp=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        # left - local (server) side
        left=%any
        leftauth=pubkey
        leftcert=server.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0,::/0
        # right - remote (client) side
        right=%any
        rightauth=pubkey
        rightsourceip=192.168.103.0/24,2002:25f7:7489:3::/112
        rightdns=8.8.8.8,2001:4860:4860::8888

    conn ikev2-pubkey
        keyexchange=ikev2
        auto=add

    conn ikev2-pubkey-osx
        also="ikev2-pubkey"
        leftid=ip_address_server
/etc/ipsec.secrets

    : RSA server.key
Server cert:

    subject:   "CN=domain_name"
    issuer:    "CN=IPsec CA"
    validity:  not before Apr 18 10:07:00 2022, ok
               not after  Apr 02 10:07:00 2025, ok (expires in 1079 days)
    serial:    a9:e3:a4:
    altNames:  ip_address_server
    flags:     serverAuth
    authkeyId: 13:f8:f0:
    subjkeyId: 5a:a8:11:
    pubkey:    RSA 2048 bits, has private key

Client cert:

    subject:   "CN=client"
    issuer:    "CN=IPsec CA"
    validity:  not before Apr 18 10:07:19 2022, ok
               not after  Apr 02 10:07:19 2025, ok (expires in 1079 days)
    serial:    4c:e2:46:09:81:87:14:60:96:79:cf:bb:d6:62:13:68
    altNames:  client
    flags:     clientAuth
And that's the log:
09[IKE] sending cert request for "CN=IPsec CA"
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
09[NET] sending packet: from server_ip[500] to client_ip[500] (353 bytes)
07[NET] received packet: from client_ip[500] to server_ip[500] (40 bytes)
07[ENC] payload type NOTIFY was not encrypted
07[ENC] could not decrypt payloads
07[IKE] integrity check failed
07[IKE] INFORMATIONAL request with message ID 0 processing failed
As you can see, I set the IP address as a SAN in the server certificate, because I connect over the IP address. But it still doesn't work.
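As an added example (not the poster's code), a small Python checker that parses an `ipsec listcerts`-style listing like the one in the post and cross-checks it against the conn's leftid. It flags exactly the properties the post itself relies on: the leftid address appearing in the server certificate's altNames, the serverAuth / clientAuth flags, and validity dates strongSwan reports as ok. The sample listing and conn block are constructed from the post, with its placeholders kept as they appear there.

```python
import re

# Constructed sample modelled on the listing and conn block in the post (placeholders kept as-is).
LISTCERTS = """\
server-cert
  subject:  "CN=domain_name"
  validity: not before Apr 18 10:07:00 2022, ok
            not after  Apr 02 10:07:00 2025, ok (expires in 1079 days)
  altNames: ip_address_server
  flags:    serverAuth
client-cert
  subject:  "CN=client"
  validity: not before Apr 18 10:07:19 2022, ok
            not after  Apr 02 10:07:19 2025, ok (expires in 1079 days)
  altNames: client
  flags:    clientAuth
"""
IPSEC_CONF = 'conn ikev2-pubkey-osx\n    also="ikev2-pubkey"\n    leftid=ip_address_server\n'


def parse_listing(text):
    """Parse an `ipsec listcerts`-style listing into {name: {flags, altNames, valid}}."""
    certs, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented line starts a new certificate entry
            cur = certs.setdefault(line.strip(), {"flags": [], "altNames": [], "valid": True})
        elif cur is not None and ("not before" in line or "not after" in line):
            cur["valid"] &= ", ok" in line  # strongSwan appends ", ok" to dates that check out
        elif cur is not None:
            key, _, val = line.strip().partition(":")
            if key == "altNames":
                cur["altNames"] = [a.strip() for a in val.split(",")]
            elif key == "flags":
                cur["flags"] = val.split()
    return certs


def check(listing, conf, server="server-cert", client="client-cert"):
    """Return (cert, problem) findings; an empty list means nothing was flagged."""
    certs = parse_listing(listing)
    m = re.search(r"^\s*leftid=(\S+)", conf, re.M)
    leftid = m.group(1) if m else None  # address the peer is expected to match against the cert
    srv, cli = certs[server], certs[client]
    rules = [
        (server, "missing serverAuth EKU", "serverAuth" not in srv["flags"]),
        (server, "leftid %s not in altNames" % leftid, bool(leftid) and leftid not in srv["altNames"]),
        (server, "outside validity period", not srv["valid"]),
        (client, "missing clientAuth EKU", "clientAuth" not in cli["flags"]),
        (client, "outside validity period", not cli["valid"]),
    ]
    return [(name, problem) for name, problem, hit in rules if hit]
```

Run `check(LISTCERTS, IPSEC_CONF)` against the listing from the post and it returns no findings; the same checker run on a listing whose server certificate carries only the CN-style name, or no serverAuth flag, reports each mismatch.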