Discussion:
Struggling with Windows 7 IkeV2 - Error 13806
Weber, Stefan (IT)
2011-05-23 13:59:41 UTC
Dear all,

I would like to connect to strongSwan with Windows 7 using IKEv2 and a machine certificate. I followed the instructions in the strongSwan wiki but couldn't get it to work. When trying to connect I receive error 13806, telling me that Windows is not able to find a valid machine certificate.

What i did so far:

Imported my Root Certificate to the Computer Trusted Root Authorities.

Created a certificate for my Windows 7 machine with
KeyUsage digitalSignature and keyEncipherment, ExtendedKeyUsage clientAuth, serverAuth
SubjectAlternateName set to DNS:win7client.vpntest.local

Exported the cert + private key as PKCS#12 and imported it into the Computer's Personal Certificate Store. Windows 7 tells me that the certificate is valid and trusted by my Root Certificate.

Created a certificate for my strongSwan host with
KeyUsage digitalSignature and keyEncipherment, ExtendedKeyUsage clientAuth, serverAuth
SubjectAlternateName set to DNS:strongswan.vpntest.local

Set this certificate as leftcert in ipsec.conf.
Configured its private key in ipsec.secrets.

DNS name resolution is working of course ;-)

I also tried with certificates including IKEIntermediate in extendedKeyUsage.

When starting strongSwan with --debug-all I see IKE sending a cert request, immediately followed by error 13806 on the Windows box.

I hope anybody can help me out or lead me in the right direction.

Thank you in advance,

Stefan
Lars Hjersted
2011-05-23 14:42:37 UTC
Your description seems correct, but it appears that the Win7 client is not
accepting the server certificate for some reason. A simple server
certificate that works fine for me with Win7 clients can be created with
the strongSwan PKI tool as follows:

ipsec pki --gen --outform der > serverKey.der
ipsec pki --pub --in serverKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=US, O=MyOrganization, CN=server" --san "myvpn.myDynamicDNS.com" --flag serverAuth --outform der > serverCert.der

where caCert.der and caKey.der are your CA certificate file and CA key
file respectively. You might also try the above with CN=1.2.3.4 where
1.2.3.4 is the IP address of the server and then omit the
subjectAlternateName entirely (--san). The CN can be set as the IP
address or the DNS instead of setting a subjectAlternateName.

-Lars
Andreas Steffen
2011-05-23 14:43:29 UTC
Hello Stefan,

I assume that both the Win 7 client and strongSwan host certificates
are signed by the same CA and that you put the Root CA certificate
into the /etc/ipsec.d/cacerts directory. Otherwise strongSwan will
not include the Root CA in its cert request list and thus the
Windows 7 client will not be able to find a matching machine
certificate.

Regards

Andreas

BTW - A strongSwan log file would help in debugging the problem
since all outgoing cert requests are logged.
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Weber, Stefan (IT)
2011-05-23 15:21:02 UTC
Hello Andreas,

Yes, that is the case. Here is the debug log I got. Maybe it would help if I knew how I could debug the Windows 7 side of the process. Unfortunately I couldn't find any information on where Windows 7 is logging or how I could enable logging there :-(

00[JOB] spawning 16 worker threads
charon (1923) started after 100 ms
07[CFG] received stroke: add connection 'win7'
07[CFG] left nor right host is our side, assuming left=local
07[CFG] loaded certificate "C=DE, O=MyOrg, OU=Test, CN=strongswan.vpntest.local" from 'vpnserver.crt.pem'
07[CFG] added configuration 'win7'
07[CFG] adding virtual IP address pool 'win7': 10.10.3.0/24
loading ca certificates from '/etc/ipsec.d/cacerts'
loaded ca certificate from '/etc/ipsec.d/cacerts/vpntestrootca.crt.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
loading attribute certificates from '/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0 192.168.150.55:500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key from 'vpnserver.key.pem'
no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
connection must specify host IP address for our side
12[NET] received packet: from 192.168.150.52[500] to 192.168.150.55[500]
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] 192.168.150.52 is initiating an IKE_SA
12[IKE] sending cert request for "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA, E=ca-***@public.gmane.org"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
12[NET] sending packet: from 192.168.150.55[500] to 192.168.150.52[500]
13[JOB] deleting half open IKE_SA after timeout

Shanthi Thomas
2013-09-27 19:05:45 UTC
Hi Stefan,

Did you solve this? I have the same problem and have been poring over strongSwan logs, sniffer packets, etc. My strongSwan gateway cert has the required extensions and there do not seem to be any errors as seen from the gateway logs. It is the Win 7 client that is causing problems. And of course other than error 13806 "IKE authentication credentials are unacceptable" Windows does not give any further useful info.

Any info would be appreciated.

Thanks,

Shanthi