<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000066">
<br>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<pre>Dear all,
I would like to connect to strongSwan with Windows 7 using IKEV2 and Machine Certificate.
I followed the instructions in the strongSwan Wiki but couldn't get it to work.
When trying to connect i receive an error 13806 telling me that Windows is not able to find a valid machine certificate.
What i did so far:
- Created Root certificate, StrongSwan Certificate/private key, and Windows 7 certificate/private key using Openssl.
- Imported the Windows 7 certificate and root Certificate to personal store and Computer Trusted Root Authorities (Local computer) respectively.
Windows 7 indicates the certificate is valid and can be traced to the installed root certificate
- Strongswan certificates:
Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
URI:<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://192.168.5.204/ca.crl">http://192.168.5.204/ca.crl</a>
- Windows 7 certificate:
Subject: C=US, ST=CA, O=mycompany, CN=win71
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:rras1.mycompany.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
URI:<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://192.168.5.204/ca.crl">http://192.168.5.204/ca.crl</a>
Strongswan is running okay. "ipsec listcerts" indicates that the private key and the certificate are both loaded correctly.
Strongswan log:
May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to 192.168.5.63[500]
May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
May 17 15:10:19 14[IKE] remote host is behind NAT
May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA"
May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to 192.168.5.204[52720]
Windows 7 is giving the Error 13806 message.
I even disabled the EKU checks according to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq">http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq</a> and reboot the Windows 7 machine, still the 13806 error message.
I would really appreciate some help.
Thank you and best regards,
Todd
</pre>
<h1><br>
</h1>
</body>
</html>