<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000066">
Hi Andreas,<br>
<br>
That is a big bummer. I thought Microsoft started supporting ECDSA
starting with Vista. <br>
<br>
Anyway, I created a new openssl-based CA using RSA-2048 instead of
ECDSA P-384, and issued two certificates, win7 and "192.168.5.63",
and reloaded both my Windows 7 computer and the StrongSwan server.
Error 13806 still comes up.<br>
<br>
I loaded the same "win7" certificates into another Ubuntu computer
running strongswan as a client. It connected fine to the
192.168.5.63 server. So it seems that my Strongswan server is
running okay.<br>
<br>
I have enabled both "clientAuth" and "serverAuth" EKU in the win7
certificate, and the CA is imported correctly. The private key seems
to be loaded correctly too.<br>
<br>
Any other things that I should be checking?<br>
<br>
Thanks again,<br>
<br>
Best regards,<br>
<br>
Todd<br>
<br>
<br>
On 5/17/2012 10:36 AM, Andreas Steffen wrote:
<blockquote cite="mid:4FB5370F.9020100@strongswan.org" type="cite">Hi
Todd,
<br>
<br>
your problem is that although the Microsoft Crypto API and the
<br>
old IKEv1-based IPsec client support Elliptic Curve Cryptography,
<br>
the Windows 7 IKEv2-based Agile VPN client doesn't. It just
doesn't
<br>
find ECDSA certificates. It seems that Windows 8 is going to offer
<br>
ECC support, at least via the powershell command line.
<br>
<br>
Regards
<br>
<br>
Andreas
<br>
<br>
On 05/17/2012 02:55 PM, Tiebing Zhang wrote:
<br>
<blockquote type="cite">Hi Andreas,
<br>
<br>
Yes I did, as far as I can tell. After importing the certificate
file,
<br>
two certificates showed up in the "Certificates(Local
<br>
Computer)->personal->certificates" store. One is the
"win71" certificate
<br>
and one is the "CA" certificate. I moved the "CA" certificate to
the
<br>
"Trusted Root Certificate Authorities" by dragging and dropping
the
<br>
certificate. When I double click the "win71" certificate, it
shows
<br>
something like this:
<br>
<br>
Allows secure communication on the Internet
<br>
Ensures the identity of a remote computer
<br>
Proves your identity to a remote computer
<br>
<br>
Issued to :win71
<br>
valid from 5/15/2012 to 5/15/2013
<br>
<br>
*You have a private key that corresponds to this certificate.
<br>
<br>
When I click on the "certificate path", it shows the path to the
"CA"
<br>
certificate on the top of the dialog box and on the bottom it
says "
<br>
this certificate is OK".
<br>
<br>
I compared the CA certificate on the Win7 and the one on the
StrongSwan.
<br>
They are the same CA certificate.
<br>
<br>
Just one note: I use ECDSA P_384 in the certificate. I don't
think this
<br>
is a problem but just wanted to mention that to you.
<br>
<br>
Looking at the log file of the Strongswan, it seems like that
Strongswan
<br>
hasn't got a chance to send the actual strongswan certificate to
Win7.
<br>
It only sent the "CA" certificate to Win7, and somehow Win7
couldn't
<br>
validate that CA cert?
<br>
<br>
Another note: The Win7 is without the Service Pack 1.
<br>
<br>
Thank you for your gracious help.
<br>
<br>
Best regards,
<br>
<br>
Todd
<br>
<br>
On 5/17/2012 1:45 AM, Andreas Steffen wrote:
<br>
<blockquote type="cite">Hello Todd,
<br>
<br>
did you pack the Windows 7 private key and matching X.509
certificate
<br>
together with the Root CA certificate into a PKCS#12 file
(*.p12) and
<br>
imported this file into the Local Computer part of the Windows
registry
<br>
via the mmc? Does clicking on the imported Windows 7
certificate tell
<br>
you that it has a matching private key?
<br>
<br>
Regards
<br>
<br>
Andreas
<br>
<br>
On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
<br>
<blockquote type="cite">Dear all,
<br>
<br>
I would like to connect to strongSwan with Windows 7 using
IKEV2 and
<br>
Machine Certificate.
<br>
I followed the instructions in the strongSwan Wiki but
couldn't get
<br>
it to work.
<br>
When trying to connect I receive an error 13806 telling me
that
<br>
Windows is not able to find a valid machine certificate.
<br>
<br>
What I did so far:
<br>
<br>
- Created Root certificate, StrongSwan Certificate/private
key, and
<br>
Windows 7 certificate/private key using Openssl.
<br>
- Imported the Windows 7 certificate and root Certificate to
personal
<br>
store and Computer Trusted Root Authorities (Local computer)
<br>
respectively.
<br>
Windows 7 indicates the certificate is valid and can be
traced to the
<br>
installed root certificate
<br>
- Strongswan certificates:
<br>
Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
<br>
X509v3 extensions:
<br>
X509v3 Key Usage:
<br>
Digital Signature, Key Encipherment
<br>
X509v3 Extended Key Usage:
<br>
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web
Client
<br>
Authentication
<br>
X509v3 Basic Constraints:
<br>
CA:FALSE
<br>
X509v3 CRL Distribution Points:
<br>
URI:<a class="moz-txt-link-freetext" href="http://192.168.5.204/ca.crl">http://192.168.5.204/ca.crl</a>
<br>
<br>
- Windows 7 certificate:
<br>
Subject: C=US, ST=CA, O=mycompany, CN=win71
<br>
X509v3 extensions:
<br>
X509v3 Key Usage:
<br>
Digital Signature, Key Encipherment
<br>
X509v3 Extended Key Usage:
<br>
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web
Client
<br>
Authentication
<br>
X509v3 Subject Alternative Name:
<br>
DNS:rras1.mycompany.com
<br>
X509v3 Basic Constraints:
<br>
CA:FALSE
<br>
X509v3 CRL Distribution Points:
<br>
URI:<a class="moz-txt-link-freetext" href="http://192.168.5.204/ca.crl">http://192.168.5.204/ca.crl</a>
<br>
<br>
Strongswan is running okay. "ipsec listcerts" indicates that
the
<br>
private key and the certificate are both loaded correctly.
<br>
<br>
Strongswan log:
<br>
May 17 15:10:19 14[NET] received packet: from
192.168.5.204[52720] to
<br>
192.168.5.63[500]
<br>
May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No
<br>
N(NATD_S_IP) N(NATD_D_IP) ]
<br>
May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an
IKE_SA
<br>
May 17 15:10:19 14[IKE] remote host is behind NAT
<br>
May 17 15:10:19 14[IKE] sending cert request for "C=US,
ST=CA, L=LA,
<br>
O=mycompany, CN=mycompanyCA"
<br>
May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [
SA KE No
<br>
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
<br>
May 17 15:10:19 14[NET] sending packet: from
192.168.5.63[500] to
<br>
192.168.5.204[52720]
<br>
<br>
Windows 7 is giving the Error 13806 message.
<br>
<br>
I even disabled the EKU checks according to
<br>
<a class="moz-txt-link-freetext" href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq">http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq</a>
and
<br>
rebooted the Windows 7 machine, still the 13806 error message.
<br>
<br>
I would really appreciate some help.
<br>
<br>
Thank you and best regards,
<br>
<br>
Todd
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
======================================================================
<br>
Andreas Steffen
<a class="moz-txt-link-abbreviated" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>
<br>
strongSwan - the Linux VPN Solution!
<a class="moz-txt-link-abbreviated" href="http://www.strongswan.org">www.strongswan.org</a>
<br>
Institute for Internet Technologies and Applications
<br>
University of Applied Sciences Rapperswil
<br>
CH-8640 Rapperswil (Switzerland)
<br>
===========================================================[ITA-HSR]==
<br>
</blockquote>
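As an added example, not part of the thread and not strongSwan's own tooling, the script below reproduces the certificate setup the thread discusses with OpenSSL: an RSA-2048 root CA (the algorithm Todd switched to), a server certificate for 192.168.5.63 and a client certificate for win71 carrying the extension set quoted in the first message (Key Usage digitalSignature/keyEncipherment, Extended Key Usage with the IP security IKE intermediate OID 1.3.6.1.5.5.8.2.2 plus serverAuth and clientAuth, CA:FALSE, a CRL distribution point), then packs the Windows private key, certificate and root CA into one PKCS#12 file as Andreas describes. It finishes with the checks a practitioner would run before importing anything into the Local Computer store: the chain validates against the CA, both TLS EKU purposes are present, the private key really matches the certificate, and the PKCS#12 contains exactly one key and two certificates. The subjectAltName values, the scratch directory, the export password and the SHA1/3DES PBE settings are assumptions of this example; the OID name and the PBE compatibility note are general OpenSSL facts, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSL CA + certs with the extension set
# quoted above, PKCS#12 packing of the Windows identity, and pre-import checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed)
PASS="changeit"                # PKCS#12 export password (placeholder, constructed)

# Minimal OpenSSL config. v3_server/v3_client mirror the extensions in the
# thread: KU digitalSignature+keyEncipherment, EKU with the IKE intermediate
# OID 1.3.6.1.5.5.8.2.2, serverAuth and clientAuth, CA:FALSE, a CRL DP.
# The subjectAltName entries are an assumption of this example.
write_config() {
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = mycompany
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://192.168.5.204/ca.crl
subjectAltName = IP:192.168.5.63
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://192.168.5.204/ca.crl
subjectAltName = DNS:win71
EOF
}

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Root CA: RSA-2048, the algorithm the thread settled on for Windows 7.
gen_ca() {
  gen_key "$WORK/ca.key"
  openssl req -new -x509 -key "$WORK/ca.key" -config "$WORK/ca.cnf" -extensions v3_ca \
    -subj "/C=US/ST=CA/L=LA/O=mycompany/CN=mycompanyCA" -days 3650 -out "$WORK/ca.crt"
}

# issue_cert NAME CN EXT_SECTION: CSR signed by the CA with the chosen extensions.
issue_cert() {
  gen_key "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -config "$WORK/ca.cnf" \
    -subj "/C=US/ST=CA/O=mycompany/CN=$2" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "0x$(openssl rand -hex 8)" -days 365 \
    -extfile "$WORK/ca.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

# Pack key + certificate + root CA into one PKCS#12, as Andreas describes.
# SHA1/3DES PBE is chosen explicitly because OpenSSL 3 defaults to AES/PBKDF2
# bundles that older Windows releases cannot import.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/win71.key" -in "$WORK/win71.crt" \
    -certfile "$WORK/ca.crt" -name win71 -passout "pass:$PASS" \
    -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 -out "$WORK/win71.p12"
}

# Checks: chain validates against the CA and the EKU carries both TLS purposes.
check_identity() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null || return 1
  eku=$(openssl x509 -in "$WORK/$1.crt" -noout -text | grep -A1 'Extended Key Usage' | tail -n1)
  case "$eku" in *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) return 0 ;; esac
  return 1
}

# "Does the certificate have a matching private key?": compare the public keys.
key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)" ]
}

# What ends up inside the PKCS#12 (expect 2 certificates, 1 private key).
p12_dump()    { openssl pkcs12 -in "$WORK/win71.p12" -passin "pass:$PASS" -nodes 2>/dev/null; }
count_certs() { p12_dump | grep -c 'BEGIN CERTIFICATE'; }
count_keys()  { p12_dump | grep -c 'BEGIN PRIVATE KEY'; }

write_config; gen_ca
issue_cert server 192.168.5.63 v3_server
issue_cert win71 win71 v3_client
export_p12
for n in server win71; do
  if check_identity "$n" && key_matches_cert "$n"; then echo "$n: OK"; else echo "$n: FAILED"; fi
done
echo "$WORK/win71.p12: $(count_certs) certificate(s), $(count_keys) private key(s)"
```

Run it with any OpenSSL 1.1.1 or 3.x; the generated files stay in the scratch directory it prints, so the win71.p12 bundle can be inspected further with `openssl pkcs12 -info`. The key-match check answers the question Andreas asked (whether the imported certificate has a matching private key) before the file ever reaches Windows, and the PKCS#12 count check catches the common mistake of exporting without `-certfile`, which leaves the root CA out of the bundle.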
</body>
</html>