<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000066">
<font face="Cambria">Hi Andreas,</font><br>
<br>
Yes, I did, as far as I can tell. After importing the certificate
file, two certificates showed up in the "Certificates(Local
Computer)->personal->certificates" store. One is the "win71"
certificate and one is the "CA" certificate. I moved the "CA"
certificate to the "Trusted Root Certificate Authorities" by
dragging and dropping the certificate. When I double-click the
"win71" certificate, it shows something like this:<br>
<br>
Allows secure communication on the Internet<br>
Ensures the identity of a remote computer<br>
Proves your identity to a remote computer<br>
<br>
Issued to :win71<br>
valid from 5/15/2012 to 5/15/2013<br>
<br>
*You have a private key that corresponds to this certificate.<br>
<br>
When I click on the "certificate path", it shows the path to the
"CA" certificate on the top of the dialog box and on the bottom it
says " this certificate is OK".<br>
<br>
I compared the CA certificate on the Win7 and the one on the
StrongSwan. They are the same CA certificate.<br>
<br>
Just one note: I use ECDSA P_384 in the certificate. I don't think
this is a problem but just wanted to mention that to you.<br>
<br>
Looking at the log file of Strongswan, it seems that Strongswan
hasn't had a chance to send the actual strongswan certificate to
Win7. It only sent the "CA" certificate to Win7, and somehow Win7
couldn't validate that CA cert?<br>
<br>
Another note: The Win7 is without the Service Pack 1.<br>
<br>
Thank you for your gracious help.<br>
<br>
Best regards,<br>
<br>
Todd<br>
<br>
On 5/17/2012 1:45 AM, Andreas Steffen wrote:
<blockquote cite="mid:4FB4BABA.9020802@strongswan.org" type="cite">Hello
Todd,
<br>
<br>
did you pack the Windows 7 private key and matching X.509 certificate
together with the Root CA certificate into a PKCS#12 file (*.p12) and
imported this file into the Local Computer part of the Windows registry
via the mmc? Does clicking on the imported Windows 7 certificate tell
you that it has a matching private key?
<br>
<br>
Regards
<br>
<br>
Andreas
<br>
<br>
On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
<br>
<blockquote type="cite">Dear all,
<br>
<br>
I would like to connect to strongSwan with Windows 7 using IKEV2
and Machine Certificate.
<br>
I followed the instructions in the strongSwan Wiki but couldn't
get it to work.
<br>
When trying to connect I receive an error 13806 telling me that
Windows is not able to find a valid machine certificate.
<br>
<br>
What I did so far:
<br>
<br>
- Created Root certificate, StrongSwan Certificate/private key,
and Windows 7 certificate/private key using Openssl.
<br>
- Imported the Windows 7 certificate and root Certificate to
personal store and Computer Trusted Root Authorities (Local
computer) respectively.
<br>
Windows 7 indicates the certificate is valid and can be
traced to the installed root certificate
<br>
- Strongswan certificates:
<br>
Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
<br>
X509v3 extensions:
<br>
X509v3 Key Usage:
<br>
Digital Signature, Key Encipherment
<br>
X509v3 Extended Key Usage:
<br>
1.3.6.1.5.5.8.2.2, TLS Web Server
Authentication, TLS Web Client Authentication
<br>
X509v3 Basic Constraints:
<br>
CA:FALSE
<br>
X509v3 CRL Distribution Points:
<br>
URI:<a class="moz-txt-link-freetext" href="http://192.168.5.204/ca.crl">http://192.168.5.204/ca.crl</a>
<br>
<br>
- Windows 7 certificate:
<br>
Subject: C=US, ST=CA, O=mycompany, CN=win71
<br>
X509v3 extensions:
<br>
X509v3 Key Usage:
<br>
Digital Signature, Key Encipherment
<br>
X509v3 Extended Key Usage:
<br>
1.3.6.1.5.5.8.2.2, TLS Web Server
Authentication, TLS Web Client Authentication
<br>
X509v3 Subject Alternative Name:
<br>
DNS:rras1.mycompany.com
<br>
X509v3 Basic Constraints:
<br>
CA:FALSE
<br>
X509v3 CRL Distribution Points:
<br>
URI:<a class="moz-txt-link-freetext" href="http://192.168.5.204/ca.crl">http://192.168.5.204/ca.crl</a>
<br>
<br>
Strongswan is running okay. "ipsec listcerts" indicates that the
private key and the certificate are both loaded correctly.
<br>
<br>
Strongswan log:
<br>
May 17 15:10:19 14[NET] received packet: from
192.168.5.204[52720] to 192.168.5.63[500]
<br>
May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
<br>
May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
<br>
May 17 15:10:19 14[IKE] remote host is behind NAT
<br>
May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA,
L=LA, O=mycompany, CN=mycompanyCA"
<br>
May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
<br>
May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500]
to 192.168.5.204[52720]
<br>
<br>
Windows 7 is giving the Error 13806 message.
<br>
<br>
I even disabled the EKU checks according to
<a class="moz-txt-link-freetext" href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq">http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq</a>
and rebooted the Windows 7 machine, but still get the 13806 error message.
<br>
<br>
I would really appreciate some help.
<br>
<br>
Thank you and best regards,
<br>
<br>
Todd
<br>
</blockquote>
<br>
======================================================================
<br>
Andreas Steffen
<a class="moz-txt-link-abbreviated" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>
<br>
strongSwan - the Linux VPN Solution!
<a class="moz-txt-link-abbreviated" href="http://www.strongswan.org">www.strongswan.org</a>
<br>
Institute for Internet Technologies and Applications
<br>
University of Applied Sciences Rapperswil
<br>
CH-8640 Rapperswil (Switzerland)
<br>
===========================================================[ITA-HSR]==
<br>
</blockquote>
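An added example, not code from this thread or from the strongSwan project: the Go program below builds a constructed CA and gateway certificate carrying the extensions shown in Todd's dumps (Key Usage Digital Signature, Extended Key Usage TLS Web Server Authentication plus 1.3.6.1.5.5.8.2.2, ECDSA P-384 keys, CA name mycompanyCA and the 192.168.5.63 address taken from the thread) and then runs the checks a client must pass: chain to the trusted CA, serverAuth EKU, and the dialled address matching the certificate. Go's verifier matches the address against the subjectAltName only, so the withSAN=false case shows what such a client reports for a certificate laid out like the posted gateway one (IP in the CN, no SAN); makeChain, checkGatewayCert and must are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"net"
	"time"
)

// must panics on error: the chain below is constructed test data, not real issuance.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeChain builds a root CA plus a gateway cert with the thread's extensions on ECDSA P-384 keys (as in Todd's setup);
// withSAN also lists gatewayIP as a subjectAltName, whereas the posted gateway cert has the IP only in its CN.
func makeChain(gatewayIP string, withSAN bool) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mycompanyCA"}, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: gatewayIP}, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, // Digital Signature
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // TLS Web Server Authentication
		// 1.3.6.1.5.5.8.2.2 (IPsec IKE intermediate), the other EKU shown in the posted dumps
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 8, 2, 2}}}
	if withSAN {
		tpl.IPAddresses = []net.IP{net.ParseIP(gatewayIP)}
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// checkGatewayCert chains leaf to the CA the client trusts, requires the serverAuth EKU and matches the
// dialled address against the SAN (Go's verifier ignores the CN); a nil result means the cert is acceptable.
func checkGatewayCert(ca, leaf *x509.Certificate, connectAddr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: connectAddr, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

The error returned for the no-SAN case names the missing IP SAN explicitly, and the one for a certificate issued by a different CA is an unknown-authority error, which separates the two failure modes discussed in the thread.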
</body>
</html>