<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12px"><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr">I am trying to get my Server 2012 and Windows 10 clients to connect to my strongswan server but ran into some trouble. I keep getting the Windows Error 13806: IKE failed to find a valid machine certificate. The output of my certificate is shown below. Is there a field I am missing? I thought I followed all of the Windows client certificate requirements.</div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr"><br></div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr">This strongswan server works fine with Linux and Android clients. Are there still problems with ECDSA certificates in Windows Server 2012/10? I know Windows 7/2008 did not support it, but I figured it was fixed by now.</div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr"><br></div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr">Certificate:<br></div><div id="yui_3_16_0_1_1444978777443_2911" class="">    Data:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">        Version: 3 (0x2)</div><div id="yui_3_16_0_1_1444978777443_2911" class="">        Serial Number: 10171425542929775975 (0x8d2829a409a9fd67)</div><div id="yui_3_16_0_1_1444978777443_2911" class="">    Signature Algorithm: ecdsa-with-SHA384</div><div id="yui_3_16_0_1_1444978777443_2911" class="">        Issuer: C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7</div><div id="yui_3_16_0_1_1444978777443_2911" class="">        Validity</div><div id="yui_3_16_0_1_1444978777443_2911" class="">            Not Before: Oct 16 06:29:43 2015 GMT</div><div id="yui_3_16_0_1_1444978777443_2911" class="">            Not After : Oct 15 06:29:43 2016 GMT</div><div id="yui_3_16_0_1_1444978777443_2911" class="">        Subject: C=US, ST=MD, L=SELF, OU=SS, CN=SERVER2012.homelan.com</div><div 
id="yui_3_16_0_1_1444978777443_2911" class="">        Subject Public Key Info:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">            Public Key Algorithm: id-ecPublicKey</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                Public-Key: (384 bit)</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                pub:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                    04:72:ea:85:84:5e:5c:c6:3a:6c:23:ff:cd:47:97:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                    7d:a7:d2:0a:4c:21:41:cf:5e:a3:1e:7c:2b:a3:7a:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                    5f:91:62:bf:8f:01:cc:6b:13:1e:d6:60:58:d5:10:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                    bd:60:f6:2a:00:c1:d2:46:5f:ea:75:b3:6e:24:6c:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                    16:97:5f:51:df:8d:bf:77:ef:92:f9:66:40:4a:44:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                    2c:25:4b:56:8b:48:93:86:d0:cb:0c:4f:e1:5a:95:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                    67:f8:bc:73:53:88:b6</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                ASN1 OID: secp384r1</div><div id="yui_3_16_0_1_1444978777443_2911" class="">        X509v3 extensions:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">            X509v3 Basic Constraints:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                CA:FALSE</div><div id="yui_3_16_0_1_1444978777443_2911" class="">            X509v3 Key Usage:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                Digital Signature, Non Repudiation, Key Encipherment</div><div id="yui_3_16_0_1_1444978777443_2911" class="">            X509v3 Extended Key Usage:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client 
Authentication</div><div id="yui_3_16_0_1_1444978777443_2911" class="">            X509v3 Subject Alternative Name:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">                DNS:192.168.1.43, DNS:192.168.1.7</div><div id="yui_3_16_0_1_1444978777443_2911" class="">    Signature Algorithm: ecdsa-with-SHA384</div><div id="yui_3_16_0_1_1444978777443_2911" class="">         30:66:02:31:00:ca:96:73:a0:a0:b5:28:2e:48:1b:9f:49:3a:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">         bc:59:b0:de:ee:43:69:2a:dc:5f:3b:e4:62:64:54:9b:3d:97:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">         c8:55:ef:34:2f:9d:b0:14:5b:c9:b3:08:93:2d:96:f0:8d:02:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">         31:00:fb:ae:cd:c0:f5:48:16:4e:54:c8:53:55:ff:36:83:7e:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">         a5:1f:68:0a:97:c4:86:ef:1c:15:3a:08:e1:8e:7d:eb:98:53:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">         9d:88:b2:9d:02:f3:ea:ae:92:62:29:4d:bb:c4</div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class="">Here is what I see in the strongswan logs;</div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class="">12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div id="yui_3_16_0_1_1444978777443_2911" class="">12[LIB] size of DH secret exponent: 1023 bits</div><div id="yui_3_16_0_1_1444978777443_2911" class="">12[IKE] sending cert request for "C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"</div><div id="yui_3_16_0_1_1444978777443_2911" class="">12[NET] sending packet: from 192.168.1.7[500] to 192.168.1.10[500] (333 bytes)</div><div id="yui_3_16_0_1_1444978777443_2911" class="">04[NET] received packet: from 192.168.1.10[500] to 
192.168.1.7[500] (40 bytes)</div><div id="yui_3_16_0_1_1444978777443_2911" class="">04[IKE] integrity check failed</div><div id="yui_3_16_0_1_1444978777443_2911" class="">04[IKE] INFORMATIONAL request with message ID 0 processing failed</div><div id="yui_3_16_0_1_1444978777443_2911" class="">08[JOB] deleting half open IKE_SA after timeout</div><div id="yui_3_16_0_1_1444978777443_2911" class="">09[JOB] deleting half open IKE_SA after timeout</div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class="">Also to note is that this config does not work for Windows 2012/10 clients:<br></div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr" class=""><br id="yui_3_16_0_1_1444978777443_3302" class=""></div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr" class="">esp=aes256-sha384-ecp384!<br id="yui_3_16_0_1_1444978777443_3305" class=""></div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr" class="">ike=aes256-sha384-ecp384!</div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr" class=""><br id="yui_3_16_0_1_1444978777443_3309" class=""></div><div id="yui_3_16_0_1_1444978777443_2911" dir="ltr" class="">I have to allow it to negotiate, or I get the following:</div><div dir="ltr" id="yui_3_16_0_1_1444978777443_3229" class=""><br id="yui_3_16_0_1_1444978777443_3231" class=""></div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG]   no acceptable ENCRYPTION_ALGORITHM found</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG] selecting proposal:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG] selecting proposal:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG]   no acceptable ENCRYPTION_ALGORITHM found</div><div 
id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG] selecting proposal:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG] selecting proposal:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG]   no acceptable ENCRYPTION_ALGORITHM found</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG] selecting proposal:</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024</div><div id="yui_3_16_0_1_1444978777443_2911" class="">13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384</div><div id="yui_3_16_0_1_1444978777443_2911" class="" dir="ltr">13[IKE] received proposals inacceptable</div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div id="yui_3_16_0_1_1444978777443_2911" class=""><br></div><div dir="ltr" id="yui_3_16_0_1_1444978777443_3154" class=""><br id="yui_3_16_0_1_1444978777443_3156" class=""></div><div dir="ltr" id="yui_3_16_0_1_1444978777443_3042" class=""><br id="yui_3_16_0_1_1444978777443_3044" class=""></div></div></body></html>
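Added example, not part of the post above and not strongSwan's own code: a small Python script that reads the `received proposals:` / `configured proposals:` lines from the log quoted in the message and reports, for each proposal the Windows client offered, the transform type at which it fails against the server's configured proposal, reproducing the `no acceptable ... found` sequence. It checks transforms in IKEv2 transform-type order (encryption, PRF, integrity, DH group), which is an assumption about strongSwan's check order that agrees with the log shown; the prefix-based classification of algorithm names is mine as well.

```python
import re

# Log lines copied from the strongSwan output quoted in the post above.
LOG = """\
13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
13[IKE] received proposals inacceptable
"""

# IKEv2 transform types in the order they are checked here (RFC 7296 type IDs 1..4);
# assumption: strongSwan evaluates them in this order, which matches the log above.
TRANSFORMS = (
    "ENCRYPTION_ALGORITHM",
    "PSEUDO_RANDOM_FUNCTION",
    "INTEGRITY_ALGORITHM",
    "DIFFIE_HELLMAN_GROUP",
)


def classify(token):
    """Map one algorithm name from a proposal string to its transform type (prefix heuristic)."""
    if token.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_*, 3DES_CBC, AES_GCM_* (AEAD: no INTEG entry)


def parse_proposals(text):
    """Parse 'IKE:ENCR/INTEG/PRF/DH, IKE:...' into dicts keyed by transform type."""
    proposals = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        protocol, _, algs = item.partition(":")
        proposal = {"protocol": protocol}
        for token in algs.split("/"):
            proposal[classify(token)] = token
        proposals.append(proposal)
    return proposals


def extract(log, kind):
    """Pull the proposal list out of a 'received proposals:' or 'configured proposals:' line."""
    m = re.search(rf"{kind} proposals: (.*)", log)
    return parse_proposals(m.group(1)) if m else []


def first_mismatch(offered, configured):
    """For one offered proposal, the transform type at which it first differs from each
    configured proposal (the type strongSwan names in 'no acceptable <type> found');
    None if some configured proposal accepts it outright."""
    failures = []
    for cfg in configured:
        failed = next((t for t in TRANSFORMS if offered.get(t) != cfg.get(t)), None)
        if failed is None:
            return None
        failures.append(failed)
    return failures


def diagnose(log):
    """Summarise why the received proposals were rejected against the configured ones."""
    received = extract(log, "received")
    configured = extract(log, "configured")
    per_proposal = [first_mismatch(p, configured) for p in received]
    no_overlap = []  # transform types for which nothing the peer offers is configured at all
    for t in TRANSFORMS:
        offered = {p.get(t) for p in received}
        accepted = {c.get(t) for c in configured}
        if not offered & accepted:
            no_overlap.append(t)
    return {
        "accepted": any(r is None for r in per_proposal),
        "per_proposal": per_proposal,
        "no_overlap": no_overlap,
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG).items():
        print(f"{key}: {value}")
```

Run against the quoted log, the per-proposal column comes out as ENCRYPTION_ALGORITHM, PSEUDO_RANDOM_FUNCTION, ENCRYPTION_ALGORITHM, PSEUDO_RANDOM_FUNCTION, ENCRYPTION_ALGORITHM, DIFFIE_HELLMAN_GROUP, the same sequence the log prints, and the only transform with no overlap at all is the DH group: every proposal from the client carries MODP_1024, while `ike=aes256-sha384-ecp384!` accepts only ECP_384, which is why the strict proposal fails and the negotiated one succeeds.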
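Also added here, not part of the post and not strongSwan's or Microsoft's code: a stdlib-only Python checker that parses the `openssl x509 -text` output quoted in the message and tests the certificate against the requirements strongSwan documents for Windows IKEv2 clients (an EKU of TLS Web Server Authentication or IP security IKE intermediate `1.3.6.1.5.5.8.2.2`, and a subjectAltName carrying the address the client dials), plus validity-window, Basic Constraints and Key Usage sanity checks that are my additions. The warning it raises for IP addresses stored in `DNS:` SAN entries, as in the certificate above, rests on the assumption that Windows matches a dialled IP against an `IP Address` entry rather than a DNS name. The embedded excerpt leaves out the public-key and signature byte dumps, which the checks do not use.

```python
import ipaddress
import re
from datetime import date, datetime, timezone

# Excerpt of the `openssl x509 -text` output quoted in the post above; the public key
# and signature byte dumps are left out because the checks below do not use them.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7
        Validity
            Not Before: Oct 16 06:29:43 2015 GMT
            Not After : Oct 15 06:29:43 2016 GMT
        Subject: C=US, ST=MD, L=SELF, OU=SS, CN=SERVER2012.homelan.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:192.168.1.43, DNS:192.168.1.7
"""

IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"         # IP security IKE intermediate EKU
SERVER_AUTH = "TLS Web Server Authentication"  # id-kp-serverAuth as openssl prints it


def extension_values(text, name):
    """Comma-separated values printed under an 'X509v3 <name>:' heading (empty if absent)."""
    m = re.search(rf"X509v3 {re.escape(name)}:\s*(.+)", text)
    return [v.strip() for v in m.group(1).split(",")] if m else []


def _openssl_time(text, label):
    """Parse a 'Not Before:' / 'Not After :' line such as 'Oct 16 06:29:43 2015 GMT'."""
    m = re.search(rf"{label}\s*:\s*(.+?)\s*GMT", text)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Reduce `openssl x509 -text` output to the fields the checks below need."""
    cn = re.search(r"^\s*Subject:.*?CN=([^,\n]+)", text, re.M)
    return {
        "cn": cn.group(1).strip() if cn else None,
        "not_before": _openssl_time(text, "Not Before"),
        "not_after": _openssl_time(text, "Not After"),
        "is_ca": "CA:TRUE" in extension_values(text, "Basic Constraints"),
        "key_usage": extension_values(text, "Key Usage"),
        "eku": extension_values(text, "Extended Key Usage"),
        "san": extension_values(text, "Subject Alternative Name"),
    }


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_windows_ikev2_server_cert(cert, peer_address, as_of=None):
    """Return (level, message) findings; no 'error' entries means the documented
    Windows-client requirements are met. `peer_address` is the host name or IP the
    client dials; `as_of` is an ISO date string, defaulting to today (UTC)."""
    today = date.fromisoformat(as_of) if as_of else datetime.now(timezone.utc).date()
    findings = []
    if not (cert["not_before"].date() <= today <= cert["not_after"].date()):
        findings.append(("error", f"certificate is not valid on {today}"))
    if cert["is_ca"]:
        findings.append(("error", "server certificate must be an end-entity cert (CA:FALSE)"))
    if "Digital Signature" not in cert["key_usage"]:
        findings.append(("error", "Key Usage lacks Digital Signature"))
    if not {IKE_INTERMEDIATE, SERVER_AUTH} & set(cert["eku"]):
        findings.append(("error", "EKU needs TLS Web Server Authentication or IKE intermediate"))
    entries = [tuple(e.split(":", 1)) for e in cert["san"]]
    # The client matches the address it dials against the SAN, not against the CN.
    if peer_address not in {value for _, value in entries}:
        findings.append(("error", f"SAN has no entry for the dialled address {peer_address}"))
    for kind, value in entries:
        # Assumption: a dialled IP is matched against 'IP Address' entries, not DNS names.
        if kind == "DNS" and _is_ip(value):
            findings.append(("warning", f"{kind}:{value} carries an IP address as a DNS name; "
                                        "an IP belongs in an 'IP Address' SAN entry"))
    return findings


if __name__ == "__main__":
    parsed = parse_cert_text(CERT_TEXT)
    for level, message in check_windows_ikev2_server_cert(parsed, "192.168.1.7", "2015-11-01"):
        print(f"{level}: {message}")
```

With the dialled address set to `192.168.1.7` and a date inside the validity window, the certificate above passes every hard check and draws only the two IP-as-DNS warnings; dialling it as `SERVER2012.homelan.com` instead produces a SAN error, because that name appears only in the CN.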