<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 1/17/2017 07:10, Yudi V wrote:<br>
    </div>
    <blockquote
cite="mid:CACo--mtHfKWiqn_0iGV2W0G+srjqye-uJmpfnj5HWwS7cq5X0w@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi,<br>
        <br>
        Error 13806<br>
        Authentication from a Windows 10 client fails when trying to use
        just certificates, but with EAP-MSCHAPv2 it works fine.<br>
        Error 13806, "IKE failed to find valid machine certificate"<br>
        <br>
        I followed the advice about certificate needs for Windows.<br>
        All the keys are of type ecdsa:<br>
        <br>
        server cert:<br>
        ipsec pki --pub --in serverKey.der --type ecdsa | ipsec pki
        --issue --cacert caCert.der --cakey caKey.der --dn "O=xxx, CN=home1234.ddns.com"
        --san="home1234.ddns.com"
        --flag serverAuth --flag ikeIntermediate > serverCert.der<br>
        <br>
        client cert:<br>
        ipsec pki --pub --in clientKey.der --type ecdsa | ipsec pki
        --issue --cacert caCert.der --cakey caKey.der --dn "O=xxx,
        CN=client" > clientCert.der<br>
        <br>
        Converted the DER files to PEM and packaged them into a PKCS#12 file:<br>
        <br>
        openssl pkcs12 -export -in clientCert.pem -name "client" -inkey
        clientKey.pem -certfile caCert.pem -caname "xxx CA" -out
        clientCert.p12<br>
        <br>
        The first time I imported the caCert.pem and clientCert.p12 files
        into the Windows cert store I made a mistake and imported them into
        the current user account.<br>
        I deleted them and imported them into the "computer account",<br>
        and checked that it looks as in the last two screencaps at <a
          moz-do-not-send="true"
          href="https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs">https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs</a><br>
        It says "You have a private key that corresponds to this
        certificate."<br>
        <br>
        The SAN and CN are the same for the server.<br>
        <br>
        ipsec.conf settings are:<br>
        <br>
        # ipsec.conf - strongSwan IPsec configuration file<br>
        <br>
        # basic configuration<br>
        <br>
        config setup<br>
                # strictcrlpolicy=yes<br>
                # uniqueids = no<br>
        <br>
        conn %default<br>
                keyexchange=ikev2<br>
                dpdaction=clear<br>
                dpddelay=300s<br>
        <br>
        # Add connections here.<br>
        <br>
        <br>
        conn rw_pw                                       # this works<br>
                left=%any<br>
                leftsubnet=<a moz-do-not-send="true"
          href="http://0.0.0.0/0,::0">0.0.0.0/0,::0</a><br>
                leftauth=pubkey<br>
                leftcert=serverCert.der         <br>
                leftid=<a moz-do-not-send="true"
          href="http://home1234.ddns.com">home1234.ddns.com</a>     <br>
                leftfirewall=yes              <br>
                lefthostaccess=yes             <br>
                right=%any<br>
                rightauth=eap-mschapv2        <br>
                rightsourceip=%dhcp<br>
                rightdns=192.168.3.1<br>
                eap_identity=%any<br>
                auto=add<br>
        <br>
        conn rw_cert                               # this fails  <br>
                left=%any<br>
                leftsubnet=<a moz-do-not-send="true"
          href="http://0.0.0.0/0,::0">0.0.0.0/0,::0</a><br>
                leftauth=pubkey<br>
                leftcert=serverCert.der         <br>
                leftid=<a moz-do-not-send="true"
          href="http://home1234.ddns.com">home1234.ddns.com</a>      <br>
                leftfirewall=yes              <br>
                lefthostaccess=yes             <br>
                right=%any<br>
                rightauth=pubkey              <br>
                rightcert=clientCert.pem<br>
                rightsourceip=%dhcp<br>
                rightdns=192.168.3.1<br>
                auto=add<br>
        <br>
        <br>
        Any suggestion on how to fix this issue?<br>
        <br>
        regards<br>
        Yudi</div>
      <br>
      <br>
    </blockquote>
    <br>
    Windows 10 is hosed in the head (as are other windows versions);
    here's what I have, and it works -- but it took a while to figure it
    out by turning debugging up and chasing what the two sides were
    saying to each other.  You do not want eap-mschapv2 unless you're
    using a password; for a machine certificate you want eap-tls (which
    may not be in your build; if not you will have to add it), and the
    eap_identity clause is also required.<br>
    <br>
    Snip from ipsec.conf:<br>
    <br>
    conn WinUserCert<br>
            left=%any<br>
            leftsubnet=0.0.0.0/0<br>
            leftcert=genesis.denninger.net.crt<br>
            leftauth=pubkey<br>
            right=%any<br>
            rightsourceip=192.168.2.0/24<br>
            rightauth=eap-tls<br>
            eap_identity=%identity<br>
            auto=add<br>
            dpdaction=clear<br>
            dpddelay=300s<br>
    <br>
    And then the cert must contain:<br>
    <br>
    Certificate:<br>
        Data:<br>
            Version: 3 (0x2)<br>
            Serial Number: 61 (0x3d)<br>
        Signature Algorithm: sha256WithRSAEncryption<br>
            Issuer: C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC,
    CN=Cuda Systems LLC CA/emailAddress=Cuda Systems LLC CA<br>
            Validity<br>
                Not Before: Dec 18 19:45:35 2016 GMT<br>
                Not After : Dec 17 19:45:35 2021 GMT<br>
            Subject: C=US, ST=Florida, O=Cuda Systems LLC,
    <a class="moz-txt-link-abbreviated" href="mailto:CN=karl@denninger.net">CN=karl@denninger.net</a><br>
            Subject Public Key Info:<br>
                Public Key Algorithm: rsaEncryption<br>
                    Public-Key: (4096 bit)<br>
                    Modulus:<br>
                        00:cd:8d:e6:66:b1:b3:b3:64:a1:8f:60:e4:d3:31:<br>
                        15:69:65:d1:36:22:3b:b8:17:ac:66:53:a3:7a:b6:<br>
    .....<br>
    <br>
                    Exponent: 65537 (0x10001)<br>
            X509v3 extensions:<br>
                Authority Information Access:<br>
                    OCSP - URI:<a class="moz-txt-link-freetext" href="http://cudasystems.net:8888">http://cudasystems.net:8888</a><br>
    <br>
                X509v3 Basic Constraints:<br>
                    CA:FALSE<br>
                Netscape Cert Type:<br>
                    SSL Client, S/MIME<br>
                X509v3 Key Usage:<br>
                    Digital Signature, Non Repudiation, Key Encipherment<br>
                Netscape Comment:<br>
                    OpenSSL Generated Certificate<br>
                X509v3 Subject Key Identifier:<br>
                    A5:F0:08:DF:2F:BB:E7:5A:69:F4:0D:30:EA:F2:47:C7:C4:68:47:F3<br>
                X509v3 Authority Key Identifier:<br>
                    keyid:24:71:9B:9D:85:7D:FC:DD:DD:BD:B0:CA:92:94:03:A1:FA:D3:6D:35<br>
    <br>
                X509v3 Subject Alternative Name:<br>
                    <a class="moz-txt-link-abbreviated" href="mailto:email:karl@denninger.net">email:karl@denninger.net</a><br>
        Signature Algorithm: sha256WithRSAEncryption<br>
             62:07:a3:25:ba:0c:58:25:d7:1c:0f:c6:e8:67:fb:bc:77:c5:<br>
    ....<br>
    <br>
    Note that BOTH SAN and CN are set in the user certificate.  SAN is
    there because I use this cert/key pair for S/MIME as well.  However,
    if you don't set CN to the same thing (which is usually not done if
    SAN is set) then Win10 will send the CN, whatever it may be (e.g.
    the user's full name), and StrongSwan won't find the cert because
    when it looks for it in the certificate store it compares against
    SAN and the comparison fails.<br>
    <br>
    <br>
    <div class="moz-signature">-- <br>
      Karl Denninger<br>
      <a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
      <i>The Market Ticker</i><br>
      <font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
    </div>
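    <br>
    Added example, not part of the thread above: a small Python script that
    models the identity mismatch Karl describes. It parses the Subject and
    subjectAltName lines from "openssl x509 -text" style output (the two
    certificate texts below are constructed samples, not the certificates from
    this thread), assumes that Windows 10 presents the certificate's CN as its
    IKE identity, and applies a simplified model of strongSwan's check in which
    a DN identity must equal the subject DN and any other identity (e-mail, FQDN)
    must equal one of the SAN values. The function names and that model are the
    example's own assumptions, not strongSwan's code.<br>

```python
import re

# Constructed samples (not certificates from the thread): abbreviated
# `openssl x509 -noout -text` output. In the first, CN is a display name while
# the SAN carries only an e-mail address; in the second, CN and SAN agree.
CERT_TEXT_MISMATCH = """\
Certificate:
    Data:
        Subject: C=US, ST=Florida, O=Example LLC, CN=Yudi V
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:yudi@example.net
"""

CERT_TEXT_OK = """\
Certificate:
    Data:
        Subject: C=US, ST=Florida, O=Example LLC, CN=yudi@example.net
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:yudi@example.net, DNS:laptop.example.net
"""


def parse_cert_text(text):
    """Extract the subject DN (ordered list of (attr, value) pairs) and the SAN
    entries (list of (type, value) pairs) from `openssl x509 -text` style output."""
    m = re.search(r"^\s*Subject:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError("no Subject line found")
    subject = []
    for part in m.group(1).split(", "):
        attr, _, value = part.partition("=")
        subject.append((attr.strip(), value.strip()))
    sans = []
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+?)\s*$", text, re.M)
    if m:
        for item in m.group(1).split(", "):
            typ, _, value = item.partition(":")
            sans.append((typ.strip(), value.strip()))
    return subject, sans


def identity_sent_by_windows(subject):
    """Assumed model of the behaviour described in the thread: Windows 10
    presents the certificate's CN as its IKE identity, whatever the CN holds."""
    for attr, value in subject:
        if attr == "CN":
            return value
    raise ValueError("certificate has no CN")


def strongswan_identity_matches(identity, subject, sans):
    """Simplified model (assumption, not the daemon's code) of strongSwan's
    identity check: a DN identity must equal the subject DN; any other
    identity must equal one of the subjectAltName values."""
    if "=" in identity:  # looks like a DN, e.g. "C=US, O=Example LLC, CN=x"
        given = [tuple(p.strip() for p in part.partition("=")[::2])
                 for part in identity.split(",")]
        return given == subject
    wanted = identity.strip().lower()
    return any(value.lower() == wanted for _, value in sans)


def audit(cert_text):
    """Report which identity a Windows client built from this cert would send
    and whether the modelled strongSwan check would accept it."""
    subject, sans = parse_cert_text(cert_text)
    ident = identity_sent_by_windows(subject)
    return {
        "identity_sent": ident,
        "san_values": [v for _, v in sans],
        "accepted": strongswan_identity_matches(ident, subject, sans),
    }


if __name__ == "__main__":
    for label, text in (("mismatch", CERT_TEXT_MISMATCH), ("ok", CERT_TEXT_OK)):
        r = audit(text)
        print(f"{label}: Windows sends {r['identity_sent']!r}; "
              f"SANs {r['san_values']}; accepted={r['accepted']}")
```

    Feed it the text of a real client certificate ("openssl x509 -in
    clientCert.pem -noout -text") to see which identity the client will
    present and whether any SAN entry carries the same value; a
    "Yudi V"-style CN with an e-mail-only SAN is exactly the case that fails.<br>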
  </body>
</html>