<div dir="ltr">
Hi,

Error 13806
Authentication from a Windows 10 client fails when trying to use just certificates, but with EAP-MSCHAPv2 it works fine.
Error 13806, "IKE failed to find valid machine certificate"

I followed the advice about certificate needs for Windows.
All the keys are of type ecdsa:

server cert:
ipsec pki --pub --in serverKey.der --type ecdsa | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "O=xxx, CN=home1234.ddns.com" --san="home1234.ddns.com" --flag serverAuth --flag ikeIntermediate > serverCert.der

client cert:
ipsec pki --pub --in clientKey.der --type ecdsa | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "O=xxx, CN=client" > clientCert.der

converted the der files to pem and packaged them into a pkcs12 file:

openssl pkcs12 -export -in clientCert.pem -name "client" -inkey clientKey.pem -certfile caCert.pem -caname "xxx CA" -out clientCert.p12

The first time I imported the caCert.pem and clientCert.p12 files into the Windows cert store I made a mistake and imported them into the current user account.
Deleted them and imported them into the "computer account",
and checked that it looks as in the last two screencaps at https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
It says "you have a private key that corresponds to this certificate".

The SAN and CN are the same for the server.

ipsec.conf settings are:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s

# Add connections here.

conn rw_pw                                       # this works
        left=%any
        leftsubnet=0.0.0.0/0,::0
        leftauth=pubkey
        leftcert=serverCert.der
        leftid=home1234.ddns.com
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=%dhcp
        rightdns=192.168.3.1
        eap_identity=%any
        auto=add

conn rw_cert                                     # this fails
        left=%any
        leftsubnet=0.0.0.0/0,::0
        leftauth=pubkey
        leftcert=serverCert.der
        leftid=home1234.ddns.com
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightauth=pubkey
        rightcert=clientCert.pem
        rightsourceip=%dhcp
        rightdns=192.168.3.1
        auto=add

Any suggestion on how to fix this issue?

regards
Yudi
</div>
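As an added example (not from the original post, nor strongSwan's own tooling), a small Go lint for the two server-certificate properties the post relies on: the serverAuth EKU set with --flag and a DNS SAN equal to leftid. The names CheckServerCert and NewTestCert are assumed here, the certificate it builds is constructed sample data rather than one of the post's files, and Go 1.15 or later is assumed so that VerifyHostname ignores the CN and matches the SAN only.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// CheckServerCert lints a DER certificate for the two properties the post's server
// cert is issued with: the serverAuth EKU and a SAN matching the IKE identity (leftid).
func CheckServerCert(der []byte, expectedID string) []string {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return []string{"cannot parse certificate: " + err.Error()}
	}
	problems := []string{} // one message per problem; empty means the cert passes
	hasServerAuth := false
	for _, eku := range cert.ExtKeyUsage {
		hasServerAuth = hasServerAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !hasServerAuth {
		problems = append(problems, "missing serverAuth extended key usage")
	}
	// VerifyHostname matches the SAN only (Go >= 1.15); a matching CN alone is not enough.
	if err := cert.VerifyHostname(expectedID); err != nil {
		problems = append(problems, "SAN does not match "+expectedID+": "+err.Error())
	}
	return problems
}

// NewTestCert builds a constructed self-signed ECDSA certificate (sample data for
// this example, not a real one) so the check can be exercised offline.
func NewTestCert(cn string, sans []string, eku []x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: sans, ExtKeyUsage: eku,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	// A cert issued like the post's client cert (CN only, no --san, no --flag) fails both checks.
	for _, p := range CheckServerCert(NewTestCert("home1234.ddns.com", nil, nil), "home1234.ddns.com") {
		fmt.Println("problem:", p)
	}
}
```

Run it against a real file by decoding the PEM with encoding/pem and passing block.Bytes and the leftid value to CheckServerCert.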