<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 1/24/2017 04:12, Yudi V wrote:<br>
    <blockquote
cite="mid:CACo--msQJWj5MPoTYmNkouAGqyLq+uSjZtuyuiODBikNORwPJQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Wed, Jan 18, 2017 at 1:12 AM, Karl
            Denninger <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF">
                <div>
                  <div class="gmail-h5"> <br>
                    <div
                      class="gmail-m_-1619276895783112996moz-cite-prefix">On
                      1/17/2017 07:10, Yudi V wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Hi,<br>
                        <br>
                        Error 13806<br>
                        Authentication from Windows 10 client fails when
                        trying to use just certificates but EAP-Mschapv2
                        it works fine.    <br>
                        Error 13806, "IKE failed to find valid machine
                        certificate"<br>
                        <br>
                        I followed the advise about certificate needs
                        for windows.<br>
                        All the keys are of type ecdsa:<br>
                        <br>
                        server cert:<br>
                        Ipsec   pki --pub --in  serverKey.der --type
                        ecdsa |  ipsec pki --issue --cacert caCert.der
                        --cakey caKey.der --dn "O=xxx, CN=<a
                          moz-do-not-send="true"
                          href="http://home1234.ddns.com"
                          target="_blank">home1234.ddns.com</a>"   
                        --san="<a moz-do-not-send="true"
                          href="http://home1234.ddns.com"
                          target="_blank">home1234.ddns.com</a>"  --flag
                        serverAuth --flag   ikeIntermediate   >
                        serverCert.der<br>
                        <br>
                        client cert:<br>
                        ipsec pki --pub --in clientKey.der   --type
                        ecdsa | ipsec pki --issue --cacert caCert.der
                        --cakey caKey.der --dn "O=xxx, CN=client"  >
                        clientCert.der<br>
                        <br>
                        converted der files to pem and packaged them
                        into pkcs12 file<br>
                        <br>
                        openssl pkcs12 -export -in clientCert.pem -name
                        "client" -inkey clientKey.pem -certfile
                        caCert.pem -caname "xxx CA" -out clientCert.p12<br>
                        <br>
                        the first time I imported caCert.pem and
                        clientCert.p12 files into windwos cert store I
                        made a mistake and imported them into the
                        current user account.<br>
                        Deleted them and imported them into the
                        "computer account".<br>
                        and checked that it looks as in the last two
                        sreencaps at <a moz-do-not-send="true"
                          href="https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs"
                          target="_blank">https://wiki.strongswan.org/<wbr>projects/strongswan/wiki/<wbr>Win7Certs</a><br>
                        it says you have a private key that corresponds
                        to this certificate.<br>
                        <br>
                        the san and CN are same for the server.<br>
                        <br>
                        ipsec.conf settings are:<br>
                        <br>
                        # ipsec.conf - strongSwan IPsec configuration
                        file<br>
                        <br>
                        # basic configuration<br>
                        <br>
                        config setup<br>
                                # strictcrlpolicy=yes<br>
                                # uniqueids = no<br>
                        <br>
                        conn %default<br>
                                keyexchange=ikev2<br>
                                dpdaction=clear<br>
                                dpddelay=300s<br>
                        <br>
                        # Add connections here.<br>
                        <br>
                        <br>
                        conn rw_pw                         <wbr>             
                        # this works<br>
                                left=%any<br>
                                leftsubnet=<a moz-do-not-send="true"
                          href="http://0.0.0.0/0,::0" target="_blank">0.0.0.0/0,::0</a><br>
                                leftauth=pubkey<br>
                                leftcert=serverCert.der         <br>
                                leftid=<a moz-do-not-send="true"
                          href="http://home1234.ddns.com"
                          target="_blank">home1234.ddns.com</a>     <br>
                                leftfirewall=yes              <br>
                                lefthostaccess=yes             <br>
                                right=%any<br>
                                rightauth=eap-mschapv2        <br>
                                rightsourceip=%dhcp<br>
                                rightdns=192.168.3.1<br>
                                eap_identity=%any<br>
                                auto=add<br>
                        <br>
                        conn rw_cert                       <wbr>       
                        # this fails  <br>
                                left=%any<br>
                                leftsubnet=<a moz-do-not-send="true"
                          href="http://0.0.0.0/0,::0" target="_blank">0.0.0.0/0,::0</a><br>
                                leftauth=pubkey<br>
                                leftcert=serverCert.der         <br>
                                leftid=<a moz-do-not-send="true"
                          href="http://home1234.ddns.com"
                          target="_blank">home1234.ddns.com</a>      <br>
                                leftfirewall=yes              <br>
                                lefthostaccess=yes             <br>
                                right=%any<br>
                                rightauth=pubkey              <br>
                                rightcert=clientCert.pem<br>
                                rightsourceip=%dhcp<br>
                                rightdns=192.168.3.1<br>
                                auto=add<br>
                        <br>
                        <br>
                        Any suggestion on how to fix this issue?<br>
                        <br>
                        regards<br>
                        Yudi</div>
                      <br>
                      <br>
                    </blockquote>
                    <br>
                  </div>
                </div>
                Windows 10 is hosed in the head (as are other windows
                versions); here's what I have, and it works -- but it
                took a while to figure it out by turning debugging up
                and chasing what the two sides were saying to each
                other.  You do not want eap-mschapv2 unless you're using
                a password; for a machine certificate you want eap-tls
                (which may not be in your build; if not you will have to
                add it), and the eap_identity clause is also required.<br>
                <br>
                Snip from ipsec.conf:<br>
                <br>
                conn WinUserCert<br>
                        left=%any<br>
                        leftsubnet=<a moz-do-not-send="true"
                  href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
                        leftcert=genesis.denninger.<wbr>net.crt<br>
                        leftauth=pubkey<br>
                        right=%any<br>
                        rightsourceip=<a moz-do-not-send="true"
                  href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a><br>
                        rightauth=eap-tls<br>
                        eap_identity=%identity<br>
                        auto=add<br>
                        dpdaction=clear<br>
                        dpddelay=300s<br>
                <br>
                And then the cert must contain:<br>
                <br>
                Certificate:<br>
                    Data:<br>
                        Version: 3 (0x2)<br>
                        Serial Number: 61 (0x3d)<br>
                    Signature Algorithm: sha256WithRSAEncryption<br>
                        Issuer: C=US, ST=Florida, L=Niceville, O=Cuda
                Systems LLC, CN=Cuda Syste<br>
                ms LLC CA/emailAddress=Cuda Systems LLC CA<br>
                        Validity<br>
                            Not Before: Dec 18 19:45:35 2016 GMT<br>
                            Not After : Dec 17 19:45:35 2021 GMT<br>
                        Subject: C=US, ST=Florida, O=Cuda Systems LLC, <a
                  moz-do-not-send="true"
                  class="gmail-m_-1619276895783112996moz-txt-link-abbreviated"
                  href="mailto:CN=karl@denninger.net" target="_blank">CN=karl@denninger.net</a><br>
                        Subject Public Key Info:<br>
                            Public Key Algorithm: rsaEncryption<br>
                                Public-Key: (4096 bit)<br>
                                Modulus:<br>
                                    00:cd:8d:e6:66:b1:b3:b3:64:a1:<wbr>8f:60:e4:d3:31:<br>
                                    15:69:65:d1:36:22:3b:b8:17:ac:<wbr>66:53:a3:7a:b6:<br>
                .....<br>
                <br>
                                Exponent: 65537 (0x10001)<br>
                        X509v3 extensions:<br>
                            Authority Information Access:<br>
                                OCSP - URI:<a moz-do-not-send="true"
                  class="gmail-m_-1619276895783112996moz-txt-link-freetext"
                  href="http://cudasystems.net:8888" target="_blank">http://cudasystems.net:<wbr>8888</a><br>
                <br>
                            X509v3 Basic Constraints:<br>
                                CA:FALSE<br>
                            Netscape Cert Type:<br>
                                SSL Client, S/MIME<br>
                            X509v3 Key Usage:<br>
                                Digital Signature, Non Repudiation, Key
                Encipherment<br>
                            Netscape Comment:<br>
                                OpenSSL Generated Certificate<br>
                            X509v3 Subject Key Identifier:<br>
                                A5:F0:08:DF:2F:BB:E7:5A:69:F4:<wbr>0D:30:EA:F2:47:C7:C4:68:47:F3<br>
                            X509v3 Authority Key Identifier:<br>
                                keyid:24:71:9B:9D:85:7D:FC:DD:<wbr>DD:BD:B0:CA:92:94:03:A1:FA:D3:<wbr>6D:35<br>
                <br>
                            X509v3 Subject Alternative Name:<br>
                                <a moz-do-not-send="true"
                  class="gmail-m_-1619276895783112996moz-txt-link-abbreviated"
                  href="mailto:email:karl@denninger.net" target="_blank">email:karl@denninger.net</a><br>
                    Signature Algorithm: sha256WithRSAEncryption<br>
                         62:07:a3:25:ba:0c:58:25:d7:1c:<wbr>0f:c6:e8:67:fb:bc:77:c5:<br>
                ....<br>
                <br>
                Note that BOTH SAN and CN are set in the user
                certificate.  SAN is there because I use this cert/key
                pair for S/MIME as well.  However, if you don't set CN
                to the same thing (which is usually not done if SAN is
                set) then Win10 will send the CN, whatever it may be
                (e.g. the user's full name), and StrongSwan won't find
                the cert because when it looks for it in the certificate
                store it compares against SAN and the comparison fails.<span
                  class="gmail-HOEnZb"><font color="#888888"><br>
                    <br>
                    <br>
                    <div
                      class="gmail-m_-1619276895783112996moz-signature">--
                      <br>
                      Karl Denninger<br>
                      <a moz-do-not-send="true"
                        href="mailto:karl@denninger.net" target="_blank">karl@denninger.net</a><br>
                      <i>The Market Ticker</i><br>
                      <font size="-2"><i>[S/MIME encrypted email
                          preferred]</i></font> </div>
                  </font></span></div>
              <br>
              ______________________________<wbr>_________________<br>
              Users mailing list<br>
              <a moz-do-not-send="true"
                href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
              <a moz-do-not-send="true"
                href="https://lists.strongswan.org/mailman/listinfo/users"
                rel="noreferrer" target="_blank">https://lists.strongswan.org/<wbr>mailman/listinfo/users</a><br>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <div>
            <div>
              <div>Hi Karl,<br>
                <br>
              </div>
              Sorry about the delayed reply.<br>
              I was finally able to use EAP-TLS, I think not having SAN
              same as CN on the client certificate caused it to fail. I
              cannot be 100% sure as I also had incorrect config to
              start with. <br>
              <br>
              <br>
            </div>
            I just got one more issue to sort out. How does the server
            decide which "conn" to use when a peer is trying to connect.<br>
          </div>
          <div>when I try to connect from the windows client, I can
            connect to either rw_cert or rw_pw when one of them is
            commented out.  But if both of them are listed, then it
            always tries to use rw_pw (ie, eap-mschapv2) if it is listed
            before rw_cert.<br>
          </div>
          <div>If I swap the order of rw_pw and rw_cert (listed before
            rw_pw) then it always tries to use eap-tls. <br>
          </div>
          <div><br>
          </div>
          <div>I am guessing the information sent by the client to the
            server has some bearing on which "conn" to use. <br>
          </div>
          <div>Is there anyway to dictate which "conn" should be used?<br>
          </div>
          <div><br>
          </div>
          My current config looks like below:<br>
          <br>
          conn %default<br>
                  keyexchange=ikev2<br>
                  dpdaction=clear<br>
                  dpddelay=300s<br>
          <br>
                  left=%any<br>
                  leftsubnet=<a moz-do-not-send="true"
            href="http://0.0.0.0/0,::0">0.0.0.0/0,::0</a><br>
                  leftauth=pubkey<br>
                  leftcert=serverCert.der        <br>
                  leftid=<a moz-do-not-send="true"
            href="http://home1234.ddns.com" target="_blank">home1234.ddns.com</a>     
          <br>
                  leftfirewall=yes              <br>
                  lefthostaccess=yes            <br>
          <br>
                  right=%any<br>
                  rightsourceip=%dhcp<br>
                  rightdns=192.168.3.1<br>
          <br>
          conn rw_pw<br>
                  rightauth=eap-mschapv2         #using password<br>
                  eap_identity=%any<br>
                  auto=add<br>
          <br>
          conn rw_cert<br>
                  rightauth=eap-tls              #using certificate<br>
                  rightsendcert=never<br>
                  eap_identity=%any<br>
                  auto=add<br>
          <br>
          <div>thanks!<br>
          </div>
          yudi<br>
          <br>
        </div>
      </div>
    </blockquote>
    Whichever one it can match options with first.  If you have multiple
    client types connecting you need to be careful what order the
    various required options are listed in within the config file.<br>
    <br>
    <div class="moz-signature">-- <br>
      Karl Denninger<br>
      <a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
      <i>The Market Ticker</i><br>
      <font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
    </div>
  </body>
</html>