<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:12.0pt;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’m trying to get Windows 10 clients connecting to our StrongSwan server with machine certificates (only), but I’m hitting a roadblock with the following error:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">“Verifying username and password...IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Error in Windows Event Viewer is 13806, which appears to be pretty common, but despite looking at various sources, I cannot make it work.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We’re using a PKI-as-a-service (SecureW2) for our certs and have placed intermediate and root CA certs into /etc/ipsec.d/cacerts, along with StrongSwan server’s cert in /etc/ipsec.d/certs and its private key
in /etc/ipsec.d/private/. Server device cert has Server and Client authentication set for EKU and hostname.domain.com for CN and SAN.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The Windows test device has its own cert in the machine store, along with CA intermediate and root certs in the appropriate cert stores. VPN connection is configured with PowerShell, and MachineCertificate
set as authentication method and VPN address is hostname.domain.com which matches CN on StrongSwan device cert. Machine cert is hostname.domain.com for CN and SAN and has Client Authentication set for EKU.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Events from /var/log/syslog:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] to XXX.XXX.XXX.XXX [500] (344 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] looking for an ike config for XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXX<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] candidate: %any...%any, prio 28<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any with prio 28<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor ID<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTING<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] selecting proposal:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] proposal matches<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] local host is behind NAT, sending keep alives<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] remote host is behind NAT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Root CA"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Intermediate CA"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (293 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (344 bytes)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nov 3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We have this setup working with macOS devices, so we know that the server is able to accept and establish connections.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Many thanks in advance,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
<div style="mso-line-height-rule:exactly;-webkit-text-size-adjust:100%;"><table cellpadding="0" cellspacing="0" border="0" style="width:100%;color:#000001;font-style:normal;font-weight:400;white-space:nowrap;"><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;color:#000001;font-style:normal;font-weight:400;white-space:nowrap;"><tr style="font-size:14.67px;"><td align="left" style="vertical-align:top;font-family:Calibri,Arial,sans-serif;"><br /><span style="font-family:remialcxesans;font-size:1px;color:#FFFFFF;line-height:1px;"></span><br /></td></tr><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;"><tr style="font-size:0;"><td align="left" style="padding:0;vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;line-height:normal;"><tr style="font-size:0;"><td align="left" style="padding:0 10px;vertical-align:top;"><img src="https://s3-eu-west-1.amazonaws.com/assets.techahoy.co.uk/email/image001-coral.png" width="110" height="54" border="0" alt="" style="width:110px;min-width:110px;max-width:110px;height:54px;min-height:54px;max-height:54px;font-size:0;" /></td></tr></table></td><td align="left" style="padding:0;vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;color:#000001;font-style:normal;font-weight:400;white-space:nowrap;"><tr style="font-size:14.67px;"><td align="left" style="vertical-align:top;font-family:Calibri,sans-serif;">3rd Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ</td></tr><tr style="font-size:0;"><td align="left" style="vertical-align:top;"><table cellpadding="0" cellspacing="0" border="0" style="font-size:0;color:#000001;font-style:normal;font-weight:400;white-space:nowrap;"><tr style="font-size:14.67px;"><td align="left" style="vertical-align:top;font-family:Calibri,Arial,sans-serif;">P: 020 3422 0000 <br /></td><td align="left" style="vertical-align:top;font-family:Calibri,Arial,sans-serif;"><span style="font-family:Calibri,sans-serif;">• </span>M: <a href="tel:07763%20230443" target="_blank" id="LPlnk689713" style="text-decoration:none;color:#000001;"><strong style="font-weight:400;">07763 230443 <br /></strong></a></td><td align="left" style="vertical-align:middle;font-family:Calibri,sans-serif;">• <br /></td><td align="left" style="vertical-align:top;font-family:Calibri,Arial,sans-serif;">E: <span style="color:#044A91;"><a href="mailto:mike.hill@techahoy.com" target="_blank" id="LPlnk689713" style="text-decoration:none;color:#044A91;"><strong style="font-weight:400;">mike.hill@techahoy.com</strong></a></span></td></tr></table></td></tr><tr style="font-size:14.67px;color:#044A91;"><td align="left" style="vertical-align:top;font-family:Calibri,Arial,sans-serif;"><a href="https://www.techahoy.com/" target="_blank" id="LPlnk689713" title="www.techahoy.com" style="text-decoration:none;color:#044A91;"><strong style="font-weight:400;">www.techahoy.co</strong></a>m</td></tr></table></td></tr></table></td></tr></table></td></tr></table></td></tr><tr style="font-size:14.67px;"><td align="left" style="vertical-align:top;font-family:Calibri,Arial,sans-serif;"> <br /></td></tr></table></div></body>
</html>