[strongSwan] Win7 client not finding machine certificate
Matthias Dahl
ml-strongswan at binary-island.eu
Tue Mar 16 17:21:44 CET 2010
Hi everyone.
Today I would have needed my tunnel on a windows machine and I just couldn't
get it to work. I keep on getting an error that windows is unable to find a
valid client machine certificate. I have imported both the client certificate
along with the CA certificate properly (machine account, ...).
I have searched the web and I am totally out of ideas, honestly. By the way, I
created all certificates w/ strongswan's pki utility and converted to pkcs#12
with openssl 0.9.8m.
This is my CA certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            AXED
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=DE, O=Axed Name, CN=Axed Name CA
        Validity
            Not Before: Mar 6 15:34:21 2010 GMT
            Not After : Feb 18 15:34:21 2013 GMT
        Subject: C=DE, O=Axed Name, CN=Axed Name CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    AXED
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AXED
            X509v3 Authority Key Identifier:
                keyid:AXED
    Signature Algorithm: ecdsa-with-SHA512
        AXED
And this is my client certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            AXED
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=DE, O=Axed Name, CN=Axed Name CA
        Validity
            Not Before: Mar 16 08:38:22 2010 GMT
            Not After : Feb 28 08:38:22 2013 GMT
        Subject: C=DE, O=Axed Name, CN=someid at somewhere Windows7
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    AXED
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AXED
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: ecdsa-with-SHA512
        AXED
Oh and this is my server certificate but I doubt something is wrong with that
because it never gets to that point obviously:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            AXED
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=DE, O=Axed Name, CN=Axed Name CA
        Validity
            Not Before: Mar 16 10:19:40 2010 GMT
            Not After : Feb 28 10:19:40 2013 GMT
        Subject: C=DE, O=Axed Name, CN=server-fqdn
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    AXED
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AXED
            X509v3 Subject Alternative Name:
                DNS:server-fqdn
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: ecdsa-with-SHA512
        AXED
The log shows the following on the server side for each try windows makes:
Mar 16 09:15:10 charon: 13[NET] received packet: from clientip[500] to serverip[500]
Mar 16 09:15:10 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 16 09:15:10 charon: 13[IKE] clientip is initiating an IKE_SA
Mar 16 09:15:10 charon: 13[IKE] remote host is behind NAT
Mar 16 09:15:10 charon: 13[IKE] sending cert request for "C=DE, O=Axed Name, CN=Axed Name CA"
Mar 16 09:15:10 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 16 09:15:10 charon: 13[NET] sending packet: from serverip[500] to clientip[500]
Mar 16 09:15:40 charon: 16[JOB] deleting half open IKE_SA after timeout
Like I said, I am out of ideas. It works just flawlessly under Linux in the
same network environment behind the same router on the same machine.
I'd really appreciate any ideas, hints, suggestions or help. Thanks a lot in
advance.
So long,
matthias
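For anyone debugging a setup like this one, below is a small checker that runs over `openssl x509 -text -noout` dumps of a CA and a client certificate and tests what the server's CERTREQ implies the client must be able to satisfy: the client certificate names the CA as its issuer, its Authority Key Identifier matches the CA's Subject Key Identifier, the CA carries Basic Constraints CA:TRUE, both certificates are within their validity period at the time of the attempt, and the client certificate carries the TLS Web Client Authentication EKU. A missing Subject Key Identifier on the client certificate is reported as a warning only, since RFC 5280 recommends but does not require one for end-entity certificates. This is an added example, not part of the post above or of strongSwan; the two dumps inside it are constructed with made-up names and key ids, and `parse_x509_text`, `check_chain` and `audit` are this example's own helpers.

```python
"""Consistency checks over `openssl x509 -text -noout` dumps of a CA and a
client certificate. The dumps below are constructed for this example."""
import re
from datetime import datetime

# Constructed CA dump, laid out like openssl prints it (key id is made up).
CA_TEXT = """\
Certificate:
    Data:
        Issuer: C=DE, O=Example Org, CN=Example Org CA
        Validity
            Not Before: Mar  6 15:34:21 2010 GMT
            Not After : Feb 18 15:34:21 2013 GMT
        Subject: C=DE, O=Example Org, CN=Example Org CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:00:11:22:33
    Signature Algorithm: ecdsa-with-SHA512
"""

# Constructed client dump: chains to the CA above, no SKID, clientAuth EKU.
CLIENT_TEXT = """\
Certificate:
    Data:
        Issuer: C=DE, O=Example Org, CN=Example Org CA
        Validity
            Not Before: Mar 16 08:38:22 2010 GMT
            Not After : Feb 28 08:38:22 2013 GMT
        Subject: C=DE, O=Example Org, CN=win7-client.example.org
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:00:11:22:33
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: ecdsa-with-SHA512
"""

# Same client dump, but naming a different issuer and carrying a server EKU.
BAD_CLIENT_TEXT = (CLIENT_TEXT
                   .replace("CN=Example Org CA", "CN=Other CA")
                   .replace("TLS Web Client Authentication",
                            "TLS Web Server Authentication"))


def _parse_time(s):
    """'Mar  6 15:34:21 2010 GMT' -> naive datetime (openssl prints GMT)."""
    return datetime.strptime(re.sub(r"\s+GMT$", "", s.strip()),
                             "%b %d %H:%M:%S %Y")


def parse_x509_text(text):
    """Pull issuer, subject, validity and X509v3 extensions out of a dump."""
    cert = {"issuer": None, "subject": None, "not_before": None,
            "not_after": None, "extensions": {}}
    in_exts, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            cert["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject:"):
            cert["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Not Before:"):
            cert["not_before"] = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            cert["not_after"] = _parse_time(line.split(":", 1)[1])
        elif line == "X509v3 extensions:":
            in_exts = True
        elif in_exts and line.startswith("Signature Algorithm:"):
            in_exts = False                      # end of the extension block
        elif in_exts and line.startswith("X509v3 "):
            name, _, flags = line[len("X509v3 "):].partition(":")
            current = name.strip()
            cert["extensions"][current] = {"critical": "critical" in flags,
                                           "values": []}
        elif in_exts and current and line:
            cert["extensions"][current]["values"].append(line)
    return cert


def check_chain(ca, client, at):
    """Return findings ('fail: ...' / 'warn: ...'); empty means consistent."""
    findings = []
    ca_ext, cl_ext = ca["extensions"], client["extensions"]
    if client["issuer"] != ca["subject"]:
        findings.append("fail: client issuer %r != CA subject %r"
                        % (client["issuer"], ca["subject"]))
    if "CA:TRUE" not in ca_ext.get("Basic Constraints", {}).get("values", []):
        findings.append("fail: CA certificate lacks Basic Constraints CA:TRUE")
    ca_keyid = next(iter(ca_ext.get("Subject Key Identifier", {})
                         .get("values", [])), None)
    cl_keyid = next((v[len("keyid:"):] for v in
                     cl_ext.get("Authority Key Identifier", {}).get("values", [])
                     if v.startswith("keyid:")), None)
    if ca_keyid and cl_keyid and ca_keyid != cl_keyid:
        findings.append("fail: client AKID keyid %s != CA SKID %s"
                        % (cl_keyid, ca_keyid))
    for label, c in (("CA", ca), ("client", client)):
        if not (c["not_before"] <= at <= c["not_after"]):
            findings.append("fail: %s certificate not valid at %s"
                            % (label, at.isoformat()))
    eku = cl_ext.get("Extended Key Usage", {}).get("values", [])
    if not any("TLS Web Client Authentication" in v for v in eku):
        findings.append("fail: client certificate lacks EKU clientAuth")
    if "Subject Key Identifier" not in cl_ext:
        findings.append("warn: client certificate has no Subject Key "
                        "Identifier (RFC 5280 recommends one)")
    return findings


def audit(ca_text, client_text, at_iso):
    """Parse both dumps and check them at an ISO-8601 timestamp."""
    return check_chain(parse_x509_text(ca_text), parse_x509_text(client_text),
                       datetime.fromisoformat(at_iso))


if __name__ == "__main__":
    for name, txt in (("client", CLIENT_TEXT), ("bad client", BAD_CLIENT_TEXT)):
        print(name, audit(CA_TEXT, txt, "2010-03-16T09:15:10") or ["ok"])
```

To use it on real certificates, feed the output of `openssl x509 -in cert.pem -text -noout` for the CA and the client in place of the constructed strings; the time argument should be the timestamp of the failing IKE_SA_INIT in the charon log, so that an expired or not-yet-valid certificate shows up as a finding rather than being masked by the current date.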