[strongSwan] Win7 client not finding machine certificate

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 16 17:28:29 CET 2010


Hello Matthias,

Microsoft's new Agile VPN Client unfortunately does not support
elliptic curve certificates [yet], so that installed ECC machine
certificates are just not visible for IKEv2 connection.
ECC certificates can currently be used for IKEv1 connections only
which are set up by the "old" Advanced Firewall client.

Regards

Andreas

Matthias Dahl wrote:
> Hi everyone.
> 
> Today I would have needed my tunnel on a windows machine and I just couldn't 
> get it to work. I keep on getting an error that windows is unable to find a 
> valid client machine certificate. I have imported both the client certificate 
> along the CA certificate properly (machine account, ...).
> 
> I have searched the web and I am totally out of ideas, honestly. By the way, I 
> created all certificates w/ strongswan's pki utility and converted to pkcs#12 
> with openssl 0.9.8m.
> 
> This is my CA certificate:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             AXED
>         Signature Algorithm: ecdsa-with-SHA512
>         Issuer: C=DE, O=Axed Name, CN=Axed Name CA
>         Validity
>             Not Before: Mar  6 15:34:21 2010 GMT
>             Not After : Feb 18 15:34:21 2013 GMT
>         Subject: C=DE, O=Axed Name, CN=Axed Name CA
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>             EC Public Key:
>                 pub: 
>                     AXED
>                 ASN1 OID: secp384r1
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Subject Key Identifier: 
>                 AXED
>             X509v3 Authority Key Identifier: 
>                 keyid:AXED
> 
>     Signature Algorithm: ecdsa-with-SHA512
>         AXED
> 
> And this is my client certificate:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             AXED
>         Signature Algorithm: ecdsa-with-SHA512
>         Issuer: C=DE, O=Axed Name, CN=Axed Name CA
>         Validity
>             Not Before: Mar 16 08:38:22 2010 GMT
>             Not After : Feb 28 08:38:22 2013 GMT
>         Subject: C=DE, O=Axed Name, CN=someid at somewhere Windows7
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>             EC Public Key:
>                 pub: 
>                     AXED
>                 ASN1 OID: secp384r1
>         X509v3 extensions:
>             X509v3 Authority Key Identifier: 
>                 keyid:AXED
> 
>             X509v3 Extended Key Usage: 
>                 TLS Web Client Authentication
>     Signature Algorithm: ecdsa-with-SHA512
>         AXED
> 
> Oh and this is my server certificate but I doubt something is wrong with that 
> because it never gets to that point obviously:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             AXED
>         Signature Algorithm: ecdsa-with-SHA512
>         Issuer: C=DE, O=Axed Name, CN=Axed Name CA
>         Validity
>             Not Before: Mar 16 10:19:40 2010 GMT
>             Not After : Feb 28 10:19:40 2013 GMT
>         Subject: C=DE, O=Axed Name, CN=server-fqdn
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>             EC Public Key:
>                 pub: 
>                     AXED
>                 ASN1 OID: secp384r1
>         X509v3 extensions:
>             X509v3 Authority Key Identifier: 
>                 keyid:AXED
> 
>             X509v3 Subject Alternative Name: 
>                 DNS:server-fqdn
>             X509v3 Extended Key Usage: 
>                 TLS Web Server Authentication
>     Signature Algorithm: ecdsa-with-SHA512
>         AXED
> 
> The log shows the following on the server side for each try windows makes:
> 
> Mar 16 09:15:10 charon: 13[NET] received packet: from clientip[500] to 
> serverip[500]
> Mar 16 09:15:10 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) ]
> Mar 16 09:15:10 charon: 13[IKE] clientip is initiating an IKE_SA
> Mar 16 09:15:10 charon: 13[IKE] remote host is behind NAT
> Mar 16 09:15:10 charon: 13[IKE] sending cert request for "C=DE, O=Axed Name, 
> CN=Axed Name CA"
> Mar 16 09:15:10 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Mar 16 09:15:10 charon: 13[NET] sending packet: from serverip[500] to 
> clientip[500]
> Mar 16 09:15:40 charon: 16[JOB] deleting half open IKE_SA after timeout
> 
> Like I said, I am out of ideas. It works just flawlessly under Linux in the 
> same network environment behind the same router on the same machine.
> 
> I'd really appreciate any ideas, hints, suggestions or help. Thanks a lot in 
> advance.
> 
> So long,
> matthias
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
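An added example, not from this thread or the strongSwan project: a small parser for the `openssl x509 -text` dump format quoted above that pulls out the key algorithm and curve and applies the check Andreas's reply implies (an id-ecPublicKey machine certificate is not offered by the Windows 7 Agile VPN client for IKEv2, only for IKEv1). The embedded sample is constructed after Matthias's client certificate, with the key and signature bytes replaced by the same AXED placeholder he used.

```python
"""Classify a certificate from `openssl x509 -text` output for the Win7 IKEv2 client."""
import re

# Constructed sample modelled on the client certificate dump in the thread
# (key and signature bytes replaced by the placeholder used in the post).
SAMPLE_CLIENT_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=DE, O=Axed Name, CN=Axed Name CA
        Subject: C=DE, O=Axed Name, CN=someid at somewhere Windows7
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    AXED
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: ecdsa-with-SHA512
        AXED
"""

def parse_x509_text(text):
    """Pull the fields needed for the compatibility check out of the text dump."""
    fields = {}
    for key in ("Subject", "Issuer", "Signature Algorithm",
                "Public Key Algorithm", "ASN1 OID"):
        # first occurrence of "<key>: value" at the start of a line
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(key), text, re.M)
        fields[key] = m.group(1) if m else None
    # EKU values sit on the line following the extension header
    eku = re.search(r"Extended Key Usage:\s*\n\s*(.+?)\s*$", text, re.M)
    fields["EKU"] = [u.strip() for u in eku.group(1).split(",")] if eku else []
    return fields

def win7_ikev2_usable(fields):
    """Return (usable, reason) for the Windows 7 Agile VPN (IKEv2) client."""
    if fields["Public Key Algorithm"] == "id-ecPublicKey":
        return False, ("EC key on %s: not visible to the Win7 IKEv2 client, "
                       "usable for IKEv1 only" % fields["ASN1 OID"])
    return True, "non-EC key (%s)" % fields["Public Key Algorithm"]

if __name__ == "__main__":
    f = parse_x509_text(SAMPLE_CLIENT_CERT)
    print(f["Subject"], "->", win7_ikev2_usable(f))
```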