[strongSwan] Can't get IKEV2 machine certificates working for authentication (Windows 7 - Error 13806)

Anthony Moon amoon at ezp.net
Tue Oct 26 21:20:08 CEST 2010


The Windows 7 error is "Error 13806: IKE failed to find valid machine
certificate"

Logs below:

[root at tony1 myCA]# ipsec start --nofork --debug-all
Starting strongSwan 4.4.1 IPsec [starter]...
| Default route found: iface=eth0, addr=66.199.171.245, nexthop=66.199.171.1
| Loading config setup
|   plutostart=no
| Loading conn %default
|   keyexchange=ikev2
|   ike=aes256-sha1-modp1024!
|   esp=aes256-sha1!
|   dpdaction=clear
|   dpddelay=300s
|   rekey=no
| Loading conn 'win7'
|   left=%defaultroute
|   leftcert=vpnCert.pem
|   leftsubnet=0.0.0.0/24
|   leftid=@tony1.ezp.net
|   right=%any
|   rightsourceip=10.10.0.0/24
|   keyexchange=ikev2
|   auto=add
| Found netkey IPsec stack
| Attempting to start charon...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.1)
00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     66.199.171.245
00[KNL]     192.168.100.181
00[KNL]     fe80::216:3eff:fe05:aa90
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from '/usr/local/etc/ipsec.d/cacerts/ca.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/aKey.pem'
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[DMN] loaded plugins: aes des blowfish sha1 sha2 md4 md5 random x509 revocation pubkey pkcs1 pgp dnskey pem mysql openssl gcrypt fips-prf xcbc hmac gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-mschapv2
00[JOB] spawning 16 worker threads
charon (4770) started after 40 ms
14[CFG] received stroke: add connection 'win7'
14[CFG]   loaded certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from 'vpnCert.pem'
14[CFG] added configuration 'win7'
14[CFG] adding virtual IP address pool 'win7': 10.10.0.0/24
15[NET] received packet: from 64.180.3.28[500] to 66.199.171.245[500]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 64.180.3.28 is initiating an IKE_SA
15[IKE] remote host is behind NAT
15[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net"
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[NET] sending packet: from 66.199.171.245[500] to 64.180.3.28[500]
16[JOB] deleting half open IKE_SA after timeout

That's the strongSwan ipsec daemon starting and one Windows 7 client connection
(that failed).

I'm following the strongSwan wiki article for setting up Windows 7 clients
for machine certificates:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7MultipleConfig

And I've been following this blog for tips on the correct way to generate
the certificates:
http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx

I've tried a ton of different combinations; maybe I've not compiled
something to get this working properly.

Here's the ./configure line I used:

./configure --enable-md4 --enable-md5 --enable-eap-mschapv2
--enable-nat-transport --enable-sql --enable-mysql --enable-mediation
--enable-openssl --enable-gcrypt --enable-farp --enable-blowfish

Please help!

-- 
Anthony Moon
EZProvider Networks, Inc.
http://ezp.net
1.888.397.7853 x203
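The charon log in the post ends with an IKE_SA_INIT response carrying CERTREQ and then a half-open SA timeout, with no IKE_AUTH from the client. The following is an added example, not code from the original post or from strongSwan, that reduces a charon debug log to the last IKEv2 stage reached and states what that implies for where to look next; the sample lines are copied from the log above, while the diagnose() helper, its field names and its verdict wording are my own.

```python
import re

# Constructed sample: the charon lines for the failed Windows 7 attempt quoted above.
SAMPLE_LOG = """\
15[NET] received packet: from 64.180.3.28[500] to 66.199.171.245[500]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 64.180.3.28 is initiating an IKE_SA
15[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net"
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[NET] sending packet: from 66.199.171.245[500] to 64.180.3.28[500]
16[JOB] deleting half open IKE_SA after timeout
"""

# Matches "parsed <exchange> request" (inbound) and "generating <exchange> response" (outbound).
EXCHANGE = re.compile(r"\[ENC\] (parsed|generating) (\w+) (request|response) \d+ \[ (.*) \]")
CERTREQ_FOR = re.compile(r'sending cert request for "([^"]*)"')
TIMEOUT = "deleting half open IKE_SA after timeout"

def diagnose(log_text):
    """Reduce a charon debug log to the last IKEv2 stage reached plus a verdict (hypothetical helper)."""
    exchanges, certreq_ca, timed_out = [], None, False
    for line in log_text.splitlines():
        m = EXCHANGE.search(line)
        if m:  # record direction, exchange type and the payload list, e.g. ['SA', 'KE', ..., 'CERTREQ']
            direction = "in" if m.group(1) == "parsed" else "out"
            exchanges.append((direction, m.group(2), m.group(4).split()))
        m = CERTREQ_FOR.search(line)
        if m:  # the CA DN we asked the peer to present a certificate from
            certreq_ca = m.group(1)
        timed_out = timed_out or TIMEOUT in line

    init_in = any(d == "in" and ex == "IKE_SA_INIT" for d, ex, _ in exchanges)
    certreq_out = any(d == "out" and "CERTREQ" in p for d, _, p in exchanges)
    auth_in = any(d == "in" and ex == "IKE_AUTH" for d, ex, _ in exchanges)

    if auth_in:
        stage, verdict = "IKE_AUTH", "peer sent IKE_AUTH; inspect the later [IKE] auth/cert lines"
    elif init_in and timed_out:
        stage = "IKE_SA_INIT"
        verdict = ("peer never sent IKE_AUTH after our CERTREQ"
                   + (f" for CA '{certreq_ca}'" if certreq_ca else "")
                   + "; the initiator gave up before authenticating, which points at a"
                   " client-side certificate lookup failure, not a server-side rejection")
    elif init_in:
        stage, verdict = "IKE_SA_INIT", "handshake still in progress"
    else:
        stage, verdict = "none", "no IKE_SA_INIT received; check UDP 500/4500 reachability"
    return {"stage": stage, "certreq_sent": certreq_out, "certreq_ca": certreq_ca,
            "ike_auth_received": auth_in, "verdict": verdict}
```

For the quoted log this reports that the server answered IKE_SA_INIT with a CERTREQ for the loaded CA and the client never replied with IKE_AUTH, which is consistent with the client-side "failed to find valid machine certificate" error rather than a certificate rejection by charon.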

 
