[strongSwan] Can't get IKEV2 machine certificates working for authentication (Windows 7 - Error 13806)

Anthony Moon amoon at ezp.net
Tue Oct 26 21:20:08 CEST 2010

The Windows 7 error is "Error 13806: IKE failed to find valid machine

Logs below:

[root at tony1 myCA]# ipsec start --nofork --debug-all
Starting strongSwan 4.4.1 IPsec [starter]...
| Default route found: iface=eth0, addr=, nexthop=
| Loading config setup
|   plutostart=no
| Loading conn %default
|   keyexchange=ikev2
|   ike=aes256-sha1-modp1024!
|   esp=aes256-sha1!
|   dpdaction=clear
|   dpddelay=300s
|   rekey=no
| Loading conn 'win7'
|   left=%defaultroute
|   leftcert=vpnCert.pem
|   leftsubnet=
|   leftid=@tony1.ezp.net
|   right=%any
|   rightsourceip=
|   keyexchange=ikev2
|   auto=add
| Found netkey IPsec stack
| Attempting to start charon...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.1)
00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     fe80::216:3eff:fe05:aa90
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from '/usr/lo
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[DMN] loaded plugins: aes des blowfish sha1 sha2 md4 md5 random x509 revocation pubkey pkcs1 pgp dnskey pem mysql openssl gcrypt fips-prf xcbc hmac gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-mschapv2
00[JOB] spawning 16 worker threads
charon (4770) started after 40 ms
14[CFG] received stroke: add connection 'win7'
14[CFG]   loaded certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from 'vpnCert.pe
14[CFG] added configuration 'win7'
14[CFG] adding virtual IP address pool 'win7':
15[NET] received packet: from[500] to[500]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] is initiating an IKE_SA
15[IKE] remote host is behind NAT
15[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=EZP,
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) H) ]
15[NET] sending packet: from[500] to[500]
16[JOB] deleting half open IKE_SA after timeout


That's the strongSwan IPsec daemon starting and one Windows 7 client connection
(that failed).

I'm following the strongSwan wiki article for setting up Windows 7 clients
for machine certificates:


And I've been following this blog for tips on the correct way to generate
the certificates:


I've tried a ton of different combinations; maybe I've not compiled
something needed to get this working properly.


Here's the ./configure line I used:


./configure --enable-md4 --enable-md5 --enable-eap-mschapv2
--enable-nat-transport --enable-sql --enable-mysql --enable-mediation
--enable-openssl --enable-gcrypt --enable-farp --enable-blowfish


Please help!

Anthony Moon

EZProvider Networks, Inc.


1.888.397.7853 x203
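The strongSwan guide for Windows 7 IKEv2 clients the post refers to requires the gateway certificate to be issued by a CA the client trusts, to carry the extendedKeyUsage serverAuth, and to list the hostname the client connects to (the leftid above, without the leading '@') in its subjectAltName. The following added example, which is not part of the original post and not strongSwan's own tooling, builds a throwaway CA and a gateway certificate with those properties using openssl and then checks a PEM file for them before it is placed in ipsec.d/certs. The DN values, the hostname tony1.ezp.net, the file names and the presence of the openssl command line tool are assumptions for illustration; giving the CA a CN distinct from the gateway's is a design choice of this example so the two certificates are distinguishable by DN.

```shell
#!/bin/sh
# Added example (not the poster's files): build a throwaway CA plus a gateway
# certificate carrying the extensions the strongSwan Windows 7 guide calls for
# (extendedKeyUsage serverAuth, subjectAltName equal to leftid), then verify
# them. Hostname, DN values and file names here are assumptions.
set -e

FQDN="tony1.ezp.net"          # must match leftid=@tony1.ezp.net in ipsec.conf
WORK="$(mktemp -d)"

# --- CA: its CN deliberately differs from the gateway's CN -----------------
cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = CA
ST = BC
L = Vancouver
O = EZP
CN = EZP Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
  -config "$WORK/ca.cnf" -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null

# --- gateway certificate request and the extensions it must be signed with ---
cat > "$WORK/vpn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = CA
ST = BC
L = Vancouver
O = EZP
CN = $FQDN
[vpn_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/vpn.cnf" \
  -keyout "$WORK/vpnKey.pem" -out "$WORK/vpn.csr" 2>/dev/null

# Signed WITH the extensions (good) and WITHOUT them (what the check must reject).
openssl x509 -req -days 730 -in "$WORK/vpn.csr" -CA "$WORK/caCert.pem" \
  -CAkey "$WORK/caKey.pem" -CAcreateserial -extfile "$WORK/vpn.cnf" \
  -extensions vpn_ext -out "$WORK/vpnCert.pem" 2>/dev/null
openssl x509 -req -days 730 -in "$WORK/vpn.csr" -CA "$WORK/caCert.pem" \
  -CAkey "$WORK/caKey.pem" -CAcreateserial -out "$WORK/badCert.pem" 2>/dev/null

# check_vpn_cert CERT FQDN: returns 0 when CERT is CA-issued, chains to
# caCert.pem, carries the serverAuth EKU and lists FQDN in its subjectAltName;
# prints the first failing property and returns 1 otherwise.
check_vpn_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  subj="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')"
  iss="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')"
  if [ "$subj" = "$iss" ]; then
    echo "$1: self-signed; the gateway certificate must be issued by the CA"; return 1
  fi
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo "$1: missing extendedKeyUsage serverAuth"; return 1
  fi
  if ! printf '%s\n' "$text" | grep -q "DNS:$2"; then
    echo "$1: subjectAltName does not contain DNS:$2"; return 1
  fi
  if ! openssl verify -CAfile "$WORK/caCert.pem" "$1" >/dev/null 2>&1; then
    echo "$1: does not chain to caCert.pem"; return 1
  fi
  echo "$1: OK for leftid=@$2"
}

check_vpn_cert "$WORK/vpnCert.pem" "$FQDN"
check_vpn_cert "$WORK/badCert.pem" "$FQDN" || true   # expected to be rejected
```

Run against a certificate generated by other means, `check_vpn_cert /etc/ipsec.d/certs/vpnCert.pem tony1.ezp.net` (paths assumed) reports the first missing property; the second argument must be exactly the name in leftid, since that is the identity the gateway presents in IKE_AUTH and the name the Windows client compares against the certificate.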

