[strongSwan] Can't get IKEV2 machine certificates working for authentication (Windows 7 - Error 13806)
Anthony Moon
amoon at ezp.net
Tue Oct 26 21:20:08 CEST 2010
The Windows 7 error is "Error 13806: IKE failed to find valid machine certificate".
Logs below:
[root at tony1 myCA]# ipsec start --nofork --debug-all
Starting strongSwan 4.4.1 IPsec [starter]...
| Default route found: iface=eth0, addr=66.199.171.245, nexthop=66.199.171.1
| Loading config setup
| plutostart=no
| Loading conn %default
| keyexchange=ikev2
| ike=aes256-sha1-modp1024!
| esp=aes256-sha1!
| dpdaction=clear
| dpddelay=300s
| rekey=no
| Loading conn 'win7'
| left=%defaultroute
| leftcert=vpnCert.pem
| leftsubnet=0.0.0.0/24
| leftid=@tony1.ezp.net
| right=%any
| rightsourceip=10.10.0.0/24
| keyexchange=ikev2
| auto=add
| Found netkey IPsec stack
| Attempting to start charon...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.1)
00[CFG] attr-sql plugin: database URI not set
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 66.199.171.245
00[KNL] 192.168.100.181
00[KNL] fe80::216:3eff:fe05:aa90
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from '/usr/local/etc/ipsec.d/cacerts/ca.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/aKey.pem'
00[CFG] sql plugin: database URI not set
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[DMN] loaded plugins: aes des blowfish sha1 sha2 md4 md5 random x509 revocation pubkey pkcs1 pgp dnskey pem mysql openssl gcrypt fips-prf xcbc hmac gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-mschapv2
00[JOB] spawning 16 worker threads
charon (4770) started after 40 ms
14[CFG] received stroke: add connection 'win7'
14[CFG] loaded certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from 'vpnCert.pem'
14[CFG] added configuration 'win7'
14[CFG] adding virtual IP address pool 'win7': 10.10.0.0/24
15[NET] received packet: from 64.180.3.28[500] to 66.199.171.245[500]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 64.180.3.28 is initiating an IKE_SA
15[IKE] remote host is behind NAT
15[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net"
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[NET] sending packet: from 66.199.171.245[500] to 64.180.3.28[500]
16[JOB] deleting half open IKE_SA after timeout
That's the strongSwan ipsec daemon starting and one Windows 7 client connection (that failed).
I'm following the strongSwan wiki article for setting up Windows 7 clients for machine certificates:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7MultipleConfig
And I've been following this blog for tips on the correct way to generate
the certificates:
http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx
I've tried a ton of different combinations; maybe I've not compiled something to get this working properly.
Here's the ./configure line I used:
./configure --enable-md4 --enable-md5 --enable-eap-mschapv2
--enable-nat-transport --enable-sql --enable-mysql --enable-mediation
--enable-openssl --enable-gcrypt --enable-farp --enable-blowfish
Please help!
--
Anthony Moon
EZProvider Networks, Inc.
http://ezp.net
1.888.397.7853 x203
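The log above shows the responder sending an IKE_SA_INIT response carrying CERTREQ and then deleting the half-open IKE_SA because no IKE_AUTH ever arrived, which is the server-side view of the client's 13806 error. The following script is an added example (not from the post or from strongSwan) that parses charon log lines and flags peers that stall at exactly that point; the sample lines are copied from the log in the post, and the correlation of the timeout line with the most recently initiating peer is an assumption that holds for a single-client log.

```python
import re

# Constructed sample: charon lines taken from the log quoted in the post above.
SAMPLE_LOG = """\
15[NET] received packet: from 64.180.3.28[500] to 66.199.171.245[500]
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 64.180.3.28 is initiating an IKE_SA
15[IKE] remote host is behind NAT
15[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net"
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[NET] sending packet: from 66.199.171.245[500] to 64.180.3.28[500]
16[JOB] deleting half open IKE_SA after timeout
"""

# charon log line: "<thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
INIT_RE = re.compile(r"^(?P<peer>[0-9a-fA-F.:]+) is initiating an IKE_SA$")


def analyse(log_text):
    """Return {peer: state} describing how far each IKEv2 handshake got."""
    peers = {}
    current = None  # assumption: later lines belong to the last peer that initiated
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        init = INIT_RE.match(msg)
        if init:
            current = init.group("peer")
            peers[current] = {"certreq_sent": False, "ike_auth_seen": False, "half_open_timeout": False}
            continue
        if current is None:
            continue
        state = peers[current]
        if "IKE_SA_INIT response" in msg and "CERTREQ" in msg:
            state["certreq_sent"] = True      # we asked the client for a certificate
        elif "IKE_AUTH request" in msg:
            state["ike_auth_seen"] = True     # client did proceed to authentication
        elif "deleting half open IKE_SA after timeout" in msg:
            state["half_open_timeout"] = True
    return peers


def diagnose(state):
    """Map a peer's handshake state to a short diagnosis string."""
    if state["half_open_timeout"] and state["certreq_sent"] and not state["ike_auth_seen"]:
        return "stalled after CERTREQ: client never sent IKE_AUTH (matches Windows error 13806)"
    if state["ike_auth_seen"]:
        return "reached IKE_AUTH"
    return "incomplete"
```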