[strongSwan] Can't get IKEV2 machine certificates working for authentication (Windows 7 - Error 13806)
Andreas Steffen
andreas.steffen at strongswan.org
Tue Oct 26 23:18:10 CEST 2010
Hello Anthony,
it looks as if the gateway certificate vpnCert.pem and the
CA certificate ca.pem are identical:
loaded ca certificate
"C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net"
from '/usr/local/etc/ipsec.d/cacerts/ca.pem'
loaded certificate
"C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net"
from 'vpnCert.pem'
This cannot possibly be because the Win7 certificate must also
be issued by the CA certificate. Did you set up a certificate
hierarchy where a self-signed CA certificate issued and signed
both the strongSwan and Win7 certificate?
Regards
Andreas
On 26.10.2010 21:20, Anthony Moon wrote:
> The Windows 7 error is “Error 13806: IKE failed to find valid machine
> certificate”
>
> Logs below:
>
> [root at tony1 myCA]# ipsec start --nofork --debug-all
> Starting strongSwan 4.4.1 IPsec [starter]...
> | Default route found: iface=eth0, addr=66.199.171.245, nexthop=66.199.171.1
> | Loading config setup
> | plutostart=no
> | Loading conn %default
> | keyexchange=ikev2
> | ike=aes256-sha1-modp1024!
> | esp=aes256-sha1!
> | dpdaction=clear
> | dpddelay=300s
> | rekey=no
> | Loading conn 'win7'
> | left=%defaultroute
> | leftcert=vpnCert.pem
> | leftsubnet=0.0.0.0/24
> | leftid=@tony1.ezp.net
> | right=%any
> | rightsourceip=10.10.0.0/24
> | keyexchange=ikev2
> | auto=add
> | Found netkey IPsec stack
> | Attempting to start charon...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.1)
> 00[CFG] attr-sql plugin: database URI not set
> 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] 66.199.171.245
> 00[KNL] 192.168.100.181
> 00[KNL] fe80::216:3eff:fe05:aa90
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from '/usr/local/etc/ipsec.d/cacerts/ca.pem'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/aKey.pem'
> 00[CFG] sql plugin: database URI not set
> 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
> 00[DMN] loaded plugins: aes des blowfish sha1 sha2 md4 md5 random x509 revocation pubkey pkcs1 pgp dnskey pem mysql openssl gcrypt fips-prf xcbc hmac gmp attr resolve kernel-netlink socket-raw farp stroke updown eap-mschapv2
> 00[JOB] spawning 16 worker threads
> charon (4770) started after 40 ms
> 14[CFG] received stroke: add connection 'win7'
> 14[CFG] loaded certificate "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net" from 'vpnCert.pem'
> 14[CFG] added configuration 'win7'
> 14[CFG] adding virtual IP address pool 'win7': 10.10.0.0/24
> 15[NET] received packet: from 64.180.3.28[500] to 66.199.171.245[500]
> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 15[IKE] 64.180.3.28 is initiating an IKE_SA
> 15[IKE] remote host is behind NAT
> 15[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=EZP, CN=tony1.ezp.net"
> 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 15[NET] sending packet: from 66.199.171.245[500] to 64.180.3.28[500]
> 16[JOB] deleting half open IKE_SA after timeout
>
> That’s the strongSwan ipsec daemon starting and one Windows 7 client
> connection (that failed).
>
> I’m following the strongSwan wiki article for setting up Windows 7
> clients for machine certificates:
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7MultipleConfig
>
> And I’ve been following this blog for tips on the correct way to
> generate the certificates:
> http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx
>
> I’ve tried a ton of different combinations; maybe I’ve not compiled
> something to get this working properly.
>
> Here’s the ./configure line I used:
>
> ./configure --enable-md4 --enable-md5 --enable-eap-mschapv2
> --enable-nat-transport --enable-sql --enable-mysql --enable-mediation
> --enable-openssl --enable-gcrypt --enable-farp --enable-blowfish
>
> Please help!
>
> Anthony Moon
> EZProvider Networks, Inc.
> http://ezp.net
> 1.888.397.7853 x203
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
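Added example, not part of this thread and not strongSwan's own tooling: an OpenSSL shell script that builds the hierarchy Andreas describes (one self-signed CA that issues a separate gateway certificate and a separate Windows 7 client certificate) and a check that would have flagged the situation in the log, where ca.pem and vpnCert.pem turn out to be the same certificate. The subject DN, the hostname tony1.ezp.net and the file names ca.pem, vpnCert.pem and aKey.pem are taken from the log; the CA name "EZP Root CA", the client name "win7-client", the openssl.cnf layout and the check function names are assumptions. The gateway certificate is also given a subjectAltName of DNS:tony1.ezp.net and the serverAuth extended key usage, which strongSwan's Windows 7 setup guidance requires but which this thread does not itself mention.

```shell
#!/bin/sh
# Added example (not from the thread): issue CA -> gateway/client certificates
# with openssl, then check that the gateway cert is really issued by the CA
# instead of being a copy of it, as the log above shows.
set -eu

# Subject base and hostname taken from the log; other names are hypothetical.
DN_BASE="/C=CA/ST=BC/L=Vancouver/O=EZP"
GW_FQDN="tony1.ezp.net"

# Minimal openssl config with one extension section per certificate role.
write_openssl_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_gw ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$GW_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Issue one end-entity cert signed by ca.pem: dir key-file cert-file CN ext-section
issue_cert() {
  openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
    -subj "$DN_BASE/CN=$4" -keyout "$1/$2" -out "$1/req.csr" 2>/dev/null
  openssl x509 -req -in "$1/req.csr" -CA "$1/ca.pem" -CAkey "$1/caKey.pem" \
    -CAcreateserial -days 730 -extfile "$1/openssl.cnf" -extensions "$5" \
    -out "$1/$3" 2>/dev/null
}

# Build ca.pem, vpnCert.pem/aKey.pem (gateway) and clientCert.pem in $1.
build_hierarchy() {
  mkdir -p "$1"
  write_openssl_cnf "$1/openssl.cnf"
  # The CA is the only self-signed certificate in the hierarchy.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -config "$1/openssl.cnf" -extensions v3_ca -subj "$DN_BASE/CN=EZP Root CA" \
    -keyout "$1/caKey.pem" -out "$1/ca.pem" 2>/dev/null
  issue_cert "$1" aKey.pem vpnCert.pem "$GW_FQDN" v3_gw
  issue_cert "$1" clientKey.pem clientCert.pem win7-client v3_client
}

cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# True when both files hold the same certificate (what the log shows).
same_cert() { [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; }

# True when subject == issuer, i.e. nobody else issued this certificate.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")
  iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1")
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True when certificate $2 chains to the CA file $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True when the certificate carries DNS:$2 in its subjectAltName.
has_san_dns() { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }

# The check the log's setup fails: ca.pem and vpnCert.pem must differ and the
# gateway cert must be issued by (chain to) the CA.
check_gateway_cert() {
  if same_cert "$1" "$2"; then
    echo "FAIL: $2 is the CA certificate itself"; return 1
  elif is_self_signed "$2"; then
    echo "FAIL: $2 is self-signed, not issued by $1"; return 1
  elif ! chain_ok "$1" "$2"; then
    echo "FAIL: $2 does not chain to $1"; return 1
  fi
  echo "OK: $2 is issued by $1"
}

# Demo: build the hierarchy in a scratch directory, then reproduce the
# misconfiguration from the log (vpnCert.pem being a copy of ca.pem).
WORK=$(mktemp -d)
build_hierarchy "$WORK"
check_gateway_cert "$WORK/ca.pem" "$WORK/vpnCert.pem"
cp "$WORK/ca.pem" "$WORK/copyOfCa.pem"
check_gateway_cert "$WORK/ca.pem" "$WORK/copyOfCa.pem" || true
rm -rf "$WORK"
```

With this layout ca.pem goes to ipsec.d/cacerts, vpnCert.pem to ipsec.d/certs with aKey.pem in ipsec.d/private (matching the paths in the log), and the Windows 7 machine gets ca.pem in its Trusted Root store plus clientCert.pem and clientKey.pem, bundled with openssl pkcs12, in the computer's Personal store. One caveat for that last step: OpenSSL 3's default PKCS#12 encryption is not readable by Windows 7, so the export needs the -legacy option there.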