[strongSwan] Struggling with Windows 7 IkeV2 - Error 13806

Lars Hjersted lars at hjersted.com
Mon May 23 16:42:37 CEST 2011


> I would like to connect to strongSwan with Windows 7 using IKEv2 and a Machine Certificate. I followed the instructions in the strongSwan Wiki but couldn't get it to work. When trying to connect I receive an error 13806 telling me that Windows is not able to find a valid machine certificate.
>
> What i did so far:
>
> Imported my Root Certificate to the Computer Trusted Root Authorities.
>
> Created a certificate for my Windows 7 machine with
> KeyUsage digitalSignature and keyEncipherment, ExtendedKeyUsage clientAuth, serverAuth
> SubjectAlternateName set to the DNS:win7client.vpntest.local
>
> Exported the cert+private key as PKCS#12 and imported it into the Computer's Personal Certificate Store. Windows 7 tells me that the certificate is valid and trusted by my Root Certificate.
>
> Created a certificate for my strongSwan host with
> KeyUsage digitalSignature and keyEncipherment, ExtendedKeyUsage clientAuth, serverAuth
> SubjectAlternateName set to DNS:strongswan.vpntest.local
>
> Set this certificate as leftcert in ipsec.conf.
> Configured its private key in ipsec.secrets.
>

Your description seems correct, but it appears that the Win7 client is not 
accepting the server certificate for some reason. A simple server 
certificate that works fine for me with Win7 clients can be created with 
the strongSwan PKI tool as follows:

ipsec pki --gen --outform der > serverKey.der

ipsec pki --pub --in serverKey.der | ipsec pki --issue \
    --cacert caCert.der --cakey caKey.der \
    --dn "C=US, O=MyOrganization, CN=server" \
    --san "myvpn.myDynamicDNS.com" --flag serverAuth \
    --outform der > serverCert.der

where caCert.der and caKey.der are your CA certificate file and CA key 
file respectively. You might also try the above with CN=1.2.3.4 where 
1.2.3.4 is the IP address of the server and then omit the 
subjectAlternateName entirely (--san).  The CN can be set as the IP 
address or the DNS instead of setting a subjectAlternateName.

-Lars
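As an added example (not part of Lars's mail or of the strongSwan project), the same kind of server certificate built with OpenSSL standing in for `ipsec pki`, followed by the check a practitioner would want before pointing a Windows 7 client at it: the certificate must carry the serverAuth EKU and the name the client dials, either as a DNS/IP subjectAltName or, as the reply suggests, as the CN when no SAN is set. The CA, the gateway name `myvpn.myDynamicDNS.com`, the file names and the function names are all made up for the example; the second certificate is deliberately issued without `serverAuth` to show what the check rejects.

```shell
#!/bin/sh
# Added example, not from Lars's mail or the strongSwan project: build a
# CA-signed IKEv2 server certificate with OpenSSL (standing in for
# `ipsec pki`) and check the two things a Windows 7 IKEv2 client looks for:
# the serverAuth EKU, and the gateway name or IP in the SAN (or, as the
# reply suggests, in the CN when no SAN is set). All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VPN_NAME="myvpn.myDynamicDNS.com"   # hypothetical name the client dials

# A throwaway CA, playing the role of caCert.der / caKey.der in the reply.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" \
    -subj "/C=US/O=MyOrganization/CN=MyCA" 2>/dev/null
}

# issue_server_cert <out.pem> <CN> <SAN or ""> <EKU or "">
# Mirrors `ipsec pki --issue --dn ... --san ... --flag serverAuth`; an
# empty SAN or EKU simply omits that extension (the failure cases).
issue_server_cert() {
  out=$1; cn=$2; san=$3; eku=$4
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/serverKey.pem" -out "$WORK/server.csr" \
    -subj "/C=US/O=MyOrganization/CN=$cn" 2>/dev/null
  ext="$WORK/ext.cnf"
  printf 'keyUsage = digitalSignature, keyEncipherment\n' > "$ext"
  if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san" >> "$ext"; fi
  if [ -n "$eku" ]; then printf 'extendedKeyUsage = %s\n' "$eku" >> "$ext"; fi
  openssl x509 -req -in "$WORK/server.csr" -days 365 \
    -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
    -extfile "$ext" -out "$out" 2>/dev/null
}

# check_server_cert <cert.pem> <name>: succeed only if the certificate has
# the serverAuth EKU and carries <name> as a DNS/IP SAN or, failing that,
# as its subject CN.
check_server_cert() {
  cert=$1; name=$2
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication' || return 1
  if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
       | grep -Eq "(DNS|IP Address):$name(,|\$)"; then
    return 0
  fi
  openssl x509 -in "$cert" -noout -subject \
    | grep -Eq "CN ?= ?$name(,|/|\$)"
}

make_ca
issue_server_cert "$WORK/serverCert.pem" server "DNS:$VPN_NAME" serverAuth
issue_server_cert "$WORK/noEku.pem"      server "DNS:$VPN_NAME" ""

for c in serverCert.pem noEku.pem; do
  if check_server_cert "$WORK/$c" "$VPN_NAME"; then
    echo "$c: serverAuth EKU and $VPN_NAME present, acceptable to a Win7 client"
  else
    echo "$c: missing serverAuth EKU or name $VPN_NAME, Win7 will reject it"
  fi
done
```

To run the check against the DER file that `ipsec pki` writes, convert it first with `openssl x509 -inform der -in serverCert.der -out serverCert.pem` and pass the PEM file together with the exact hostname or IP configured on the Windows side; a name that differs from what the client dials is as much of a failure as a missing EKU.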
