[strongSwan] Struggling with Windows 7 IkeV2 - Error 13806
lars at hjersted.com
Mon May 23 16:42:37 CEST 2011
> I would like to connect to strongSwan with Windows 7 using IKEV2 and Machine Certificate. I followed the instructions in the strongSwan Wiki but couldnt get it to work. When tryining to connect i receive an error 13806 telling me that Windows is not able to find a valid machine certificate.
> What i did so far:
> Imported my Root Certificate to the Computer Trusted Root Authorities.
> Create a certificate for my Windows 7 machine with
> KeyUsage digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth, serverAuth
> SubjectAlternateName set to the DNS:win7client.vpntest.local
> Exported the cert+private key as pkcs12 and imported to the Computers - Personal Cerificate Store. Windows 7 tells me that the certificate is valid and trusted by my Root Certificate
> Create a certificate for my strongSWan Host with
> KeyUsage digitalSignature and KeyEncipherment, extendedKeyusage clientAuth, serverAuth
> SubjetAlterName set to the DNS:strongswan.vpntest.local
> Set this certificate as leftcert in ipsec.conf
> Configured ist private Key in ipsec.secrets.
Your description seems correct, but it appears that the Win7 client is not
accepting the server certificate for some reason. A simple server
certificate that works fine for me with Win7 clients can be created with
the strongSwan PKI tool as follows:
ipsec pki --gen --outform der > serverKey.der
ipsec pki --pub --in serverKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --dn "C=US, O=MyOrganization, CN=server" --san "myvpn.myDynamicDNS.com" --flag serverAuth --outform der > serverCert.der
where caCert.der and caKey.der are your CA certificate file and CA key
file respectively. You might also try the above with CN=220.127.116.11 where
18.104.22.168 is the IP address of the server and then omit the
subjectAlternateName entirely (--san). The CN can be set as the IP
address or the DNS instead of setting a subjectAlternateName.
More information about the Users