[strongSwan] Struggling with Windows 7 IkeV2 - Error 13806

Andreas Steffen andreas.steffen at strongswan.org
Mon May 23 16:43:29 CEST 2011


Hello Stefan,

I assume that both the Win 7 client and strongSwan host certificates
are signed by the same CA and that you put the Root CA certificate
into the /etc/ipsec.d/cacerts directory. Otherwise strongSwan will
not include the Root CA in its cert request list and thus the
Windows 7 client will not be able to find a matching machine
certificate.

Regards

Andreas

BTW - A strongSwan log file would help in debugging the problem
      since all outgoing cert requests are logged.

On 23.05.2011 15:59, Weber, Stefan (IT) wrote:
> Dear all,
> 
> I would like to connect to strongSwan with Windows 7 using IKEV2 and Machine Certificate. I followed the instructions in the strongSwan Wiki but couldn't get it to work. When trying to connect I receive an error 13806 telling me that Windows is not able to find a valid machine certificate.
> 
> What i did so far:
> 
> Imported my Root Certificate to the Computer Trusted Root Authorities.
> 
> Create a certificate for my Windows 7 machine with
> KeyUsage digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth, serverAuth
> SubjectAlternateName set to the DNS:win7client.vpntest.local
> 
> Exported the cert+private key as pkcs12 and imported to the Computers - Personal Certificate Store. Windows 7 tells me that the certificate is valid and trusted by my Root Certificate
> 
> Create a certificate for my strongSwan Host with
> KeyUsage digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth, serverAuth
> SubjectAlternateName set to the DNS:strongswan.vpntest.local
> 
> Set this certificate as leftcert in ipsec.conf
> Configured its private key in ipsec.secrets.
> 
> DNS name resolution is working of course ;-)
> 
> I also tried with certificates including IKEIntermediate in extendedKeyUsage.
> 
> When starting strongSwan with --debug-all I see IKE sending cert request immediately followed by error 13806 on the Windows Box.
> 
> I hope anybody can help me out or lead me in the right direction.
> 
> Thank you in advance,
> 
> Stefan
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
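
One way to test the assumption in the reply above before reading logs, as an added example that is not part of the original message or of strongSwan: check that the gateway and client certificates were both issued by a CA file present in the cacerts directory. The function names are hypothetical, and the script assumes the openssl CLI, PEM-encoded files, and certificates issued directly by the root CA.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes PEM files and the openssl CLI.

# issuing_ca CACERT_DIR CERT
# Print the file in CACERT_DIR whose CA certificate verifies CERT.
# Returns 1 when no file in the directory verifies it.
issuing_ca() {
    dir=$1
    cert=$2
    for ca in "$dir"/*; do
        [ -f "$ca" ] || continue
        # Non-PEM or non-certificate files simply fail to verify and are skipped.
        if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# check_same_ca CACERT_DIR GATEWAY_CERT CLIENT_CERT
# 0: both certificates were issued by the same CA found in CACERT_DIR
# 1: the gateway certificate's CA is not in CACERT_DIR
# 2: the client certificate's CA is not in CACERT_DIR, so the gateway's
#    cert request cannot name it (the situation described in the reply)
# 3: both issuers are present but differ, unlike the setup the reply assumes
check_same_ca() {
    gw_ca=$(issuing_ca "$1" "$2") ||
        { echo "gateway cert: issuer not found in $1" >&2; return 1; }
    cl_ca=$(issuing_ca "$1" "$3") ||
        { echo "client cert: issuer not found in $1" >&2; return 2; }
    [ "$gw_ca" = "$cl_ca" ] ||
        { echo "different issuers: $gw_ca vs $cl_ca" >&2; return 3; }
    echo "both certificates issued by $gw_ca"
}
```

Run it as `check_same_ca /etc/ipsec.d/cacerts GATEWAY.pem CLIENT.pem` with your own certificate files; the client file is the public certificate exported from the Windows machine.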
