[strongSwan] Struggling with Windows 7 IkeV2 - Error 13806

Weber, Stefan (IT) s.weber at noerr.com
Mon May 23 17:21:02 CEST 2011

Hello Andreas,

Yes, that is the case. Here is the debug log I got: Maybe it would help if I knew how I could debug the Windows 7 side of the process. Unfortunately I couldn't find any information on where Windows 7 is logging or how I could enable logging there :-(

00[JOB] spawning 16 worker threads
charon (1923) started after 100 ms
07[CFG] received stroke: add connection 'win7'
07[CFG] left nor right host is our side, assuming left=local
07[CFG]   loaded certificate "C=DE, O=MyOrg, OU=Test, CN=strongswan.vpntest.local" from 'vpnserver.crt.pem'
07[CFG] added configuration 'win7'
07[CFG] adding virtual IP address pool 'win7':
loading ca certificates from '/etc/ipsec.d/cacerts'
  loaded ca certificate from '/etc/ipsec.d/cacerts/vpntestrootca.crt.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
loading attribute certificates from '/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0
adding interface lo/lo
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
  loaded private key from 'vpnserver.key.pem'
no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
connection must specify host IP address for our side
12[NET] received packet: from[500] to[500]
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] is initiating an IKE_SA
12[IKE] sending cert request for "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA, E=ca at vpntest.local"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
12[NET] sending packet: from[500] to[500]
13[JOB] deleting half open IKE_SA after timeout 

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Monday, 23 May 2011 16:43
To: Weber, Stefan (IT)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Struggling with Windows 7 IkeV2 - Error 13806

Hello Stefan,

I assume that both the Win 7 client and strongSwan host certificates are signed by the same CA and that you put the Root CA certificate into the /etc/ipsec.d/cacerts directory. Otherwise strongSwan will not include the Root CA in its cert request list and thus the Windows 7 client will not be able to find a matching machine certificate.



BTW - A strongSwan log file would help in debugging the problem
      since all outgoing cert requests are logged.

On 23.05.2011 15:59, Weber, Stefan (IT) wrote:
> Dear all,
> I would like to connect to strongSwan with Windows 7 using IKEV2 and Machine Certificate. I followed the instructions in the strongSwan Wiki but couldn't get it to work. When trying to connect I receive an error 13806 telling me that Windows is not able to find a valid machine certificate.
> What I did so far:
> Imported my Root Certificate to the Computer Trusted Root Authorities.
> Create a certificate for my Windows 7 machine with KeyUsage
> digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth,
> serverAuth SubjectAlternateName set to the
> DNS:win7client.vpntest.local
> Exported the cert+private key as pkcs12 and imported to the Computers
> - Personal Certificate Store. Windows 7 tells me that the certificate
> is valid and trusted by my Root Certificate
> Create a certificate for my strongSwan Host with KeyUsage
> digitalSignature and KeyEncipherment, extendedKeyUsage clientAuth,
> serverAuth SubjectAlternateName set to the DNS:strongswan.vpntest.local
> Set this certificate as leftcert in ipsec.conf. Configured its private
> key in ipsec.secrets.
> DNS name resolution is working of course ;-)
> I also tried with certificates including IKEIntermediate in extendedKeyUsage.
> When starting strongSwan with --debug-all I see IKE sending cert request immediately followed by error 13806 on the Windows Box.
> I hope anybody can help me out or lead me in the right direction.
> Thank you in advance,
> Stefan

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
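
Added example, not part of the original thread and not strongSwan code: a small triage script that reads charon log lines like the ones posted above, lists the CA names the gateway put in its cert request, and checks them against the issuer of the client certificate. The names triage and normalize_dn and the issuer string are assumptions made for this illustration.

```python
import re

# Lines copied from the charon log in the message above.
SAMPLE_LOG = """\
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] is initiating an IKE_SA
12[IKE] sending cert request for "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA, E=ca at vpntest.local"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[JOB] deleting half open IKE_SA after timeout
"""

CERTREQ_RE = re.compile(r'\[IKE\] sending cert request for "([^"]+)"')
IKE_AUTH_RE = re.compile(r'\[ENC\] parsed IKE_AUTH request')
TIMEOUT_RE = re.compile(r'\[JOB\] deleting half open IKE_SA after timeout')


def normalize_dn(dn):
    """Comparable form of a DN string: RDN order kept, case and spacing ignored."""
    rdns = []
    for part in dn.split(","):  # assumption: no escaped commas inside RDN values
        key, _, value = part.partition("=")
        key = key.strip().upper()
        # The log above prints the e-mail RDN as E=, openssl prints emailAddress=.
        key = "E" if key == "EMAILADDRESS" else key
        rdns.append((key, value.strip().lower()))
    return tuple(rdns)


def triage(log_text, client_issuer_dn):
    """Summarise one connection attempt against the client certificate's issuer."""
    requested, auth_seen, timed_out = [], False, False
    for line in log_text.splitlines():
        match = CERTREQ_RE.search(line)
        if match:
            requested.append(match.group(1))
        auth_seen = auth_seen or bool(IKE_AUTH_RE.search(line))
        timed_out = timed_out or bool(TIMEOUT_RE.search(line))
    wanted = normalize_dn(client_issuer_dn)
    return {
        "requested_cas": requested,
        "issuer_requested": any(normalize_dn(dn) == wanted for dn in requested),
        "ike_auth_seen": auth_seen,
        "half_open_timeout": timed_out,
    }


if __name__ == "__main__":
    # Constructed issuer string, written the way openssl would print it.
    issuer = "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA, emailAddress=ca at vpntest.local"
    print(triage(SAMPLE_LOG, issuer))
```

For the log above this reports that the client's issuing CA was requested, that no IKE_AUTH request was parsed, and that the half-open IKE_SA timed out, so the exchange stopped after the gateway's IKE_SA_INIT response.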
