[strongSwan] [IKEv2] 13806 Error on windows 7 PN client. No previous solutions solved this issue.
francois.lacombe at infos-reseaux.com
Tue Jan 24 20:07:55 CET 2012
I'm currently trying to connect with a VPN some of my computers running
windows 7 to a server-based LAN made to host some websites.
Strongswan (installed on a Linux Debian machine) is used as an IKEv2
IPsec/L2TP server and I didn't manage so far to create good certificates
which are compliant with the windows 7 validation rules.
In practice, the problem appears under the "Error 13806" label.
Even if we can find many testimonials about this error, I can't
find where mine is located, which is emphasizing the
I'll try to best describe my configuration and the path which led me
to the actual situation:
First of all, I've created a self-signed ROOT CA (private key +
certificate) with openssl and I put the CA cert both in the directory
/etc/ipsec.d/cacerts and in my windows client computer's certificate
store (without any errors, both CA and cert are OK).
I've built a whole PKI including a private RSA 4096 key and a .pem
certificate with those considerations, using the previous ROOT CA
to sign it:
By adding these EKUs, I thought I'd be compliant with W7 validation rules.
Server Authentication (1.3.6.1.5.5.7.3.1)
Intermediate IKE IP Security (1.3.6.1.5.5.8.2.2)
End-chain IP security (1.3.6.1.5.5.7.3.5)
IP Security user (1.3.6.1.5.5.7.3.7)
According to a link I found on the strongSwan wiki, I've added those
key usages: Digital Signature and Key Encipherment.
The subjectAltName is set to DNS:my.fqdn.dns.name too.
Despite this, my openssl certificate refuses to be selected in a relevant
way by the W7 VPN client.
A previously posted mail on the list indicates some ipsec ike commands to
produce certificates in another way:
But it is still without success.
Here is my /etc/ipsec.conf file:
# ipsec.conf - strongSwan IPsec configuration file
And my charon logs (startup + connection try):
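As an added example (not from this mail, nor from the strongSwan project), here is one way to produce with openssl a server certificate that carries exactly the key usages, the four EKUs and the DNS subjectAltName listed above, and then to check that the DER file handed to leftcert really contains them. It assumes openssl on the PATH; the FQDN, subject names and the $WORK directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: self-signed root CA + server cert with the extensions the
# mail lists, then a check on the resulting DER file. All names/paths below
# are placeholders (constructed), not the mail's real PKI.
set -eu
FQDN="${FQDN:-my.fqdn.dns.name}"
WORK="${WORK:-$(mktemp -d)}"

write_ext_profile() {   # x509v3 extensions for the server certificate
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# serverAuth, IKE intermediate, IPsec end system, IPsec user
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2, 1.3.6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.7
subjectAltName = DNS:$FQDN
EOF
}

build_pki() {
  write_ext_profile
  # self-signed root CA (2048-bit keeps the example quick; the mail used 4096)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=FR/O=Example/CN=Example Root CA" \
    -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null
  # server key + CSR, then sign the CSR with the CA and the profile above
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=FR/O=Example/CN=$FQDN" \
    -keyout "$WORK/serverKey.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/caCert.pem" \
    -CAkey "$WORK/caKey.pem" -CAcreateserial -days 825 -sha256 \
    -extfile "$WORK/server.ext" -out "$WORK/serverCert.pem" 2>/dev/null
  # leftcert in the mail points at a .der file, so emit DER as well
  openssl x509 -in "$WORK/serverCert.pem" -outform DER -out "$WORK/serverCert.der"
}

# $1 = DER file, $2 = hex of a DER-encoded OID (tag 06, length, OID bytes)
has_der_oid() { od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$2"; }

# 0 if the DER cert has the key usages, serverAuth + IKE intermediate EKUs
# and the SAN, and chains to the CA; otherwise prints what is missing
check_server_cert() {
  der="$WORK/serverCert.der"
  txt=$(openssl x509 -in "$der" -inform DER -noout -text)
  case "$txt" in *"Digital Signature, Key Encipherment"*) ;;
    *) echo "missing keyUsage"; return 1 ;; esac
  case "$txt" in *"DNS:$FQDN"*) ;; *) echo "missing SAN"; return 1 ;; esac
  has_der_oid "$der" 06082b06010505070301 || { echo "missing serverAuth"; return 1; }
  has_der_oid "$der" 06082b06010505080202 || { echo "missing ikeIntermediate"; return 1; }
  openssl verify -CAfile "$WORK/caCert.pem" "$WORK/serverCert.pem" >/dev/null
}

build_pki && check_server_cert && echo "serverCert.der: extensions OK"
```

The EKU check is done on the raw DER bytes rather than on the `-text` output, because OpenSSL prints the IKE intermediate OID differently across versions while its DER encoding never changes.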
Jan 24 00:35:07 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jan 24 00:35:07 00[KNL] listening on interfaces:
Jan 24 00:35:07 00[KNL] eth0
Jan 24 00:35:07 00[KNL] IP
Jan 24 00:35:07 00[KNL] IP6
Jan 24 00:35:07 00[KNL] eth1
Jan 24 00:35:07 00[KNL] LAN_IP
Jan 24 00:35:07 00[KNL] LAN_IP6
Jan 24 00:35:07 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 24 00:35:07 00[CFG] loaded ca certificate "C=FR, ST=IDF, L=Paris,
O=STC Systems, OU=DSI, CN=STC Systems" from '/etc/ipsec.d/cacerts/CA.pem'
Jan 24 00:35:07 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 24 00:35:07 00[CFG] loading ocsp signer certificates from
Jan 24 00:35:07 00[CFG] loading attribute certificates from
Jan 24 00:35:07 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 24 00:35:07 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 24 00:35:07 00[CFG] loaded RSA private key from
Jan 24 00:35:07 00[CFG] loaded EAP secret for user
Jan 24 00:35:07 00[CFG] sql plugin: database URI not set
Jan 24 00:35:07 00[LIB] plugin 'sql': failed to load - sql_plugin_create
Jan 24 00:35:07 00[CFG] loaded 0 RADIUS server configurations
Jan 24 00:35:07 00[LIB] plugin 'medsrv' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared
object file: No such file or directory
Jan 24 00:35:07 00[CFG] mediation client database URI not defined, skipped
Jan 24 00:35:07 00[LIB] plugin 'medcli': failed to load -
medcli_plugin_create returned NULL
Jan 24 00:35:07 00[LIB] plugin 'nm' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object
file: No such file or directory
Jan 24 00:35:07 00[CFG] HA config misses local/remote address
Jan 24 00:35:07 00[LIB] plugin 'ha': failed to load - ha_plugin_create
Jan 24 00:35:07 00[DMN] loaded plugins: test-vectors curl ldap aes des
sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem
openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr
kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Jan 24 00:35:07 00[JOB] spawning 16 worker threads
Jan 24 00:35:07 04[CFG] received stroke: add connection 'L2TP-PSK-NAT'
Jan 24 00:35:07 04[CFG] left nor right host is our side, assuming left=local
Jan 24 00:35:07 04[CFG] loaded certificate "C=FR, O=STC Systems,
CN=my.fqdn.dns.name" from '/home/lacombef/stcCA/SS/serverCert.der'
Jan 24 00:35:07 04[CFG] added configuration 'L2TP-PSK-NAT'
Jan 24 00:35:07 04[CFG] adding virtual IP address pool 'L2TP-PSK-NAT':
Jan 24 00:35:07 09[CFG] received stroke: add connection 'win7'
Jan 24 00:35:07 09[CFG] left nor right host is our side, assuming left=local
Jan 24 00:35:07 09[CFG] loaded certificate "C=FR, O=STC Systems,
CN=my.fqdn.dns.name" from '/path/to/my/certificate/authority/serverCert.der'
Jan 24 00:35:07 09[CFG] added configuration 'win7'
Jan 24 00:35:07 09[CFG] adding virtual IP address pool 'win7':
Jan 24 00:40:15 12[NET] received packet: from client_IP to IP
Jan 24 00:40:15 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
Jan 24 00:40:15 12[IKE] client_IP is initiating an IKE_SA
Jan 24 00:40:15 12[IKE] remote host is behind NAT
Jan 24 00:40:15 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jan 24 00:40:15 12[NET] sending packet: from IP to client_IP
Jan 24 00:40:45 13[JOB] deleting half open IKE_SA after timeout
Can someone help to solve this issue and stop this 13806 error popping up on
Thanks a lot in advance.