[strongSwan] [IKEv2] 13806 Error on windows 7 VPN client. No previous solutions solved this issue.

François Lacombe francois.lacombe at infos-reseaux.com
Tue Jan 24 20:07:55 CET 2012


Dear all,

I'm currently trying to connect some of my computers running 
Windows 7 over a VPN to a server-based LAN made to host some websites.
strongSwan (installed on a Linux Debian machine) is used as an IKEv2 
IPsec/L2TP server, and I haven't managed so far to create good certificates 
which comply with the Windows 7 validation rules.

In practice, the problem appears under the "Error 13806" label.
Even if we can find many testimonials about this error, I can't 
find where mine is located, which is emphasizing the 
feeling of misunderstanding.

I'll try to best describe my configuration and the path which led me 
to the actual situation:

First of all, I've created a self-signed ROOT CA (private key + 
certificate) with openssl and I put the CA cert both in the directory 
/etc/ipsec.d/cacerts and in my Windows client computer's certificate 
store (without any errors, both CA and cert are OK).

I've built a whole PKI including a private RSA 4096 key and a .pem 
certificate with those considerations, using the previous ROOT CA 
to sign it:
By adding these EKUs, I thought I'd be compliant with W7 validation rules.
Server Authentication (1.6.6.1.5.5.7.3.1)
Intermediate IKE IP Security (1.3.6.1.5.5.8.2.2)
End-chain IP security (1.3.6.1.5.5.7.3.5)
IP Security user (1.3.6.1.5.5.7.3.7)

According to a link I found on the strongSwan wiki, I've added those 
key usages: Digital Signature and Key Encipherment.
The subjectAltName is set to DNS:my.fqdn.dns.name too.

Despite this, my openssl certificate refuses to be selected in a relevant 
way by the W7 VPN client.

A mail previously posted on the list indicates some ipsec ike commands to 
produce certificates in another way: 
https://lists.strongswan.org/pipermail/users/2011-May/006214.html
But it is still without success.

Here is my /etc/ipsec.conf file:
# ipsec.conf - strongSwan IPsec configuration file

config setup
         plutostart=no
         charonstart=yes
         nat_traversal=yes

conn L2TP-PSK-NAT
         rightsubnet=vhost:%priv
         also=win7

conn %default
         keyexchange=ikev2
         ike=aes256-sha1-modp1024!
         esp=aes256-sha1!
         dpdaction=clear
         dpddelay=300s
         rekey=no

conn win7
         left=%any
         leftsubnet=10.100.100.0/24
         leftauth=pubkey
         leftcert=/path/to/my/certificateAuthority/serverCert.der
         leftid=@my.fqdn.dns.name
         leftfirewall=yes
         leftprotoport=17/1701
         right=%any
         rightsourceip=10.100.200.0/24
         rightauth=eap-mschapv2
         rightsendcert=never
         rightprotoport=17/1701
         eap_identity=%any
         auto=add
         pfs=no

And my charon logs (startup + connection attempt):
Jan 24 00:35:07 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jan 24 00:35:07 00[KNL] listening on interfaces:
Jan 24 00:35:07 00[KNL]   eth0
Jan 24 00:35:07 00[KNL]     IP
Jan 24 00:35:07 00[KNL]     IP6
Jan 24 00:35:07 00[KNL]   eth1
Jan 24 00:35:07 00[KNL]     LAN_IP
Jan 24 00:35:07 00[KNL]     LAN_IP6
Jan 24 00:35:07 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 24 00:35:07 00[CFG]   loaded ca certificate "C=FR, ST=IDF, L=Paris, 
O=STC Systems, OU=DSI, CN=STC Systems" from '/etc/ipsec.d/cacerts/CA.pem'
Jan 24 00:35:07 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 24 00:35:07 00[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
Jan 24 00:35:07 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Jan 24 00:35:07 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 24 00:35:07 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 24 00:35:07 00[CFG]   loaded RSA private key from 
'/path/to/my/certificate/authority/serverKey.der'
Jan 24 00:35:07 00[CFG]   loaded EAP secret for user
Jan 24 00:35:07 00[CFG] sql plugin: database URI not set
Jan 24 00:35:07 00[LIB] plugin 'sql': failed to load - sql_plugin_create 
returned NULL
Jan 24 00:35:07 00[CFG] loaded 0 RADIUS server configurations
Jan 24 00:35:07 00[LIB] plugin 'medsrv' failed to load: 
/usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared 
object file: No such file or directory
Jan 24 00:35:07 00[CFG] mediation client database URI not defined, skipped
Jan 24 00:35:07 00[LIB] plugin 'medcli': failed to load - 
medcli_plugin_create returned NULL
Jan 24 00:35:07 00[LIB] plugin 'nm' failed to load: 
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object 
file: No such file or directory
Jan 24 00:35:07 00[CFG] HA config misses local/remote address
Jan 24 00:35:07 00[LIB] plugin 'ha': failed to load - ha_plugin_create 
returned NULL
Jan 24 00:35:07 00[DMN] loaded plugins: test-vectors curl ldap aes des 
sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem 
openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr 
kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 
eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Jan 24 00:35:07 00[JOB] spawning 16 worker threads
Jan 24 00:35:07 04[CFG] received stroke: add connection 'L2TP-PSK-NAT'
Jan 24 00:35:07 04[CFG] left nor right host is our side, assuming left=local
Jan 24 00:35:07 04[CFG]   loaded certificate "C=FR, O=STC Systems, 
CN=my.fqdn.dns.name" from '/home/lacombef/stcCA/SS/serverCert.der'
Jan 24 00:35:07 04[CFG] added configuration 'L2TP-PSK-NAT'
Jan 24 00:35:07 04[CFG] adding virtual IP address pool 'L2TP-PSK-NAT': 
10.100.200.0/32
Jan 24 00:35:07 09[CFG] received stroke: add connection 'win7'
Jan 24 00:35:07 09[CFG] left nor right host is our side, assuming left=local
Jan 24 00:35:07 09[CFG]   loaded certificate "C=FR, O=STC Systems, 
CN=my.fqdn.dns.name" from '/path/to/my/certificate/authority/serverCert.der'
Jan 24 00:35:07 09[CFG] added configuration 'win7'
Jan 24 00:35:07 09[CFG] adding virtual IP address pool 'win7': 
10.100.200.0/24

Jan 24 00:40:15 12[NET] received packet: from client_IP[500] to IP[500]
Jan 24 00:40:15 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Jan 24 00:40:15 12[IKE] client_IP is initiating an IKE_SA
Jan 24 00:40:15 12[IKE] remote host is behind NAT
Jan 24 00:40:15 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jan 24 00:40:15 12[NET] sending packet: from IP[500] to client_IP[500]
Jan 24 00:40:45 13[JOB] deleting half open IKE_SA after timeout

Can someone help to solve this issue and stop this 13806 error popping up on 
my screen?

Thanks a lot in advance.


François
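Added example, not part of François's post and not strongSwan's or openssl's own tooling: a POSIX shell script that builds a self-signed root CA and a server certificate carrying the extensions the post lists (the serverAuth EKU, whose registered OID is 1.3.6.1.5.5.7.3.1; the Microsoft "IP security IKE intermediate" OID 1.3.6.1.5.5.8.2.2; ipsecEndSystem 1.3.6.1.5.5.7.3.5; ipsecUser 1.3.6.1.5.5.7.3.7; keyUsage digitalSignature and keyEncipherment; and a subjectAltName DNS entry matching the name the client connects to), then runs a check function over the result. The same CSR is also signed with no extensions at all to show the check flagging what is missing. The FQDN my.fqdn.dns.name and the subject names are placeholders taken from the post, the working directory is a temp dir, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan): build a
# self-signed root CA plus a server certificate with the extensions the
# post lists, then check a certificate for those properties and its chain.
# Assumes the openssl CLI is installed. All names below are placeholders.
set -e

SERVER_FQDN="${SERVER_FQDN:-my.fqdn.dns.name}"   # placeholder FQDN from the post
WORK="${WORK:-$(mktemp -d)}"

# Extension profile: a CA section for the root and a server section that
# carries the EKUs, key usages and SAN the post describes.
write_ext_profile() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ikev2_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# serverAuth is 1.3.6.1.5.5.7.3.1; 1.3.6.1.5.5.8.2.2 is the Microsoft IKE intermediate OID
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2, ipsecEndSystem, ipsecUser
subjectAltName = DNS:$SERVER_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create CA, server key/CSR, a profiled server cert and a bare one in "$1".
build_pki() {
    dir="$1"
    write_ext_profile "$dir/ext.cnf"
    # Self-signed root CA (the post's "CA ROOT").
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=FR/O=Example Org/CN=Example Root CA" \
        -config "$dir/ext.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server key and CSR; the SAN and EKUs are attached at signing time.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FR/O=Example Org/CN=$SERVER_FQDN" \
        -config "$dir/ext.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Sign with the IKEv2 server profile.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 730 -sha256 \
        -extfile "$dir/ext.cnf" -extensions v3_ikev2_server \
        -out "$dir/server.pem" 2>/dev/null
    # Same CSR signed with no extensions: lacks every property the post lists.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 730 -sha256 -out "$dir/bare.pem" 2>/dev/null
}

# Check one certificate for the listed properties and verify its chain
# against the CA. Prints each missing item; returns 0 only if all pass.
check_ikev2_server_cert() {
    cert="$1"; fqdn="$2"; ca="$3"; missing=0
    text=$(openssl x509 -in "$cert" -noout -text)
    for want in "TLS Web Server Authentication" "Digital Signature" \
                "Key Encipherment" "DNS:$fqdn"; do
        if ! printf '%s\n' "$text" | grep -qF "$want"; then
            echo "$cert: missing '$want'"; missing=$((missing + 1))
        fi
    done
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: chain does not verify against $ca"; missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

build_pki "$WORK"
echo "== profiled certificate ($WORK/server.pem)"
if check_ikev2_server_cert "$WORK/server.pem" "$SERVER_FQDN" "$WORK/ca.pem"; then
    echo "all listed properties present"
fi
echo "== bare certificate ($WORK/bare.pem)"
if ! check_ikev2_server_cert "$WORK/bare.pem" "$SERVER_FQDN" "$WORK/ca.pem"; then
    echo "rejected, as expected"
fi
```

The check only covers the certificate's contents: whether the SAN, the EKUs and the key usages are there and whether the chain builds to the CA. It says nothing about the other prerequisites the post mentions, such as the CA certificate being present in the client's store, and the DNS name in the SAN has to be the exact name the client dials. For strongSwan, the leftcert value should point at the profiled server certificate and leftid at the same FQDN.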
