[strongSwan] [IKEv2] 13806 Error on windows 7 PN client. No previous solutions solved this issue.
francois.lacombe at infos-reseaux.com
Wed Jan 25 10:51:34 CET 2012
Hello Martin,
Thanks for your answer.
> Windows supports L2TP/IPsec for a long time, but this setup uses IKEv1.
> The new IKEv2 client in Windows 7 does plain IPsec, no L2TP tunneling is
> involved.
Ok, I understand.
I must say that it's my very first practical experience in this side
of networking.
A few years ago I had lessons about VPN and tunnelling but it
wasn't very clear.
So, with IKEv2 I don't need to install and configure xl2tpd with
strongswan, is that right?
> So if you have Windows 7 Clients only, I highly recommend to use IKEv2
> only.
I don't have only Windows 7 clients. I plan to connect Android devices
and OpenWrt routers with IPsec clients.
A friend of mine told me I would be better off using OpenSwan with PSK
IPSEC/L2TP because it's the only native IPsec thing in the Android world.
Honestly, I haven't taken the time yet to look into Android
connectivity; the only W7 connection is a trial.
> You'll need the "Server Authentication" Extended Key usage
> (1.3.6.1.5.5.7.3.1) and the DNS name you configure in your Windows
> connection profile as a subjectAltName in the certificate. See [1] for
> details, [2] may be of help, too. If it doesn't work, you can try to
> temporarily (!) disable extended checks as outlined in [1]. If it still
> doesn't work, double check that your CA is installed correctly.
About this part of the deal, I can say I'm ok.
My certs were installed on the central W7 certification centre without
any error (I can see the hierarchical tree between my CA and my cert
in W7, no problems).
Moreover, I added the four EKUs I mentioned before and of course wrote
the subAltName.
In a nutshell, according to all the web pages I have read over the past week, I
think W7 has all the elements to see my cert and use it to build my
tunnel.
I don't understand why that's not actually what is happening.
Brest regards,
François.
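
Added example, not part of the original message: a shell check for the two certificate properties named in the quoted advice (the "Server Authentication" EKU and the connection's DNS name as a subjectAltName). It assumes the `openssl` command-line tool; `vpn.example.test`, the file names and the self-signed sample certificate are constructed placeholders, and the CA installation mentioned in the advice is not checked.

```shell
#!/bin/sh
# Constructed sample input: a throwaway self-signed certificate with the given
# EKU and SAN (vpn.example.test and the file names are placeholders).
make_sample_cert() {   # usage: make_sample_cert DIR DNSNAME EKU
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
extendedKeyUsage = $3
subjectAltName = DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the value line that follows an extension header in `openssl x509 -text`.
ext_value() {          # usage: ext_value CERT "X509v3 header"
    openssl x509 -in "$1" -noout -text |
        awk -v h="$2" 'index($0, h) { getline; print }'
}

# Return 0 only if CERT has the serverAuth EKU and DNS:NAME in its SAN.
check_ikev2_server_cert() {   # usage: check_ikev2_server_cert CERT NAME
    rc=0
    if ! ext_value "$1" "X509v3 Extended Key Usage" |
            grep -q "TLS Web Server Authentication"; then
        echo "FAIL: no Server Authentication EKU (1.3.6.1.5.5.7.3.1)"; rc=1
    fi
    if ! ext_value "$1" "X509v3 Subject Alternative Name" |
            tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"; then
        echo "FAIL: subjectAltName has no DNS:$2 entry"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 has serverAuth EKU and DNS:$2"
    return "$rc"
}

# Demo on the constructed certificate.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" vpn.example.test serverAuth
check_ikev2_server_cert "$demo_dir/cert.pem" vpn.example.test
rm -rf "$demo_dir"
```

The name passed as the second argument must be the exact host name entered in the Windows connection profile.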