[strongSwan] Windows 7 IKEv2 Error 13806

Andreas Steffen andreas.steffen at strongswan.org
Thu May 17 10:45:46 CEST 2012


Hello Todd,

did you pack the Windows 7 private key and matching X.509 certificate
together with the Root CA certificate into a PKCS#12 file (*.p12) and
import this file into the Local Computer part of the Windows registry
via the mmc? Does clicking on the imported Windows 7 certificate tell
you that it has a matching private key?

Regards

Andreas

On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
> Dear all,
>
> I would like to connect to strongSwan with Windows 7 using IKEv2 and Machine Certificate.
> I followed the instructions in the strongSwan Wiki but couldn't get it to work.
> When trying to connect I receive an error 13806 telling me that Windows is not able to find a valid machine certificate.
>
> What I did so far:
>
> - Created Root certificate, strongSwan certificate/private key, and Windows 7 certificate/private key using OpenSSL.
> - Imported the Windows 7 certificate and root Certificate to personal store and Computer Trusted Root Authorities (Local computer) respectively.
>     Windows 7 indicates the certificate is valid and can be traced to the installed root certificate
> - Strongswan certificates:
>    Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
>    X509v3 extensions:
>              X509v3 Key Usage:
>                  Digital Signature, Key Encipherment
>              X509v3 Extended Key Usage:
>                  1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>              X509v3 Basic Constraints:
>                  CA:FALSE
>              X509v3 CRL Distribution Points:
>                  URI:http://192.168.5.204/ca.crl
>
> - Windows 7 certificate:
>    Subject: C=US, ST=CA, O=mycompany, CN=win71
>    X509v3 extensions:
>              X509v3 Key Usage:
>                  Digital Signature, Key Encipherment
>              X509v3 Extended Key Usage:
>                  1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>              X509v3 Subject Alternative Name:
>                  DNS:rras1.mycompany.com
>              X509v3 Basic Constraints:
>                  CA:FALSE
>              X509v3 CRL Distribution Points:
>                  URI:http://192.168.5.204/ca.crl
>
> Strongswan is running okay. "ipsec listcerts" indicates that the private key and the certificate are both loaded correctly.
>
> Strongswan log:
> May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to 192.168.5.63[500]
> May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
> May 17 15:10:19 14[IKE] remote host is behind NAT
> May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA"
> May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to 192.168.5.204[52720]
>
> Windows 7 is giving the Error 13806 message.
>
> I even disabled the EKU checks according to http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq and rebooted the Windows 7 machine, still the 13806 error message.
>
> I would really appreciate some help.
>
> Thank you and best regards,
>
> Todd

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
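
The packaging step asked about in the reply above, as an added example that is not part of the original thread: it bundles a client key, certificate and root CA into a PKCS#12 file with OpenSSL, then checks before import that the bundle really holds the private key matching the certificate, next to a certificate-only bundle that fails the check. The throwaway CA, subject names, file names and password are constructed placeholders.

```shell
#!/bin/sh
# Added example. All names, subjects and the password are constructed placeholders.
set -e

# Throwaway CA plus one client key/certificate, written into directory $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demoCA" \
    -keyout "$1/caKey.pem" -out "$1/caCert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=win7-demo" \
    -keyout "$1/clientKey.pem" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/caCert.pem" \
    -CAkey "$1/caKey.pem" -CAcreateserial -days 1 \
    -out "$1/clientCert.pem" 2>/dev/null
}

# Bundle private key + client certificate + root CA, as the reply asks.
pack_with_key() {   # $1 = dir, $2 = export password
  openssl pkcs12 -export -inkey "$1/clientKey.pem" -in "$1/clientCert.pem" \
    -certfile "$1/caCert.pem" -name win7-demo \
    -passout "pass:$2" -out "$1/client.p12"
}

# Certificates only: what ends up in the store when no key is imported.
pack_cert_only() {  # $1 = dir, $2 = export password
  openssl pkcs12 -export -nokeys -in "$1/clientCert.pem" \
    -certfile "$1/caCert.pem" -passout "pass:$2" -out "$1/certonly.p12"
}

# Succeeds only if the bundle holds a private key whose public half
# equals the public key in the client certificate.
p12_has_matching_key() {  # $1 = .p12 file, $2 = password
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
    2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
    2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d)
make_demo_pki "$work"
pack_with_key "$work" demo-pass
pack_cert_only "$work" demo-pass
for f in client.p12 certonly.p12; do
  if p12_has_matching_key "$work/$f" demo-pass; then
    echo "$f: private key matches certificate"
  else
    echo "$f: no matching private key"
  fi
done
rm -rf "$work"
```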



