[strongSwan] Windows 7 IKEv2 Error 13806

Tiebing Zhang tzhang at advistatech.com
Thu May 17 14:55:25 CEST 2012


Hi Andreas,

Yes I did, as far as I can tell. After importing the certificate file, 
two certificates showed up in the "Certificates(Local 
Computer)->personal->certificates" store. One is the "win71" certificate 
and one is the "CA" certificate. I moved the "CA" certificate to the 
"Trusted Root Certificate Authorities" by dragging and dropping the 
certificate. When I double click the "win71" certificate, it shows 
something like this:

  Allows secure communication on the Internet
  Ensures the identity of a remote computer
  Proves your identity to a remote computer

  Issued to :win71
  valid from 5/15/2012 to 5/15/2013

  *You have a private key that corresponds to this certificate.

When I click on the "certificate path", it shows the path to the "CA" 
certificate on the top of the dialog box and on the bottom it says 
"this certificate is OK".

I compared the CA certificate on the Win7 and the one on the StrongSwan. 
They are the same CA certificate.

Just one note: I use ECDSA P_384 in the certificate. I don't think this 
is a problem but just wanted to mention that to you.

Looking at the log file of strongSwan, it seems that strongSwan 
hasn't had a chance to send the actual strongSwan certificate to Win7. 
It only sent the "CA" certificate to Win7, and somehow Win7 couldn't 
validate that CA cert?

Another note: The Win7 is without the Service Pack 1.

Thank you for your gracious help.

Best regards,

Todd

On 5/17/2012 1:45 AM, Andreas Steffen wrote:
> Hello Todd,
>
> did you pack the Windows 7 private key and matching X.509 certificate
> together with the Root CA certificate into a PKCS#12 file (*.p12) and
> imported this file into the Local Computer part of the Windows registry
> via the mmc? Does clicking on the imported Windows 7 certificate tell
> you that it has a matching private key?
>
> Regards
>
> Andreas
>
> On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
>> Dear all,
>>
>> I would like to connect to strongSwan with Windows 7 using IKEv2 and 
>> Machine Certificate.
>> I followed the instructions in the strongSwan Wiki but couldn't get 
>> it to work.
>> When trying to connect I receive an error 13806 telling me that 
>> Windows is not able to find a valid machine certificate.
>>
>> What I did so far:
>>
>> - Created Root certificate, strongSwan certificate/private key, and 
>> Windows 7 certificate/private key using OpenSSL.
>> - Imported the Windows 7 certificate and root Certificate to personal 
>> store and Computer Trusted Root Authorities (Local computer) 
>> respectively.
>>     Windows 7 indicates the certificate is valid and can be traced to 
>> the installed root certificate
>> - Strongswan certificates:
>>    Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
>>    X509v3 extensions:
>>              X509v3 Key Usage:
>>                  Digital Signature, Key Encipherment
>>              X509v3 Extended Key Usage:
>>                  1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>>              X509v3 Basic Constraints:
>>                  CA:FALSE
>>              X509v3 CRL Distribution Points:
>>                  URI:http://192.168.5.204/ca.crl
>>
>> - Windows 7 certificate:
>>    Subject: C=US, ST=CA, O=mycompany, CN=win71
>>    X509v3 extensions:
>>              X509v3 Key Usage:
>>                  Digital Signature, Key Encipherment
>>              X509v3 Extended Key Usage:
>>                  1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>>              X509v3 Subject Alternative Name:
>>                  DNS:rras1.mycompany.com
>>              X509v3 Basic Constraints:
>>                  CA:FALSE
>>              X509v3 CRL Distribution Points:
>>                  URI:http://192.168.5.204/ca.crl
>>
>> Strongswan is running okay. "ipsec listcerts" indicates that the 
>> private key and the certificate are both loaded correctly.
>>
>> Strongswan log:
>> May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to 192.168.5.63[500]
>> May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
>> May 17 15:10:19 14[IKE] remote host is behind NAT
>> May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA"
>> May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to 192.168.5.204[52720]
>>
>> Windows 7 is giving the Error 13806 message.
>>
>> I even disabled the EKU checks according to 
>> http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq 
>> and rebooted the Windows 7 machine, still the 13806 error message.
>>
>> I would really appreciate some help.
>>
>> Thank you and best regards,
>>
>> Todd
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
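
Added example, not part of the original thread or of strongSwan's code: a short Python summary of the charon log lines posted above (unwrapped), listing which IKEv2 messages were logged. In IKEv2 a CERTREQ payload only names a CA the sender trusts, while certificates travel in CERT payloads during IKE_AUTH, so this log ends before either side sent a certificate. The names `summarize`, `MSG` and `CERTREQ` are this example's own.

```python
import re

# charon log lines from the post above, with the e-mail line wrapping undone.
POSTED_LOG = """\
May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to 192.168.5.63[500]
May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
May 17 15:10:19 14[IKE] remote host is behind NAT
May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA"
May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to 192.168.5.204[52720]
"""

# "parsed" = message received by charon, "generating" = message it sends.
MSG = re.compile(r'\[ENC\] (parsed|generating) (\S+) (request|response) (\d+) \[ (.*) \]')
CERTREQ = re.compile(r'\[IKE\] sending cert request for "([^"]+)"')


def summarize(log):
    """Return the IKEv2 messages charon logged and the CAs named in CERTREQs."""
    msgs, requested_cas = [], []
    for line in log.splitlines():
        m = MSG.search(line)
        if m:
            verb, exchange, kind, msg_id, payloads = m.groups()
            direction = "in" if verb == "parsed" else "out"
            # Whitespace split is enough to test for CERT / CERTREQ tokens.
            msgs.append((direction, exchange, kind, int(msg_id), payloads.split()))
            continue
        c = CERTREQ.search(line)
        if c:
            requested_cas.append(c.group(1))
    return {
        "exchanges": [f"{d}:{ex} {kind} {i}" for d, ex, kind, i, _ in msgs],
        "requested_cas": requested_cas,
        # CERTREQ asks the peer for a certificate issued by the named CA.
        "certreq_sent": any(d == "out" and "CERTREQ" in p for d, _, _, _, p in msgs),
        # CERT carries an actual certificate; it only appears in IKE_AUTH.
        "cert_sent": any(d == "out" and "CERT" in p for d, _, _, _, p in msgs),
        "ike_auth_received": any(
            d == "in" and ex == "IKE_AUTH" and kind == "request"
            for d, ex, kind, _, _ in msgs),
    }


if __name__ == "__main__":
    for key, value in summarize(POSTED_LOG).items():
        print(f"{key}: {value}")
```

For the posted log the summary shows one CERTREQ sent, no CERT sent and no IKE_AUTH request received, meaning the client stopped after IKE_SA_INIT.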