[strongSwan] Windows 7 IKEv2 Error 13806

Andreas Steffen andreas.steffen at strongswan.org
Thu May 17 19:36:15 CEST 2012


Hi Todd,

your problem is that although the Microsoft Crypto API and the
old IKEv1-based IPsec client support Elliptic Curve Cryptography,
the Windows 7 IKEv2-based Agile VPN client doesn't. It just doesn't
find ECDSA certificates. It seems that Windows 8 is going to offer
ECC support, at least via the powershell command line.

Regards

Andreas

On 05/17/2012 02:55 PM, Tiebing Zhang wrote:
> Hi Andreas,
>
> Yes I did, as far as I can tell. After importing the certificate file,
> two certificates showed up in the "Certificates(Local
> Computer)->personal->certificates" store. One is the "win71" certificate
> and one is the "CA" certificate. I moved the "CA" certificate to the
> "Trusted Root Certificate Authorities" by dragging and dropping the
> certificate. When I double click the "win71" certificate, it shows
> something like this:
>
> Allows secure communication on the Internet
> Ensures the identity of a remote computer
> Proves your identity to a remote computer
>
> Issued to :win71
> valid from 5/15/2012 to 5/15/2013
>
> *You have a private key that corresponds to this certificate.
>
> When I click on the "certificate path", it shows the path to the "CA"
> certificate on the top of the dialog box and on the bottom it says "
> this certificate is OK".
>
> I compared the CA certificate on the Win7 and the one on the StrongSwan.
> They are the same CA certificate.
>
> Just one note: I use ECDSA P_384 in the certificate. I don't think this
> is a problem but just wanted to mention that to you.
>
> Looking at the log file of the strongSwan, it seems that strongSwan
> hasn't got a chance to send the actual strongSwan certificate to Win7.
> It only sent the "CA" certificate to Win7, and somehow Win7 couldn't
> validate that CA cert?
>
> Another note: The Win7 is without the Service Pack 1.
>
> Thank you for your gracious help.
>
> Best regards,
>
> Todd
>
> On 5/17/2012 1:45 AM, Andreas Steffen wrote:
>> Hello Todd,
>>
>> did you pack the Windows 7 private key and matching X.509 certificate
>> together with the Root CA certificate into a PKCS#12 file (*.p12) and
>> import this file into the Local Computer part of the Windows registry
>> via the mmc? Does clicking on the imported Windows 7 certificate tell
>> you that it has a matching private key?
>>
>> Regards
>>
>> Andreas
>>
>> On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
>>> Dear all,
>>>
>>> I would like to connect to strongSwan with Windows 7 using IKEV2 and
>>> Machine Certificate.
>>> I followed the instructions in the strongSwan Wiki but couldn't get
>>> it to work.
>>> When trying to connect I receive an error 13806 telling me that
>>> Windows is not able to find a valid machine certificate.
>>>
>>> What I did so far:
>>>
>>> - Created Root certificate, StrongSwan Certificate/private key, and
>>> Windows 7 certificate/private key using Openssl.
>>> - Imported the Windows 7 certificate and root Certificate to personal
>>> store and Computer Trusted Root Authorities (Local computer)
>>> respectively.
>>> Windows 7 indicates the certificate is valid and can be traced to the
>>> installed root certificate
>>> - strongSwan certificate:
>>> Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
>>> X509v3 extensions:
>>> X509v3 Key Usage:
>>> Digital Signature, Key Encipherment
>>> X509v3 Extended Key Usage:
>>> 1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client
>>> Authentication
>>> X509v3 Basic Constraints:
>>> CA:FALSE
>>> X509v3 CRL Distribution Points:
>>> URI:http://192.168.5.204/ca.crl
>>>
>>> - Windows 7 certificate:
>>> Subject: C=US, ST=CA, O=mycompany, CN=win71
>>> X509v3 extensions:
>>> X509v3 Key Usage:
>>> Digital Signature, Key Encipherment
>>> X509v3 Extended Key Usage:
>>> 1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client
>>> Authentication
>>> X509v3 Subject Alternative Name:
>>> DNS:rras1.mycompany.com
>>> X509v3 Basic Constraints:
>>> CA:FALSE
>>> X509v3 CRL Distribution Points:
>>> URI:http://192.168.5.204/ca.crl
>>>
>>> strongSwan is running okay. "ipsec listcerts" indicates that the
>>> private key and the certificate are both loaded correctly.
>>>
>>> strongSwan log:
>>> May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to
>>> 192.168.5.63[500]
>>> May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
>>> N(NATD_S_IP) N(NATD_D_IP) ]
>>> May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
>>> May 17 15:10:19 14[IKE] remote host is behind NAT
>>> May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA,
>>> O=mycompany, CN=mycompanyCA"
>>> May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No
>>> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>>> May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to
>>> 192.168.5.204[52720]
>>>
>>> Windows 7 is giving the Error 13806 message.
>>>
>>> I even disabled the EKU checks according
>>> to http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq and
>>> rebooted the Windows 7 machine, still the 13806 error message.
>>>
>>> I would really appreciate some help.
>>>
>>> Thank you and best regards,
>>>
>>> Todd
>>

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
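The following script is an added example and is not code from this thread or from the strongSwan project. It puts Andreas' advice into a repeatable form: build the Windows 7 machine certificate with OpenSSL, pack private key, certificate and root CA into one PKCS#12 file for import via the mmc, and, before doing so, check the public-key algorithm, because the Windows 7 IKEv2 client only finds RSA certificates and silently ignores ECDSA ones (Todd's P-384 certificate). The key usage, extended key usage (including the IKE intermediate OID 1.3.6.1.5.5.8.2.2) and SAN values are taken from Todd's certificate dump; the file names, the working directory and the password "changeit" are made-up placeholders, and the script assumes the openssl CLI (1.1.1 or 3.x) is in PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project).
# Assumes: openssl CLI in PATH; all names/passwords below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One config file: a self-signed root CA section and a client section that
# mirrors the extensions shown in Todd's certificate dump.
write_openssl_conf() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# serverAuth, clientAuth and the IKE intermediate OID from the thread
extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:rras1.mycompany.com
crlDistributionPoints = URI:http://192.168.5.204/ca.crl
EOF
}

# Self-signed RSA root CA (subject taken from the strongSwan log line).
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 365 -subj "/C=US/ST=CA/L=LA/O=mycompany/CN=mycompanyCA" 2>/dev/null
}

# Two candidate machine keys: RSA (works) and ECDSA P-384 (what Todd used).
make_keys() {
  openssl genrsa -out "$WORK/win71-rsa.key" 2048 2>/dev/null
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/win71-ec.key"
}

# Issue a CA-signed end-entity certificate: $1 file stem, $2 key file.
issue_cert() {
  openssl req -new -config "$WORK/openssl.cnf" -key "$2" \
    -out "$WORK/$1.csr" -subj "/C=US/ST=CA/O=mycompany/CN=win71" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions v3_client \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Prints the SubjectPublicKeyInfo algorithm: rsaEncryption or id-ecPublicKey.
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# The Windows 7 IKEv2 client only selects RSA machine certificates.
win7_ikev2_cert_ok() {
  [ "$(cert_key_algorithm "$1")" = "rsaEncryption" ]
}

# Does the EKU carry the IKE intermediate OID (printed raw or by name)?
has_ike_intermediate_eku() {
  openssl x509 -in "$1" -noout -text | grep -qE '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE Intermediate'
}

# Key + cert + root CA in one .p12: $1 bundle name, $2 key file, $3 cert file.
# OpenSSL 3 defaults to AES/PBKDF2 encodings that Windows 7 cannot import,
# so try -legacy first and fall back on builds that lack that option.
pack_pkcs12() {
  openssl pkcs12 -export -legacy -inkey "$2" -in "$3" -certfile "$WORK/ca.crt" \
      -name "$1" -passout pass:changeit -out "$WORK/$1.p12" 2>/dev/null ||
  openssl pkcs12 -export -inkey "$2" -in "$3" -certfile "$WORK/ca.crt" \
      -name "$1" -passout pass:changeit -out "$WORK/$1.p12" 2>/dev/null
}

# Number of certificates inside a bundle (expect 2: machine cert + root CA).
p12_cert_count() {
  { openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -legacy 2>/dev/null ||
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null; } |
    grep -c 'BEGIN CERTIFICATE'
}

# Full run: warns about the ECDSA certificate, packs the RSA one, prints the path.
build_win7_bundle() {
  write_openssl_conf
  make_ca
  make_keys
  issue_cert win71-rsa "$WORK/win71-rsa.key"
  issue_cert win71-ec "$WORK/win71-ec.key"
  if ! win7_ikev2_cert_ok "$WORK/win71-ec.crt"; then
    echo "win71-ec.crt: $(cert_key_algorithm "$WORK/win71-ec.crt") key, Windows 7 IKEv2 will not find it" >&2
  fi
  win7_ikev2_cert_ok "$WORK/win71-rsa.crt"
  pack_pkcs12 win71 "$WORK/win71-rsa.key" "$WORK/win71-rsa.crt"
  echo "$WORK/win71.p12"
}

if [ "${1:-}" = "--run" ]; then build_win7_bundle; fi
```

Run it as `sh build.sh --run`; it prints the path of the .p12 to import into the Local Computer store with the mmc, and a warning on stderr for the ECDSA certificate. After import, the cert_key_algorithm check is the first thing to repeat against the certificate Windows actually shows in the Personal store when error 13806 persists.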
