[strongSwan] Windows 7 IKEv2 Error 13806

Tiebing Zhang tzhang at advistatech.com
Thu May 17 20:33:37 CEST 2012


Hi Andreas,

That is a big bummer. I thought Microsoft started supporting ECDSA 
starting with Vista.

Anyway, I created a new openssl-based CA using RSA-2048 instead of ECDSA 
P-384, and issued two certificates, win7 and "192.168.5.63", and reloaded 
both my Windows 7 computer and the strongSwan server. Error 13806 still 
comes up.

I loaded the same "win7" certificates into another Ubuntu computer 
running strongSwan as a client. It connected fine to the 192.168.5.63 
server. So it seems that my strongSwan server is running okay.

I have enabled both "clientAuth" and "serverAuth" EKU in the win7 
certificate, and the CA is imported correctly. The private key seems to 
be loaded correctly too.

Any other things that I should be checking?

Thanks again,

Best regards,

Todd


On 5/17/2012 10:36 AM, Andreas Steffen wrote:
> Hi Todd,
>
> your problem is that although the Microsoft Crypto API and the
> old IKEv1-based IPsec client support Elliptic Curve Cryptography,
> the Windows 7 IKEv2-based Agile VPN client doesn't. It just doesn't
> find ECDSA certificates. It seems that Windows 8 is going to offer
> ECC support, at least via the powershell command line.
>
> Regards
>
> Andreas
>
> On 05/17/2012 02:55 PM, Tiebing Zhang wrote:
>> Hi Andreas,
>>
>> Yes, I did, as far as I can tell. After importing the certificate file,
>> two certificates showed up in the "Certificates(Local
>> Computer)->personal->certificates" store. One is the "win71" certificate
>> and one is the "CA" certificate. I moved the "CA" certificate to the
>> "Trusted Root Certificate Authorities" by dragging and dropping the
>> certificate. When I double click the "win71" certificate, it shows
>> something like this:
>>
>> Allows secure communication on the Internet
>> Ensures the identity of a remote computer
>> Proves your identity to a remote computer
>>
>> Issued to: win71
>> Valid from 5/15/2012 to 5/15/2013
>>
>> *You have a private key that corresponds to this certificate.
>>
>> When I click on the "certificate path", it shows the path to the "CA"
>> certificate at the top of the dialog box, and at the bottom it says
>> "this certificate is OK".
>>
>> I compared the CA certificate on the Win7 and the one on the StrongSwan.
>> They are the same CA certificate.
>>
>> Just one note: I use ECDSA P_384 in the certificate. I don't think this
>> is a problem but just wanted to mention that to you.
>>
>> Looking at the log file of strongSwan, it seems that strongSwan
>> hasn't got a chance to send the actual strongSwan certificate to Win7.
>> It only sent the "CA" certificate to Win7, and somehow Win7 couldn't
>> validate that CA cert?
>>
>> Another note: The Win7 is without the Service Pack 1.
>>
>> Thank you for your gracious help.
>>
>> Best regards,
>>
>> Todd
>>
>> On 5/17/2012 1:45 AM, Andreas Steffen wrote:
>>> Hello Todd,
>>>
>>> did you pack the Windows 7 private key and matching X.509 certificate
>>> together with the Root CA certificate into a PKCS#12 file (*.p12) and
>>> import this file into the Local Computer part of the Windows registry
>>> via the mmc? Does clicking on the imported Windows 7 certificate tell
>>> you that it has a matching private key?
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
>>>> Dear all,
>>>>
>>>> I would like to connect to strongSwan with Windows 7 using IKEv2 and
>>>> a Machine Certificate.
>>>> I followed the instructions in the strongSwan Wiki but couldn't get
>>>> it to work.
>>>> When trying to connect I receive an error 13806 telling me that
>>>> Windows is not able to find a valid machine certificate.
>>>>
>>>> What I did so far:
>>>>
>>>> - Created the Root certificate, the strongSwan certificate/private key, and
>>>> the Windows 7 certificate/private key using OpenSSL.
>>>> - Imported the Windows 7 certificate and root certificate into the Personal
>>>> store and the Trusted Root Certification Authorities store (Local Computer)
>>>> respectively.
>>>> Windows 7 indicates the certificate is valid and can be traced to the
>>>> installed root certificate.
>>>> - Strongswan certificates:
>>>> Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
>>>> X509v3 extensions:
>>>> X509v3 Key Usage:
>>>> Digital Signature, Key Encipherment
>>>> X509v3 Extended Key Usage:
>>>> 1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>>>> X509v3 Basic Constraints:
>>>> CA:FALSE
>>>> X509v3 CRL Distribution Points:
>>>> URI:http://192.168.5.204/ca.crl
>>>>
>>>> - Windows 7 certificate:
>>>> Subject: C=US, ST=CA, O=mycompany, CN=win71
>>>> X509v3 extensions:
>>>> X509v3 Key Usage:
>>>> Digital Signature, Key Encipherment
>>>> X509v3 Extended Key Usage:
>>>> 1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>>>> X509v3 Subject Alternative Name:
>>>> DNS:rras1.mycompany.com
>>>> X509v3 Basic Constraints:
>>>> CA:FALSE
>>>> X509v3 CRL Distribution Points:
>>>> URI:http://192.168.5.204/ca.crl
>>>>
>>>> strongSwan is running okay. "ipsec listcerts" indicates that the
>>>> private key and the certificate are both loaded correctly.
>>>>
>>>> strongSwan log:
>>>> May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to
>>>> 192.168.5.63[500]
>>>> May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
>>>> N(NATD_S_IP) N(NATD_D_IP) ]
>>>> May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
>>>> May 17 15:10:19 14[IKE] remote host is behind NAT
>>>> May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA,
>>>> O=mycompany, CN=mycompanyCA"
>>>> May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No
>>>> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>>>> May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to
>>>> 192.168.5.204[52720]
>>>>
>>>> Windows 7 is giving the Error 13806 message.
>>>>
>>>> I even disabled the EKU checks according to
>>>> http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq and
>>>> rebooted the Windows 7 machine; still the 13806 error message.
>>>>
>>>> I would really appreciate some help.
>>>>
>>>> Thank you and best regards,
>>>>
>>>> Todd
>>>
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
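The thread turns on properties of the gateway certificate that can be read straight from `openssl x509 -text -noout`: the public-key algorithm (the Windows 7 IKEv2 client does not find ECDSA certificates, per Andreas), the Extended Key Usage list, Basic Constraints, and whether the CN or Subject Alternative Name carries the address the client dials. The following checker is an added example, not code from the strongSwan project or from either participant; it parses the textual dump and reports which of those properties would stop a Windows 7 machine-certificate connection. The two certificate dumps embedded in it are constructed to match what the thread describes (an ECDSA P-384 gateway certificate, and an RSA reissue with a SAN for 192.168.5.63); the identity-match rule and the exact "problem" wording are this example's own assumptions.

```python
"""Check `openssl x509 -text -noout` output for the certificate properties
discussed in the thread.  Added example, not strongSwan project code."""
import re

IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"  # the EKU OID shown in the thread


def _extension_value(lines, name):
    """Join the indented continuation lines under an 'X509v3 <name>:' header."""
    for i, line in enumerate(lines):
        if not line.strip().startswith(name + ":"):
            continue
        indent = len(line) - len(line.lstrip())
        parts = []
        for cont in lines[i + 1:]:
            # Stop at a blank line or at the next header (same or lesser indent).
            if not cont.strip() or len(cont) - len(cont.lstrip()) <= indent:
                break
            parts.append(cont.strip())
        return " ".join(parts)
    return None


def parse_x509_text(text):
    """Extract key algorithm, subject CN, EKU, SAN and CA flag from the dump."""
    lines = text.splitlines()
    m = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    key_alg = m.group(1) if m else None
    # '^\s*Subject:' does not match 'Subject Public Key Info:' or 'Issuer:'.
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None

    def split(value):
        return [v.strip() for v in value.split(",") if v.strip()] if value else []

    basic = _extension_value(lines, "X509v3 Basic Constraints") or ""
    return {
        "key_algorithm": key_alg,
        "subject_cn": cn,
        "eku": split(_extension_value(lines, "X509v3 Extended Key Usage")),
        "san": split(_extension_value(lines, "X509v3 Subject Alternative Name")),
        "is_ca": "CA:TRUE" in basic,
    }


def check_gateway_cert(text, expected_identity):
    """Return a list of problems for a gateway certificate that a Windows 7
    IKEv2 machine-certificate client must accept; [] means nothing found."""
    cert = parse_x509_text(text)
    problems = []
    if cert["key_algorithm"] != "rsaEncryption":
        problems.append("key algorithm is %s; the Windows 7 IKEv2 client only finds "
                        "RSA certificates" % cert["key_algorithm"])
    if "TLS Web Server Authentication" not in cert["eku"]:
        problems.append("EKU lacks TLS Web Server Authentication (serverAuth)")
    if cert["is_ca"]:
        problems.append("Basic Constraints say CA:TRUE; an end-entity certificate is expected")
    # Assumption of this example: the client compares the name/address it dials
    # against the certificate's CN or SAN entries ('DNS:...', 'IP Address:...').
    identities = [cert["subject_cn"]] + [s.split(":", 1)[1] for s in cert["san"] if ":" in s]
    if expected_identity not in identities:
        problems.append("neither CN nor SAN carries %r, the address the client dials"
                        % expected_identity)
    return problems


# Constructed sample: the gateway certificate as the thread first describes it.
THREAD_GATEWAY_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA
        Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:
                URI:http://192.168.5.204/ca.crl
"""

# Constructed sample: the RSA-2048 reissue, with a SAN naming the gateway address.
RSA_GATEWAY_CERT = THREAD_GATEWAY_CERT.replace(
    "id-ecPublicKey\n                Public-Key: (384 bit)\n                ASN1 OID: secp384r1",
    "rsaEncryption\n                Public-Key: (2048 bit)",
).replace(
    "            X509v3 Basic Constraints:",
    "            X509v3 Subject Alternative Name:\n                IP Address:192.168.5.63\n"
    "            X509v3 Basic Constraints:",
)

if __name__ == "__main__":
    for label, cert in (("ECDSA gateway cert", THREAD_GATEWAY_CERT),
                        ("RSA gateway cert", RSA_GATEWAY_CERT)):
        print(label, check_gateway_cert(cert, "192.168.5.63") or "OK")
```

Run it on a real dump with `openssl x509 -in gateway.pem -text -noout > dump.txt` and feed the file's contents to `check_gateway_cert`; the same parser can be pointed at the client certificate to confirm its EKU carries TLS Web Client Authentication.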