[strongSwan] Error 13801 on Win 7 - with known good ca certificate

Paton, Andy andy.paton at hp.com
Fri Aug 2 23:03:26 CEST 2013 

Greg,

So when I was trying tho the other week the two main causes were:

A) Certiicates not having SAN with DNS / IP.
B) Windows not loading certificate root of trust properly.

If you have the cert working I suggest checking the certificates on windows. Are they installed in machine Certs? When you inspect them can in validate the certificate chain?

Regards,

--
Andrew Paton



On 2 Aug 2013, at 22:00, "Gregg Hughes" <ghughes at iscinternational.com<mailto:ghughes at iscinternational.com>> wrote:

Good afternoon, all!

I’m tracking down another problem on my VPN, this one arising from two Win7 connections.

The client machine  is a Windows 7 Professional that is connecting via EAP-MSCHAPV2.  I have imported the self-signed certificate as shown on the documentation.  This certificate works for my test Win7 machine, so it’s known good and conforms to the needs of Win 7 as per http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq.


The ipsec.conf is below.

# ipsec.conf - strongSwan1 IPsec configuration file

# basic configuration
# 7/18 set up for rw-cert

config setup
                # plutodebug=all
                crlcheckinterval=180
                strictcrlpolicy=no
                # cachecrls=yes
                # nat_traversal=yes
                charonstart=yes
                plutostart=no

# Add connections here.

conn %default
                ikelifetime=60m
                keylife=20m
                rekeymargin=3m
                keyingtries=1
                keyexchange=ikev2

conn net-net
                left=192.168.1.102
                leftsubnet=192.168.0.0/16
                leftid=@vpn1.iscinternational.com<mailto:leftid=@vpn1.iscinternational.com>
                leftfirewall=yes
                right=67.53.158.25
                rightsubnet=192.168.0.0/16
                rightid=@vpn2.iscinternational.com<mailto:rightid=@vpn2.iscinternational.com>
                auto=add

conn rw-eap-bluemound
                left=192.168.1.102
                # leftsourceip=%config
                leftsubnet=192.168.0.0/16
                leftid=@vpn1.iscinternational.com<mailto:leftid=@vpn1.iscinternational.com>
                leftcert=vpn1cert.pem
                leftauth=pubkey
                leftfirewall=yes
                lefthostaccess = yes
                right=%any
                rightauth=eap-mschapv2
                rightsendcert=never
                rightsourceip=%dhcp
                eap_identity=%any
                auto=add

The rw-eap-bluemound connection works with a Win7 virtual machine inside the network.  The connection looks good – from syslog:  Aug  2 15:42:14 vpn1 charon: 09[NET] sending packet: from 192.168.1.102[4500] to 192.168.200.251[4500] – but then the 13801 error pups up and the server does this:  Aug  2 15:42:44 vpn1 charon: 11[JOB] deleting half open IKE_SA after timeout.

As I indicated, the certificate works with another Win 7 client, and I can make a successful connection.

What other possible blocks can lead to this Windows 13801 error that come up in Strongswan?

Thanks to all for looking at this!


Gregg

Gregg Hughes
IT Administrator
www.iscinternational.com<http://www.iscinternational.com>




_______________________________________________
Users mailing list
Users at lists.strongswan.org<mailto:Users at lists.strongswan.org>
https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list