[strongSwan] Error 13801 on Win 7 - with known good ca certificate

Gregg Hughes ghughes at iscinternational.com
Fri Aug 2 23:44:39 CEST 2013


Good afternoon, Andy!

Yep, I see the Windows cert installed under Certificates (Local Computer)
and under Trusted Root Certification Authorities.  The trusted CA shows as
root and matches the details shown on my working test machine.

Thanks!

gregg

-----Original Message-----
From: Paton, Andy [mailto:andy.paton at hp.com] 
Sent: Friday, August 02, 2013 4:03 PM
To: Gregg Hughes
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Error 13801 on Win 7 - with known good ca
certificate

Gregg,

So when I was trying this the other week the two main causes were:

A) Certificates not having SAN with DNS / IP.
B) Windows not loading certificate root of trust properly.

If you have the cert working I suggest checking the certificates on Windows.
Are they installed in machine Certs? When you inspect them can it validate
the certificate chain?

Regards,

--
Andrew Paton



On 2 Aug 2013, at 22:00, "Gregg Hughes"
<ghughes at iscinternational.com> wrote:

Good afternoon, all!

I'm tracking down another problem on my VPN, this one arising from two Win7
connections.

The client machine is a Windows 7 Professional that is connecting via
EAP-MSCHAPV2.  I have imported the self-signed certificate as shown in the
documentation.  This certificate works for my test Win7 machine, so it's
known good and conforms to the needs of Win 7 as per
http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq.


The ipsec.conf is below.

# ipsec.conf - strongSwan1 IPsec configuration file

# basic configuration
# 7/18 set up for rw-cert

config setup
                # plutodebug=all
                crlcheckinterval=180
                strictcrlpolicy=no
                # cachecrls=yes
                # nat_traversal=yes
                charonstart=yes
                plutostart=no

# Add connections here.

conn %default
                ikelifetime=60m
                keylife=20m
                rekeymargin=3m
                keyingtries=1
                keyexchange=ikev2

conn net-net
                left=192.168.1.102
                leftsubnet=192.168.0.0/16
                leftid=@vpn1.iscinternational.com
                leftfirewall=yes
                right=67.53.158.25
                rightsubnet=192.168.0.0/16
                rightid=@vpn2.iscinternational.com
                auto=add

conn rw-eap-bluemound
                left=192.168.1.102
                # leftsourceip=%config
                leftsubnet=192.168.0.0/16
                leftid=@vpn1.iscinternational.com
                leftcert=vpn1cert.pem
                leftauth=pubkey
                leftfirewall=yes
                lefthostaccess = yes
                right=%any
                rightauth=eap-mschapv2
                rightsendcert=never
                rightsourceip=%dhcp
                eap_identity=%any
                auto=add

The rw-eap-bluemound connection works with a Win7 virtual machine inside the
network.  The connection looks good - from syslog:

Aug  2 15:42:14 vpn1 charon: 09[NET] sending packet: from 192.168.1.102[4500] to 192.168.200.251[4500]

but then the 13801 error pops up and the server does this:

Aug  2 15:42:44 vpn1 charon: 11[JOB] deleting half open IKE_SA after timeout.

As I indicated, the certificate works with another Win 7 client, and I can
make a successful connection.

What other possible blocks that come up in strongSwan can lead to this
Windows 13801 error?

Thanks to all for looking at this!


Gregg

Gregg Hughes
IT Administrator
www.iscinternational.com
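Cause A in Andy's list (no SAN with the DNS name or IP the client connects to) can be checked on the server certificate before touching the Windows client; the Win7CertReq wiki page Gregg links also calls for the serverAuth extended key usage. The shell check below is an added example, not code from this thread or from the strongSwan project: it assumes openssl(1) on PATH and builds a constructed self-signed sample certificate for vpn1.iscinternational.com rather than using the poster's actual vpn1cert.pem. Cause B (the root certificate not loaded in the Windows machine store) is a client-side check it does not cover.

```shell
#!/bin/sh
# Added example (not the thread's or strongSwan's code): check a strongSwan
# server certificate against the Windows 7 IKEv2 client requirements the
# thread refers to: a subjectAltName with the DNS name or IP the client
# connects to, and the serverAuth extended key usage. Assumes openssl(1).

# check_win7_cert CERT.pem IDENTITY: prints findings, exit 0 only if both pass
check_win7_cert() {
    cert="$1"; ident="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # Escape dots so the identity matches literally under grep -E.
    esc=$(printf '%s' "$ident" | sed 's/\./\\./g')
    # 1) The SAN values sit on the line after the extension header.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
    if printf '%s' "$san" | grep -Eq "(DNS:|IP Address:)$esc(,|\$)"; then
        echo "ok: SAN contains $ident"
    else
        echo "FAIL: no DNS/IP SAN entry for $ident (have: ${san:-none})"; rc=1
    fi
    # 2) EKU must include serverAuth (1.3.6.1.5.5.7.3.1), which -text prints
    #    as "TLS Web Server Authentication".
    if printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "ok: serverAuth EKU present"
    else
        echo "FAIL: extendedKeyUsage serverAuth missing"; rc=1
    fi
    return $rc
}

# make_sample_cert OUT.pem SAN [EKU]: constructed self-signed certificate
# for vpn1 (key written to OUT.pem.key), only to exercise the check above.
make_sample_cert() {
    out="$1"; san="$2"; eku="$3"
    set -- req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$out.key" -out "$out" \
           -subj "/CN=vpn1.iscinternational.com" -addext "subjectAltName=$san"
    [ -n "$eku" ] && set -- "$@" -addext "extendedKeyUsage=$eku"
    openssl "$@" 2>/dev/null
}

# Demo: a cert matching leftid=@vpn1.iscinternational.com passes; one whose
# SAN names another host and that lacks the EKU fails both checks.
tmp=$(mktemp -d)
make_sample_cert "$tmp/good.pem" "DNS:vpn1.iscinternational.com" serverAuth
check_win7_cert "$tmp/good.pem" vpn1.iscinternational.com
make_sample_cert "$tmp/bad.pem" "DNS:vpn.example.net"
check_win7_cert "$tmp/bad.pem" vpn1.iscinternational.com || echo "bad.pem rejected"
```

Run it against the real file with `check_win7_cert /etc/ipsec.d/certs/vpn1cert.pem vpn1.iscinternational.com` (path assumed), using whatever hostname or IP the Windows client has in its connection settings as the identity.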
