[strongSwan] Struggling with Windows 7 IkeV2 - Error 13806

Shanthi Thomas Shanthi.Thomas at motorolasolutions.com
Fri Sep 27 21:05:45 CEST 2013



Weber, Stefan (IT <s.weber at ...> writes:

> Hello Andreas,
>
> Yes that is the case. Here is the debug log I got: Maybe it would help if I knew how I could debug the Windows 7
> side of the process. Unfortunately I couldn't find any information where Windows 7 is logging or how I could
> enable logging there
>
> 00[JOB] spawning 16 worker threads
> charon (1923) started after 100 ms
> 07[CFG] received stroke: add connection 'win7'
> 07[CFG] left nor right host is our side, assuming left=local
> 07[CFG]   loaded certificate "C=DE, O=MyOrg, OU=Test, CN=strongswan.vpntest.local" from 'vpnserver.crt.pem'
> 07[CFG] added configuration 'win7'
> 07[CFG] adding virtual IP address pool 'win7': 10.10.3.0/24
> loading ca certificates from '/etc/ipsec.d/cacerts'
>   loaded ca certificate from '/etc/ipsec.d/cacerts/vpntestrootca.crt.pem'
> loading aa certificates from '/etc/ipsec.d/aacerts'
> loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
> loading attribute certificates from '/etc/ipsec.d/acerts'
> spawning 4 worker threads
> listening for IKE messages
> adding interface eth0/eth0 192.168.150.55:500
> adding interface lo/lo 127.0.0.1:500
> adding interface lo/lo ::1:500
> loading secrets from "/etc/ipsec.secrets"
>   loaded private key from 'vpnserver.key.pem'
> no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
> connection must specify host IP address for our side
> 12[NET] received packet: from 192.168.150.52[500] to 192.168.150.55[500]
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 12[IKE] 192.168.150.52 is initiating an IKE_SA
> 12[IKE] sending cert request for "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA, E=ca at ..."
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 12[NET] sending packet: from 192.168.150.55[500] to 192.168.150.52[500]
> 13[JOB] deleting half open IKE_SA after timeout
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at ...]
> Sent: Monday, 23 May 2011 16:43
> To: Weber, Stefan (IT)
> Cc: users at ...
> Subject: Re: [strongSwan] Struggling with Windows 7 IkeV2 - Error 13806
>
> Hello Stefan,
>
> I assume that both the Win 7 client and strongSwan host certificates are signed by the same CA and that you put
> the Root CA certificate into the /etc/ipsec.d/cacerts directory. Otherwise strongSwan will not
> include the Root CA in its cert request list and thus the Windows 7 client will not be able to find a matching
> machine certificate.
>
> Regards
>
> Andreas
>
> BTW - A strongSwan log file would help in debugging the problem
>       since all outgoing cert requests are logged.
>
> On 23.05.2011 15:59, Weber, Stefan (IT) wrote:
> > Dear all,
> >
> > I would like to connect to strongSwan with Windows 7 using IKEV2 and Machine Certificate. I followed the
> > instructions in the strongSwan Wiki but couldn't get it to work. When trying to connect I receive an error
> > 13806 telling me that Windows is not able to find a valid machine certificate.
> >
> > What I did so far:
> >
> > Imported my Root Certificate to the Computer Trusted Root Authorities.
> >
> > Create a certificate for my Windows 7 machine with KeyUsage
> > digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth,
> > serverAuth, SubjectAlternateName set to the
> > DNS:win7client.vpntest.local
> >
> > Exported the cert+private key as pkcs12 and imported to the Computers
> > - Personal Certificate Store. Windows 7 tells me that the certificate
> > is valid and trusted by my Root Certificate
> >
> > Create a certificate for my strongSwan Host with KeyUsage
> > digitalSignature and KeyEncipherment, extendedKeyUsage clientAuth,
> > serverAuth, SubjectAlternateName set to the DNS:strongswan.vpntest.local
> >
> > Set this certificate as leftcert in ipsec.conf. Configured its private
> > key in ipsec.secrets.
> >
> > DNS name resolution is working of course
> >
> > I also tried with certificates including IKEIntermediate in extendedKeyUsage.
> >
> > When starting strongSwan with --debug-all I see IKE sending cert request immediately followed by error
> > 13806 on the Windows Box.
> >
> > I hope anybody can help me out or lead me in the right direction.
> >
> > Thank you in advance,
> >
> > Stefan
> >
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at ...
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==


Hi Stefan,

   Did you solve this? I have the same problem and have been poring over strongswan logs, sniffer packets, etc. My strongswan gateway cert has the required extensions and there do not seem to be any errors as seen from the gateway logs. It is the win 7 client that is causing problems. And of course other than error 13806 "IKE authentication credentials are unacceptable" Windows does not give any further useful info.

Any info would be appreciated.

thanks,
Shanthi
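
The pattern in the charon log quoted in this thread (a cert request sent with the IKE_SA_INIT response, then the half-open IKE_SA deleted with no IKE_AUTH in between) can be pulled out of a longer gateway log mechanically. The following is an added example, not part of the original thread and not strongSwan code; the function name is hypothetical, the sample lines are copied from the log quoted above with its elision left intact, and it assumes one initiator at a time, as in that log.

```python
import re

# Lines copied from the charon log quoted in this thread (elision kept as-is).
SAMPLE_LOG = """\
12[NET] received packet: from 192.168.150.52[500] to 192.168.150.55[500]
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] 192.168.150.52 is initiating an IKE_SA
12[IKE] sending cert request for "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA, E=ca at ..."
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
12[NET] sending packet: from 192.168.150.55[500] to 192.168.150.52[500]
13[JOB] deleting half open IKE_SA after timeout
"""

# "NN[SUB] message", optionally behind mail quote markers ("> ").
LINE = re.compile(r"^(?:> ?)*(\d+)\[(\w+)\]\s+(.*)$")
INITIATING = re.compile(r"^(\S+) is initiating an IKE_SA")
CERTREQ = re.compile(r'^sending cert request for "(.*)"')

def find_stalled_handshakes(log_text):
    """Return one dict per IKE_SA_INIT exchange that timed out before IKE_AUTH.

    Hypothetical helper; assumes exchanges do not interleave in the log.
    """
    stalled, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _thread, subsystem, msg = m.groups()
        if subsystem == "IKE" and (peer := INITIATING.match(msg)):
            current = {"peer": peer.group(1), "cert_requests": [], "certreq_sent": False}
        elif current is None:
            continue
        elif subsystem == "IKE" and (ca := CERTREQ.match(msg)):
            current["cert_requests"].append(ca.group(1))  # CA DN offered to the client
        elif subsystem == "ENC" and msg.startswith("generating IKE_SA_INIT response"):
            current["certreq_sent"] = "CERTREQ" in msg
        elif subsystem == "ENC" and "IKE_AUTH" in msg:
            current = None  # client answered, so this exchange did not stall
        elif subsystem == "JOB" and "deleting half open IKE_SA" in msg:
            stalled.append(current)
            current = None
    return stalled

if __name__ == "__main__":
    for s in find_stalled_handshakes(SAMPLE_LOG):
        print(s["peer"], "never sent IKE_AUTH; CAs requested:", s["cert_requests"])
```

Each reported entry lists the CA distinguished names the gateway asked for, which is the value to compare against the issuer of the machine certificate installed on the client.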














