[strongSwan] user certificate could not be found via windows 7 vpn connect

Johannes jotpe.osm at gmail.com
Mon Aug 25 19:29:07 CEST 2014

Thanks for your reply. I could install a new generated pfx cert on the
win7 client, but the vpn connection manager doesn't accept my cert
again. Failure 798.

Now I recorded exactly what I did. Maybe the error is more fundamental.
#Linux server "hobbit" and the Win7 "klapperkiste" can ping each other

# gen key file for CA
ipsec pki --gen > /etc/ipsec.d/private/caKey.der

# create CA cert
ipsec pki --self --in /etc/ipsec.d/private/caKey.der --dn "D=DE, O=Heim,
CN=HCA" --ca > /etc/ipsec.d/cacerts/caCert.der

# Keyfile for Linux Server "hobbit"
ipsec pki --gen > /etc/ipsec.d/private/hobbitKey.der

# cert for Linux server "hobbit"
ipsec pki --pub --in /etc/ipsec.d/private/hobbitKey.der | ipsec pki
--issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey
/etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=hobbit" --san
"hobbit" --san "" --flag serverAuth --flag ikeIntermediate
> /etc/ipsec.d/certs/hobbitCert.der

# have a look, flag serverAuth ok, flag ikeIntermediate missing
ipsec pki --print --in /etc/ipsec.d/certs/hobbitCert.der
	cert:      X509
	subject:  "C=DE, O=Heim, CN=hobbit"
	issuer:   "C=DE, O=Heim, CN=HCA"
	validity:  not before Aug 25 12:16:18 2014, ok
	           not after  Aug 24 12:16:18 2017, ok (expires in 1094 days)
	serial:    00:e0:42:ee:03:d5:9f:ec:3c
	altNames:  hobbit,
	flags:     serverAuth
	authkeyId: 84:72:21:63:32:8e:08:cf:4f:23:6a:41:51:cb:c8:df:68:fd:34:74
	subjkeyId: 5d:9a:a9:b3:4a:93:26:7e:0d:9c:f1:d9:cf:70:a9:35:77:5d:f9:b7
	pubkey:    RSA 2048 bits
	keyid:     6f:10:c2:8b:1d:45:e5:a5:23:a8:a2:e9:9c:bf:16:60:78:d8:cf:f4
	subjkey:   5d:9a:a9:b3:4a:93:26:7e:0d:9c:f1:d9:cf:70:a9:35:77:5d:f9:b7

# gen key file for win7 "klapperkasten"
ipsec pki --gen --outform pem > /etc/ipsec.d/private/klapperkastenKey.pem

# create pubkey for win7 "klapperkasten"
ipsec pki --pub --in /etc/ipsec.d/private/klapperkastenKey.pem | ipsec
pki --issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey
/etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=klapperkasten"
--san klapperkasten --san "" --flag serverAuth --flag
ikeIntermediate --outform pem > /etc/ipsec.d/certs/klapperkastenCert.pem

#have a look, flag ikeIntermediate missing again
ipsec pki --print --in /etc/ipsec.d/certs/klapperkastenCert.pem
	cert:      X509
	subject:  "C=DE, O=Heim, CN=klapperkasten"
	issuer:   "C=DE, O=Heim, CN=HCA"
	validity:  not before Aug 25 13:50:17 2014, ok
	           not after  Aug 24 13:50:17 2017, ok (expires in 1094 days)
	serial:    3d:c6:a3:c9:3d:1c:27:19
	altNames:  klapperkasten,
	flags:     serverAuth
	authkeyId: 84:72:21:63:32:8e:08:cf:4f:23:6a:41:51:cb:c8:df:68:fd:34:74
	subjkeyId: c7:ed:ee:6c:ba:8e:27:7b:9d:d1:c6:ec:5a:5d:78:e6:42:a9:0b:27
	pubkey:    RSA 2048 bits
	keyid:     57:29:70:0f:5d:9b:e6:f8:44:80:98:28:d5:84:2d:ba:44:93:a8:ea
	subjkey:   c7:ed:ee:6c:ba:8e:27:7b:9d:d1:c6:ec:5a:5d:78:e6:42:a9:0b:27

#convert caCert.der in caCert.pem; preparing for next command
openssl x509 -inform der -in /etc/ipsec.d/cacerts/caCert.der -out

# don't know exactly if this is right, to make Win7 believe the
generated cert can be used as a X509 user certificate...
# merging them togehter to a pfx-certificate (with passphrase)
openssl pkcs12 -export -out klapperkasten.pfx -inkey
/etc/ipsec.d/private/klapperkastenKey.pem -in
/etc/ipsec.d/certs/klapperkastenCert.pem -certfile

cat /etc/ipsec.secrets
	: RSA hobbitKey.der

#ipsec.conf example from
cat /etc/ipsec.conf
	# ipsec.conf - strongSwan IPsec configuration file
	# basic configuration
	config setup
	conn win7

ipsec start
	Starting strongSwan 4.5.2 IPsec [starter]...

ipsec statusall
	Status of IKEv2 charon daemon (strongSwan 4.5.2):
	  uptime: 15 seconds, since Aug 25 13:57:14 2014
	  malloc: sbrk 270336, mmap 0, used 248128, free 22208
	  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
	  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
	Virtual IP pools (size/online/offline):
	  win7: 255/0/0
	Listening IP addresses:
	        win7:  %any...%any
	        win7:   local:  [C=DE, O=Heim, CN=hobbit] uses EAP_TLS
	        win7:    cert:  "C=DE, O=Heim, CN=hobbit"
	        win7:   remote: [%any] uses EAP_TLS authentication
	        win7:   child: === dynamic
	Security Associations:
I copied the caCert.der & klapperkasten.pfx to the Win7 client, please
look at the uploaded images at

Best regards

Am 22.08.2014 17:15, schrieb Michael O Holstein:
>> The import dialog sais, "imported correctly into own certs", but is
never shown in the cert manager.
> certmgmt.msc and attach to computer account .. this is where x509
certs for VPN connections need to be.
> also make sure you have SubjectAltName=FQDN of host.
> Regards,
> Michael Holstein
> Cleveland State University

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 551 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140825/756bdd07/attachment.pgp>

More information about the Users mailing list