[strongSwan] Can't get IKEv2 ECDSA client certs to work with Server2012/Windows10

Mark M mark076h at yahoo.com
Fri Oct 16 09:11:16 CEST 2015


I am trying to get my Server 2012 and Windows 10 clients to connect to my strongswan server but ran into some trouble. I keep getting the Windows Error 13806: IKE failed to find a valid machine certificate. The output of my certificate is shown below. Is there a field I am missing? I thought I followed all of the Windows client certificate requirements.
This strongswan server works fine with Linux and Android clients. Are there still problems with ECDSA certificates in Windows Server 2012/10? I know Windows 7/2008 did not support it, but I figured it was fixed by now.
Certificate:
    Data:        Version: 3 (0x2)        Serial Number: 10171425542929775975 (0x8d2829a409a9fd67)    Signature Algorithm: ecdsa-with-SHA384        Issuer: C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7        Validity            Not Before: Oct 16 06:29:43 2015 GMT            Not After : Oct 15 06:29:43 2016 GMT        Subject: C=US, ST=MD, L=SELF, OU=SS, CN=SERVER2012.homelan.com        Subject Public Key Info:            Public Key Algorithm: id-ecPublicKey                Public-Key: (384 bit)                pub:                    04:72:ea:85:84:5e:5c:c6:3a:6c:23:ff:cd:47:97:                    7d:a7:d2:0a:4c:21:41:cf:5e:a3:1e:7c:2b:a3:7a:                    5f:91:62:bf:8f:01:cc:6b:13:1e:d6:60:58:d5:10:                    bd:60:f6:2a:00:c1:d2:46:5f:ea:75:b3:6e:24:6c:                    16:97:5f:51:df:8d:bf:77:ef:92:f9:66:40:4a:44:                    2c:25:4b:56:8b:48:93:86:d0:cb:0c:4f:e1:5a:95:                    67:f8:bc:73:53:88:b6                ASN1 OID: secp384r1        X509v3 extensions:            X509v3 Basic Constraints:                CA:FALSE            X509v3 Key Usage:                Digital Signature, Non Repudiation, Key Encipherment            X509v3 Extended Key Usage:                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication            X509v3 Subject Alternative Name:                DNS:192.168.1.43, DNS:192.168.1.7    Signature Algorithm: ecdsa-with-SHA384         30:66:02:31:00:ca:96:73:a0:a0:b5:28:2e:48:1b:9f:49:3a:         bc:59:b0:de:ee:43:69:2a:dc:5f:3b:e4:62:64:54:9b:3d:97:         c8:55:ef:34:2f:9d:b0:14:5b:c9:b3:08:93:2d:96:f0:8d:02:         31:00:fb:ae:cd:c0:f5:48:16:4e:54:c8:53:55:ff:36:83:7e:         a5:1f:68:0a:97:c4:86:ef:1c:15:3a:08:e1:8e:7d:eb:98:53:         9d:88:b2:9d:02:f3:ea:ae:92:62:29:4d:bb:c4

Here is what I see in the strongswan logs;

12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_102412[LIB] size of DH secret exponent: 1023 bits12[IKE] sending cert request for "C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"12[NET] sending packet: from 192.168.1.7[500] to 192.168.1.10[500] (333 bytes)04[NET] received packet: from 192.168.1.10[500] to 192.168.1.7[500] (40 bytes)04[IKE] integrity check failed04[IKE] INFORMATIONAL request with message ID 0 processing failed08[JOB] deleting half open IKE_SA after timeout09[JOB] deleting half open IKE_SA after timeout


Also to note is that this config does not work for Windows 2012/10 clients;

esp=aes256-sha384-ecp384!
ike=aes256-sha384-ecp384!
I have to allow the it to negotiate or I get the following
13[CFG]   no acceptable ENCRYPTION_ALGORITHM found13[CFG] selecting proposal:13[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found13[CFG] selecting proposal:13[CFG]   no acceptable ENCRYPTION_ALGORITHM found13[CFG] selecting proposal:13[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found13[CFG] selecting proposal:13[CFG]   no acceptable ENCRYPTION_ALGORITHM found13[CFG] selecting proposal:13[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_102413[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_38413[IKE] received proposals inacceptable



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151016/8ed69da3/attachment.html>


More information about the Users mailing list