[strongSwan] Can't get IKEv2 ECDSA client certs to work with Server2012/Windows10
Mark M
mark076h at yahoo.com
Fri Oct 16 09:11:16 CEST 2015
I am trying to get my Server 2012 and Windows 10 clients to connect to my strongswan server but ran into some trouble. I keep getting the Windows Error 13806: IKE failed to find a valid machine certificate. The output of my certificate is shown below. Is there a field I am missing? I thought I followed all of the Windows client certificate requirements.
This strongswan server works fine with Linux and Android clients. Are there still problems with ECDSA certificates in Windows Server 2012/10? I know Windows 7/2008 did not support it, but I figured it was fixed by now.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10171425542929775975 (0x8d2829a409a9fd67)
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7
        Validity
            Not Before: Oct 16 06:29:43 2015 GMT
            Not After : Oct 15 06:29:43 2016 GMT
        Subject: C=US, ST=MD, L=SELF, OU=SS, CN=SERVER2012.homelan.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:72:ea:85:84:5e:5c:c6:3a:6c:23:ff:cd:47:97:
                    7d:a7:d2:0a:4c:21:41:cf:5e:a3:1e:7c:2b:a3:7a:
                    5f:91:62:bf:8f:01:cc:6b:13:1e:d6:60:58:d5:10:
                    bd:60:f6:2a:00:c1:d2:46:5f:ea:75:b3:6e:24:6c:
                    16:97:5f:51:df:8d:bf:77:ef:92:f9:66:40:4a:44:
                    2c:25:4b:56:8b:48:93:86:d0:cb:0c:4f:e1:5a:95:
                    67:f8:bc:73:53:88:b6
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:192.168.1.43, DNS:192.168.1.7
    Signature Algorithm: ecdsa-with-SHA384
         30:66:02:31:00:ca:96:73:a0:a0:b5:28:2e:48:1b:9f:49:3a:
         bc:59:b0:de:ee:43:69:2a:dc:5f:3b:e4:62:64:54:9b:3d:97:
         c8:55:ef:34:2f:9d:b0:14:5b:c9:b3:08:93:2d:96:f0:8d:02:
         31:00:fb:ae:cd:c0:f5:48:16:4e:54:c8:53:55:ff:36:83:7e:
         a5:1f:68:0a:97:c4:86:ef:1c:15:3a:08:e1:8e:7d:eb:98:53:
         9d:88:b2:9d:02:f3:ea:ae:92:62:29:4d:bb:c4
Here is what I see in the strongswan logs:
12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[LIB] size of DH secret exponent: 1023 bits
12[IKE] sending cert request for "C=US, ST=MD, L=SELF, O=SSCA, OU=SS, CN=192.168.1.7"
12[NET] sending packet: from 192.168.1.7[500] to 192.168.1.10[500] (333 bytes)
04[NET] received packet: from 192.168.1.10[500] to 192.168.1.7[500] (40 bytes)
04[IKE] integrity check failed
04[IKE] INFORMATIONAL request with message ID 0 processing failed
08[JOB] deleting half open IKE_SA after timeout
09[JOB] deleting half open IKE_SA after timeout
Also to note is that this config does not work for Windows 2012/10 clients:
esp=aes256-sha384-ecp384!
ike=aes256-sha384-ecp384!
I have to allow it to negotiate or I get the following:
13[CFG] no acceptable ENCRYPTION_ALGORITHM found
13[CFG] selecting proposal:
13[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
13[CFG] selecting proposal:
13[CFG] no acceptable ENCRYPTION_ALGORITHM found
13[CFG] selecting proposal:
13[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
13[CFG] selecting proposal:
13[CFG] no acceptable ENCRYPTION_ALGORITHM found
13[CFG] selecting proposal:
13[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
13[IKE] received proposals inacceptable
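As an added example (not part of the post, and not strongSwan code), the following script checks the extension section of an `openssl x509 -text` dump against the server-certificate rules that Windows IKEv2 clients are assumed here to apply: a Server Authentication EKU, Digital Signature key usage, and a Subject Alternative Name equal to what the client dials, which must be an iPAddress SAN rather than a DNS entry when the client dials an IP address. The sample text is constructed from the certificate above with the hex key and signature omitted.

```python
import re

# Constructed sample: the extension section of an `openssl x509 -text` dump,
# modelled on the certificate posted above (hex key and signature omitted).
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:192.168.1.43, DNS:192.168.1.7
"""

def parse_extensions(text):
    """Map each 'X509v3 <name>:' header to the comma-separated values under it."""
    exts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*X509v3 (.+?):\s*(critical)?\s*$", line)
        if m:
            current = m.group(1)
            exts[current] = []
        elif current and line.strip():
            exts[current] += [v.strip() for v in line.split(",")]
    return exts

def check_ikev2_server_cert(text, dial_target):
    """Return the list of mismatches against the (assumed) Windows IKEv2 rules:
    Server Authentication EKU, Digital Signature key usage, and a SAN entry
    equal to what the client dials (an iPAddress SAN when it dials an IP)."""
    exts = parse_extensions(text)
    problems = []
    if "TLS Web Server Authentication" not in exts.get("Extended Key Usage", []):
        problems.append("EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)")
    if "Digital Signature" not in exts.get("Key Usage", []):
        problems.append("Key Usage lacks Digital Signature")
    san = exts.get("Subject Alternative Name", [])
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dial_target) is not None
    wanted = ("IP Address:" if is_ip else "DNS:") + dial_target
    if wanted not in san:
        problems.append(f"SAN has no entry {wanted!r}; found {san}")
    return problems

if __name__ == "__main__":
    # The posted cert lists its IPs as DNS names, so a client dialing
    # 192.168.1.7 finds no matching iPAddress SAN.
    for p in check_ikev2_server_cert(SAMPLE_TEXT, "192.168.1.7"):
        print("problem:", p)
```

Running it against a dump of the real certificate (`openssl x509 -in server.crt -noout -text`) with the address or hostname configured in the Windows VPN profile shows which of these assumed requirements the certificate misses; it does not check the client's machine certificate store, which is the other common cause of error 13806.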