[strongSwan] Can not create tunnel on Windows 10: no certificate with extensible authentication protocol found

Oliver Söder osoeder at gmx.de
Wed Feb 8 09:46:54 CET 2017

Hello, I followed this manual to set up IKEv2 VPN on Ubuntu 16.04:

I successfully established a tunnel on an Android device with the strongSwan
app and data can be transferred through the VPN server.

Now I am stuck at the Windows part (my client is Windows 10). When
following this manual ...
... something already looks different at this step:
"Double-clicking on the end entity certificate left in the Personal /
Certificates folder
shows that a corresponding private key is present in the registry:"

There is no remark about a matching private key in my case.
Furthermore there is no certificate trust path in the tab "Certification
Path". There is simply "strongSwan Root CA".

When I try to establish the tunnel on Windows 10, I get this message: "A
certificate could not be found that can be used with this Extensible
Authentication Protocol."

I signed the public key like this:

    ipsec pki --pub --in private/vpnHostKey.der --type rsa | \
      ipsec pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der \
        --dn "C=DE, O=Massivhaus, CN=<hostname>.com" \
        --san <hostname>.com --flag serverAuth --flag ikeIntermediate \
        --outform der > certs/vpnHostCert.der

I created the client certificate on the VPN server with this command:

    ipsec pki --pub --in private/JohnKey.der --type rsa | \
      ipsec pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der \
        --dn "C=DE, O=Massivhaus, CN=john@<hostname>.com" \
        --san "john@<hostname>.com" --outform der > certs/JohnCert.der

<hostname> is a placeholder for the real domain name, which I used.

My mind starts to go in circles; I have no idea what I did wrong. I know
Windows needs "--flag serverAuth", but it is there (checked with "ipsec pki
--print --in certs/vpnHostCert.der")!

Any help would be appreciated.
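
The two symptoms described in the message above (no private-key remark and no trust path in the certificate dialog) can be read directly from the Windows certificate store. The following PowerShell is an added example, not part of the original post; the store path and the function name Get-CertDiagnosis are assumptions chosen for illustration.

```powershell
# Assumption: the certificate was imported into the Local Computer "Personal" store.
# Pass -StorePath Cert:\CurrentUser\My if it was imported for the current user instead.
param([string]$StorePath = 'Cert:\LocalMachine\My')

# Hypothetical helper: reports key presence, chain result and EKUs for one certificate.
function Get-CertDiagnosis {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is switched off because a private CA often publishes no CRL.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        # Same information as the private-key remark in the certificate dialog
        HasPrivateKey = $Cert.HasPrivateKey
        # True only if a path to a trusted root could be built
        ChainTrusted  = $trusted
        ChainLength   = $chain.ChainElements.Count
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        EKU           = ($Cert.EnhancedKeyUsageList |
                            ForEach-Object { $_.FriendlyName }) -join ', '
        NotAfter      = $Cert.NotAfter
    }
}

Get-ChildItem -Path $StorePath |
    ForEach-Object { Get-CertDiagnosis -Cert $_ } |
    Format-List
```

HasPrivateKey reports what the certificate dialog shows as the private-key remark, and ChainStatus names the reason when no trust path to a root could be built.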