[strongSwan] Windows 10 authenticating with certificate fails

Yudi V yudi.tux at gmail.com
Tue Jan 17 14:10:00 CET 2017


Hi,

Error 13806
Authentication from a Windows 10 client fails when trying to use just
certificates, but with EAP-MSCHAPv2 it works fine.
Error 13806, "IKE failed to find valid machine certificate"

I followed the advice about the certificate needs for Windows.
All the keys are of type ecdsa:

server cert:
ipsec pki --pub --in serverKey.der --type ecdsa | ipsec pki --issue \
    --cacert caCert.der --cakey caKey.der --dn "O=xxx, CN=home1234.ddns.com" \
    --san "home1234.ddns.com" --flag serverAuth --flag ikeIntermediate \
    > serverCert.der

client cert:
ipsec pki --pub --in clientKey.der --type ecdsa | ipsec pki --issue \
    --cacert caCert.der --cakey caKey.der --dn "O=xxx, CN=client" \
    > clientCert.der

I converted the DER files to PEM and packaged them into a PKCS#12 file:

openssl pkcs12 -export -in clientCert.pem -name "client" -inkey clientKey.pem \
    -certfile caCert.pem -caname "xxx CA" -out clientCert.p12

The first time I imported the caCert.pem and clientCert.p12 files into the Windows
cert store I made a mistake and imported them into the current user account.
I deleted them and imported them into the "computer account",
and checked that it looks as in the last two screencaps at
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
It says "You have a private key that corresponds to this certificate."

The SAN and CN are the same for the server.

ipsec.conf settings are:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s

# Add connections here.


conn rw_pw                                       # this works
        left=%any
        leftsubnet=0.0.0.0/0,::0
        leftauth=pubkey
        leftcert=serverCert.der
        leftid=home1234.ddns.com
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=%dhcp
        rightdns=192.168.3.1
        eap_identity=%any
        auto=add

conn rw_cert                               # this fails
        left=%any
        leftsubnet=0.0.0.0/0,::0
        leftauth=pubkey
        leftcert=serverCert.der
        leftid=home1234.ddns.com
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightauth=pubkey
        rightcert=clientCert.pem
        rightsourceip=%dhcp
        rightdns=192.168.3.1
        auto=add


Any suggestions on how to fix this issue?

regards
Yudi
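As an added check that is not part of the post above: the script below builds a throwaway ECDSA CA and two gateway certificates with openssl, one shaped like the output of the "ipsec pki --issue" command in the post (SAN plus serverAuth and ikeIntermediate EKUs) and one signed without any extensions, and then verifies the three properties on each. It assumes openssl 1.1.1 or newer on PATH, the hostname home1234.ddns.com from the post and the prime256v1 curve (the post only says "ecdsa").

```shell
# Added example, not from the original post or from strongSwan: build test
# certificates and check what a Windows IKEv2 client expects on the gateway cert.
set -e
WORK=$(mktemp -d)
HOST="home1234.ddns.com"   # hostname taken from the post; replace with your own
CURVE=prime256v1           # assumed curve; the post only says "ecdsa"

gen_key() { openssl ecparam -name "$CURVE" -genkey -noout -out "$1"; }

make_test_certs() {
  gen_key "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/O=xxx/CN=xxx CA" \
    -days 1 -out "$WORK/ca.pem"
  gen_key "$WORK/server.key"
  openssl req -new -key "$WORK/server.key" -subj "/O=xxx/CN=$HOST" \
    -out "$WORK/server.csr"
  # Extensions equivalent to: --san HOST --flag serverAuth --flag ikeIntermediate
  # (ikeIntermediate has no openssl short name, so its OID is given directly).
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' \
    "$HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/server.ext" -out "$WORK/good.pem" 2>/dev/null
  # Same CSR signed with no extensions at all: no SAN, no EKU.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/bad.pem" 2>/dev/null
}

# check_gateway_cert CERT HOST: returns 0 only if CERT carries the serverAuth
# EKU, the ikeIntermediate EKU (1.3.6.1.5.5.8.2.2) and a DNS SAN equal to HOST;
# otherwise prints the first missing property and returns 1.
check_gateway_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'TLS Web Server Authentication' \
    || { echo "$1: missing serverAuth EKU"; return 1; }
  echo "$txt" | grep -Eq 'ikeIntermediate|1\.3\.6\.1\.5\.5\.8\.2\.2' \
    || { echo "$1: missing ikeIntermediate EKU"; return 1; }
  echo "$txt" | grep -q "DNS:$2" \
    || { echo "$1: SAN does not contain DNS:$2"; return 1; }
  echo "$1: ok"
}

make_test_certs
check_gateway_cert "$WORK/good.pem" "$HOST"
check_gateway_cert "$WORK/bad.pem" "$HOST" || true
```

To inspect a real gateway certificate, run the same check against it after converting DER to PEM with "openssl x509 -inform der -in serverCert.der -out serverCert.pem".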