> I would like to connect to strongSwan with Windows 7 using IKEv2 and Machine
> Certificate. I followed the instructions in the strongSwan Wiki but couldn't
> get it to work. When trying to connect I receive an error 13806 telling me
> that Windows is not able to find a valid machine certificate.
>
> What I did so far:
>
> Imported my Root Certificate to the Computer Trusted Root Authorities.
>
> Created a certificate for my Windows 7 machine with
> KeyUsage digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth,
> serverAuth
> SubjectAlternateName set to the DNS:win7client.vpntest.local
>
> Exported the cert+private key as pkcs12 and imported it to the Computer's
> Personal Certificate Store. Windows 7 tells me that the certificate is valid
> and trusted by my Root Certificate.
>
> Created a certificate for my strongSwan host with
> KeyUsage digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth,
> serverAuth
> SubjectAlternateName set to the DNS:strongswan.vpntest.local
>
> Set this certificate as leftcert in ipsec.conf.
> Configured its private key in ipsec.secrets.
Your description seems correct, but it appears that the Win7 client is not
accepting the server certificate for some reason. A simple server certificate
that works fine for me with Win7 clients can be created with the strongSwan PKI
tool as follows:

    ipsec pki --gen --outform der > serverKey.der
    ipsec pki --pub --in serverKey.der | ipsec pki --issue --cacert caCert.der \
        --cakey caKey.der --dn "C=US, O=MyOrganization, CN=server" \
        --san "myvpn.myDynamicDNS.com" --flag serverAuth --outform der > serverCert.der

where caCert.der and caKey.der are your CA certificate file and CA key file
respectively.

You might also try the above with CN=1.2.3.4, where 1.2.3.4 is the IP address
of the server, and then omit the subjectAlternateName entirely (--san). The CN
can be set as the IP address or the DNS instead of setting a
subjectAlternateName.

-Lars

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
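As an added example (not from the list post or the strongSwan project), a shell script that builds throwaway self-signed certificates with openssl, standing in for `ipsec pki`, and checks a server certificate for the two properties the reply above relies on for a Windows 7 IKEv2 client: the serverAuth EKU and a SAN (or, with no SAN, a CN) equal to the name or IP the client dials. The helper names, the host names and the generated certificates are all constructed for this example.

```shell
#!/bin/sh
# Added example: openssl stands in for `ipsec pki` (which may not be installed).
# check_server_cert tests what Win7 needs from the strongSwan server cert:
# serverAuth in the EKU, and the dialed name in the SAN (or in the CN if no SAN).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# make_cert FILE CN EKU [SAN]: self-signed cert with the given extensions (constructed)
make_cert() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $3
${4:+subjectAltName = $4}
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/key.pem" \
        -out "$1" -config "$WORK/req.cnf" 2>/dev/null
}
# check_server_cert FILE NAME: exit 0 only if a Win7 client dialing NAME would accept it
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    # Windows rejects a server certificate whose EKU lacks serverAuth
    echo "$text" | grep -q "TLS Web Server Authentication" || return 1
    if echo "$text" | grep -q "Subject Alternative Name"; then
        # a SAN is present, so the dialed name must be listed in it
        echo "$text" | grep -Eq "(DNS|IP Address):$2(,|\$)" || return 2
    else
        # no SAN: the CN itself must be the dialed name (the CN=1.2.3.4 case above)
        echo "$text" | grep -Eq "Subject:.*CN ?= ?$2(,|\$)" || return 3
    fi
}
GOOD=$WORK/good.pem; BAD=$WORK/bad.pem; IPCERT=$WORK/ip.pem
make_cert "$GOOD" server serverAuth DNS:strongswan.vpntest.local
make_cert "$BAD" server clientAuth DNS:strongswan.vpntest.local   # wrong EKU
make_cert "$IPCERT" 1.2.3.4 serverAuth                           # CN is the IP, no SAN
for pair in "$GOOD strongswan.vpntest.local" "$GOOD other.vpntest.local" \
            "$BAD strongswan.vpntest.local" "$IPCERT 1.2.3.4"; do
    set -- $pair
    check_server_cert "$1" "$2" && echo "$1 for $2: usable" || echo "$1 for $2: rejected"
done
```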
