Hello Andreas,

Yes, that is the case. Here is the debug log I got:

Maybe it would help if I knew how I could debug the Windows 7 side of the process. Unfortunately I couldn't find any information on where Windows 7 is logging or how I could enable logging there :-(

00[JOB] spawning 16 worker threads
charon (1923) started after 100 ms
07[CFG] received stroke: add connection 'win7'
07[CFG] left nor right host is our side, assuming left=local
07[CFG] loaded certificate "C=DE, O=MyOrg, OU=Test, CN=strongswan.vpntest.local" from 'vpnserver.crt.pem'
07[CFG] added configuration 'win7'
07[CFG] adding virtual IP address pool 'win7': 10.10.3.0/24
loading ca certificates from '/etc/ipsec.d/cacerts'
loaded ca certificate from '/etc/ipsec.d/cacerts/vpntestrootca.crt.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
loading attribute certificates from '/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0 192.168.150.55:500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key from 'vpnserver.key.pem'
no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
connection must specify host IP address for our side
12[NET] received packet: from 192.168.150.52[500] to 192.168.150.55[500]
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] 192.168.150.52 is initiating an IKE_SA
12[IKE] sending cert request for "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA, [email protected]"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
12[NET] sending packet: from 192.168.150.55[500] to 192.168.150.52[500]
13[JOB] deleting half open IKE_SA after timeout

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Monday, 23 May 2011 16:43
To: Weber, Stefan (IT)
Cc: [email protected]
Subject: Re: [strongSwan] Struggling with Windows 7 IkeV2 - Error 13806

Hello Stefan,

I assume that both the Win 7 client and strongSwan host certificates are signed by the same CA and that you put the Root CA certificate into the /etc/ipsec.d/cacerts directory. Otherwise strongSwan will not include the Root CA in its cert request list and thus the Windows 7 client will not be able to find a matching machine certificate.

Regards

Andreas

BTW - A strongSwan log file would help in debugging the problem since all outgoing cert requests are logged.

On 23.05.2011 15:59, Weber, Stefan (IT) wrote:
> Dear all,
>
> I would like to connect to strongSwan with Windows 7 using IKEv2 and Machine
> Certificate. I followed the instructions in the strongSwan Wiki but couldn't
> get it to work. When trying to connect I receive an error 13806 telling me
> that Windows is not able to find a valid machine certificate.
>
> What I did so far:
>
> Imported my Root Certificate to the Computer Trusted Root Authorities.
>
> Created a certificate for my Windows 7 machine with KeyUsage
> digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth,
> serverAuth, SubjectAlternateName set to
> DNS:win7client.vpntest.local
>
> Exported the cert+private key as pkcs12 and imported it to the Computer's
> Personal Certificate Store. Windows 7 tells me that the certificate
> is valid and trusted by my Root Certificate.
>
> Created a certificate for my strongSwan host with KeyUsage
> digitalSignature and KeyEncipherment, ExtendedKeyUsage clientAuth,
> serverAuth, SubjectAlternateName set to DNS:strongswan.vpntest.local
>
> Set this certificate as leftcert in ipsec.conf. Configured its private
> key in ipsec.secrets.
>
> DNS name resolution is working of course ;-)
>
> I also tried with certificates including IKEIntermediate in extendedKeyUsage.
>
> When starting strongSwan with --debug-all I see IKE sending the cert request,
> immediately followed by error 13806 on the Windows box.
>
> I hope anybody can help me out or lead me in the right direction.
>
> Thank you in advance,
>
> Stefan

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
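
The server-side check discussed in this thread (does the client certificate's issuing CA appear in strongSwan's logged cert requests, and did the client ever proceed to IKE_AUTH), as an added example that is not part of the original messages. The function names and the shortened CA DN in the sample are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the thread
# (the CA DN is shortened; substitute the subject DN of your own Root CA).
SAMPLE_LOG = """\
12[NET] received packet: from 192.168.150.52[500] to 192.168.150.55[500]
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[IKE] 192.168.150.52 is initiating an IKE_SA
12[IKE] sending cert request for "C=DE, O=MyOrg, OU=RootCA, CN=VPNTest ROOT CA"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
12[NET] sending packet: from 192.168.150.55[500] to 192.168.150.52[500]
13[JOB] deleting half open IKE_SA after timeout
"""

INITIATING = re.compile(r"\[IKE\] (\S+) is initiating an IKE_SA")
CERTREQ = re.compile(r'\[IKE\] sending cert request for "([^"]+)"')
IKE_AUTH = re.compile(r"\[ENC\] parsed IKE_AUTH request")
HALF_OPEN = "deleting half open IKE_SA after timeout"


def normalize_dn(dn):
    """Compare DNs ignoring case and spacing (no escaped-comma handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def triage(log_text, client_issuer_dn):
    """Summarise each IKE_SA_INIT attempt; lines are attributed to the
    most recent initiating peer, which is a simplification."""
    want = normalize_dn(client_issuer_dn)
    attempts, current = [], None
    for line in log_text.splitlines():
        started = INITIATING.search(line)
        certreq = CERTREQ.search(line)
        if started:
            current = {"peer": started.group(1), "requested_cas": [],
                       "issuer_requested": False, "ike_auth_seen": False,
                       "half_open_timeout": False}
            attempts.append(current)
        elif current is None:
            continue
        elif certreq:
            current["requested_cas"].append(certreq.group(1))
            current["issuer_requested"] |= normalize_dn(certreq.group(1)) == want
        elif IKE_AUTH.search(line):
            current["ike_auth_seen"] = True
        elif HALF_OPEN in line:
            current["half_open_timeout"] = True
    return attempts
```

An attempt with `issuer_requested` true, `ike_auth_seen` false and `half_open_timeout` true means the server asked for the right CA and the client never answered, which points the investigation at the client's certificate selection rather than at the cacerts directory.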
