Dear all,

I'm currently trying to connect some of my computers running Windows 7 over a VPN to a server-based LAN made to host some websites. strongSwan (installed on a Debian Linux machine) is used as an IKEv2 IPsec/L2TP server, and so far I haven't managed to create good certificates that comply with the Windows 7 validation rules.

In practice, the problem appears under the "Error 13806" label. Even though we can find many testimonials about this error, I can't find where mine is located, which only adds to the feeling of misunderstanding. I'll try my best to describe my configuration and the path that led me to the current situation.

First of all, I've created a self-signed root CA (private key + certificate) with OpenSSL and put the CA cert both in the directory /etc/ipsec.d/cacerts and in my Windows client computer's certificate store (without any errors; both the CA and the cert are OK). I've built a whole PKI including a 4096-bit RSA private key and a .pem certificate with the following considerations, using the previous root CA to sign it. By adding these EKUs, I thought I'd be compliant with the W7 validation rules:

  Server Authentication (1.6.6.1.5.5.7.3.1)
  Intermediate IKE IP Security (1.3.6.1.5.5.8.2.2)
  End-chain IP security (1.3.6.1.5.5.7.3.5)
  IP Security user (1.3.6.1.5.5.7.3.7)

According to a link I found on the strongSwan wiki, I've added these key usages: Digital Signature and Key Encipherment. The subjectAltName is set to DNS:my.fqdn.dns.name too.

Despite this, my OpenSSL certificate refuses to be selected in a relevant way by the W7 VPN client. A previous mail posted on the list indicates some ipsec ike commands to produce certificates in another way: https://lists.strongswan.org/pipermail/users/2011-May/006214.html But it is still without success.

Here is my /etc/ipsec.conf file:

  # ipsec.conf - strongSwan IPsec configuration file

  config setup
      plutostart=no
      charonstart=yes
      nat_traversal=yes

  conn L2TP-PSK-NAT
      rightsubnet=vhost:%priv
      also=win7

  conn %default
      keyexchange=ikev2
      ike=aes256-sha1-modp1024!
      esp=aes256-sha1!
      dpdaction=clear
      dpddelay=300s
      rekey=no

  conn win7
      left=%any
      leftsubnet=10.100.100.0/24
      leftauth=pubkey
      leftcert=/path/to/my/certificateAuthority/serverCert.der
      [email protected]
      leftfirewall=yes
      leftprotoport=17/1701
      right=%any
      rightsourceip=10.100.200.0/24
      rightauth=eap-mschapv2
      rightsendcert=never
      rightprotoport=17/1701
      eap_identity=%any
      auto=add
      pfs=no

And my charon logs (startup + connection attempt):

  Jan 24 00:35:07 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
  Jan 24 00:35:07 00[KNL] listening on interfaces:
  Jan 24 00:35:07 00[KNL]   eth0
  Jan 24 00:35:07 00[KNL]     IP
  Jan 24 00:35:07 00[KNL]     IP6
  Jan 24 00:35:07 00[KNL]   eth1
  Jan 24 00:35:07 00[KNL]     LAN_IP
  Jan 24 00:35:07 00[KNL]     LAN_IP6
  Jan 24 00:35:07 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
  Jan 24 00:35:07 00[CFG]   loaded ca certificate "C=FR, ST=IDF, L=Paris, O=STC Systems, OU=DSI, CN=STC Systems" from '/etc/ipsec.d/cacerts/CA.pem'
  Jan 24 00:35:07 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
  Jan 24 00:35:07 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
  Jan 24 00:35:07 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
  Jan 24 00:35:07 00[CFG] loading crls from '/etc/ipsec.d/crls'
  Jan 24 00:35:07 00[CFG] loading secrets from '/etc/ipsec.secrets'
  Jan 24 00:35:07 00[CFG]   loaded RSA private key from '/path/to/my/certificate/authority/serverKey.der'
  Jan 24 00:35:07 00[CFG]   loaded EAP secret for user
  Jan 24 00:35:07 00[CFG] sql plugin: database URI not set
  Jan 24 00:35:07 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
  Jan 24 00:35:07 00[CFG] loaded 0 RADIUS server configurations
  Jan 24 00:35:07 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
  Jan 24 00:35:07 00[CFG] mediation client database URI not defined, skipped
  Jan 24 00:35:07 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
  Jan 24 00:35:07 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
  Jan 24 00:35:07 00[CFG] HA config misses local/remote address
  Jan 24 00:35:07 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
  Jan 24 00:35:07 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
  Jan 24 00:35:07 00[JOB] spawning 16 worker threads
  Jan 24 00:35:07 04[CFG] received stroke: add connection 'L2TP-PSK-NAT'
  Jan 24 00:35:07 04[CFG] left nor right host is our side, assuming left=local
  Jan 24 00:35:07 04[CFG]   loaded certificate "C=FR, O=STC Systems, CN=my.fqdn.dns.name" from '/home/lacombef/stcCA/SS/serverCert.der'
  Jan 24 00:35:07 04[CFG] added configuration 'L2TP-PSK-NAT'
  Jan 24 00:35:07 04[CFG] adding virtual IP address pool 'L2TP-PSK-NAT': 10.100.200.0/32
  Jan 24 00:35:07 09[CFG] received stroke: add connection 'win7'
  Jan 24 00:35:07 09[CFG] left nor right host is our side, assuming left=local
  Jan 24 00:35:07 09[CFG]   loaded certificate "C=FR, O=STC Systems, CN=my.fqdn.dns.name" from '/path/to/my/certificate/authority/serverCert.der'
  Jan 24 00:35:07 09[CFG] added configuration 'win7'
  Jan 24 00:35:07 09[CFG] adding virtual IP address pool 'win7': 10.100.200.0/24
  Jan 24 00:40:15 12[NET] received packet: from client_IP[500] to IP[500]
  Jan 24 00:40:15 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
  Jan 24 00:40:15 12[IKE] client_IP is initiating an IKE_SA
  Jan 24 00:40:15 12[IKE] remote host is behind NAT
  Jan 24 00:40:15 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
  Jan 24 00:40:15 12[NET] sending packet: from IP[500] to client_IP[500]
  Jan 24 00:40:45 13[JOB] deleting half open IKE_SA after timeout

Can someone help solve this issue and stop this 13806 error from popping up on my screen?

Thanks a lot in advance.

François

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
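Added example, not part of François's mail and not strongSwan project code: a POSIX shell script that uses OpenSSL to build a throwaway root CA and an IKEv2 server certificate carrying the extensions Windows 7 looks for when it validates a VPN server, namely the hostname in subjectAltName, keyUsage digitalSignature plus keyEncipherment, and the Server Authentication EKU (whose OID is 1.3.6.1.5.5.7.3.1) together with IKE Intermediate (1.3.6.1.5.5.8.2.2). It then runs a check function over the result and over a deliberately incomplete certificate, so the missing-SAN and missing-EKU failure modes are visible before anything is copied to /etc/ipsec.d. The working directory, organisation name and the hostname vpn.example.test are constructed placeholders; the script assumes openssl is on PATH. Note that in the charon log above the server answers IKE_SA_INIT and then deletes the half-open IKE_SA after a timeout, so the client never sent IKE_AUTH and the server certificate was never transmitted; a certificate the server cannot even present cannot be the thing the client rejected, which is why checking the certificate offline, as below, is a cheaper first step than tracing the exchange.

```shell
#!/bin/sh
# Added example (not from the original mail): build a test CA and an IKEv2
# server certificate with OpenSSL, then verify the properties Windows 7 checks.
# All names and paths here are constructed placeholders.
set -eu

# build_pki DIR FQDN: writes ca.pem, server.pem (complete extensions) and
# server-bad.pem (same key and CSR, but no SAN and no EKU) into DIR.
# 2048-bit keys keep generation quick; the 4096-bit keys from the mail work the same way.
build_pki() {
  dir=$1; fqdn=$2
  mkdir -p "$dir"

  # Root CA: self-signed, CA:TRUE, allowed to sign certificates and CRLs.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj "/O=Example Org/CN=Example Root CA" 2>/dev/null
  printf '%s\n' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

  # Server key and CSR. The CN carries the FQDN, but clients match the SAN.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/O=Example Org/CN=$fqdn" 2>/dev/null

  # Extensions for the IKEv2 server certificate:
  #   keyUsage         digitalSignature, keyEncipherment
  #   extendedKeyUsage serverAuth (1.3.6.1.5.5.7.3.1) and IKE Intermediate (1.3.6.1.5.5.8.2.2)
  #   subjectAltName   the DNS name clients type into the VPN dialog
  printf '%s\n' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2' \
    "subjectAltName = DNS:$fqdn" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null

  # Counter-example: the same CSR signed with only basicConstraints, so the
  # chain is valid but SAN, key usage and EKU are all absent.
  printf '%s\n' 'basicConstraints = CA:FALSE' > "$dir/bad.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/bad.ext" -out "$dir/server-bad.pem" 2>/dev/null
}

# check_ikev2_cert CERT CA FQDN: returns 0 only if the chain validates against CA
# and the certificate carries the SAN, key usage and serverAuth EKU that Windows
# 7 requires; every missing property is reported on stdout.
check_ikev2_cert() {
  cert=$1; ca=$2; fqdn=$3; ok=0
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL chain: $cert does not validate against $ca"; ok=1
  fi
  text=$(openssl x509 -in "$cert" -noout -text)
  # openssl prints serverAuth as "TLS Web Server Authentication" and key usage bits by name.
  for want in "DNS:$fqdn" "TLS Web Server Authentication" "Digital Signature" "Key Encipherment"; do
    case $text in
      *"$want"*) ;;
      *) echo "FAIL missing: $want"; ok=1 ;;
    esac
  done
  # IKE Intermediate is reported but not required here; OpenSSL prints the OID in dotted form.
  case $text in
    *1.3.6.1.5.5.8.2.2*) ;;
    *) echo "NOTE: no IKE Intermediate EKU (1.3.6.1.5.5.8.2.2) in $cert" ;;
  esac
  [ "$ok" -eq 0 ] && echo "OK $cert"
  return "$ok"
}

# Demo run into a scratch directory.
WORK=$(mktemp -d)
FQDN=vpn.example.test          # placeholder: use the name clients connect to
build_pki "$WORK" "$FQDN"
check_ikev2_cert "$WORK/server.pem" "$WORK/ca.pem" "$FQDN"
check_ikev2_cert "$WORK/server-bad.pem" "$WORK/ca.pem" "$FQDN" || true
```

Run the same check_ikev2_cert function against the real server certificate and CA with the FQDN the Windows clients use; a certificate that passes here but is still rejected points the investigation at the client side (which name it dials, which store the CA landed in) rather than at the certificate's extensions.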
