Hello Todd,

did you pack the Windows 7 private key and matching X.509 certificate together with the Root CA certificate into a PKCS#12 file (*.p12) and import this file into the Local Computer part of the Windows registry via the mmc? Does clicking on the imported Windows 7 certificate tell you that it has a matching private key?
Regards
Andreas

On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
> Dear all,
>
> I would like to connect to strongSwan with Windows 7 using IKEv2 and Machine
> Certificate.
> I followed the instructions in the strongSwan Wiki but couldn't get it to
> work.
> When trying to connect I receive an error 13806 telling me that Windows is
> not able to find a valid machine certificate.
>
> What I did so far:
>
> - Created Root certificate, strongSwan certificate/private key, and Windows 7
>   certificate/private key using OpenSSL.
> - Imported the Windows 7 certificate and root certificate to the personal store
>   and Computer Trusted Root Authorities (Local computer) respectively.
>   Windows 7 indicates the certificate is valid and can be traced to the
>   installed root certificate.
> - strongSwan certificate:
>       Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
>       X509v3 extensions:
>           X509v3 Key Usage:
>               Digital Signature, Key Encipherment
>           X509v3 Extended Key Usage:
>               1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>           X509v3 Basic Constraints:
>               CA:FALSE
>           X509v3 CRL Distribution Points:
>               URI:http://192.168.5.204/ca.crl
>
> - Windows 7 certificate:
>       Subject: C=US, ST=CA, O=mycompany, CN=win71
>       X509v3 extensions:
>           X509v3 Key Usage:
>               Digital Signature, Key Encipherment
>           X509v3 Extended Key Usage:
>               1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>           X509v3 Subject Alternative Name:
>               DNS:rras1.mycompany.com
>           X509v3 Basic Constraints:
>               CA:FALSE
>           X509v3 CRL Distribution Points:
>               URI:http://192.168.5.204/ca.crl
>
> strongSwan is running okay. "ipsec listcerts" indicates that the private key
> and the certificate are both loaded correctly.
>
> strongSwan log:
> May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to 192.168.5.63[500]
> May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
> May 17 15:10:19 14[IKE] remote host is behind NAT
> May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA"
> May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to 192.168.5.204[52720]
>
> Windows 7 is giving the Error 13806 message.
>
> I even disabled the EKU checks according to
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq and rebooted
> the Windows 7 machine, still the 13806 error message.
>
> I would really appreciate some help.
>
> Thank you and best regards,
>
> Todd

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
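An added example, not code from this thread or from the strongSwan project, of the import-and-verify step Andreas describes, done from an elevated PowerShell prompt on the Windows 7 client instead of clicking through the mmc. It assumes the PKCS#12 bundle was built on the strongSwan host with `openssl pkcs12 -export -in win71Cert.pem -inkey win71Key.pem -certfile caCert.pem -out win71.p12`; the file names, paths and export password below are assumptions.

```powershell
# Added example (not from the thread or strongSwan): import the Windows 7 machine
# certificate bundle into the Local Computer store and check the properties that
# error 13806 depends on. Run as Administrator. Paths and password are assumed.
$PfxPath = 'C:\certs\win71.p12'    # assumed: PKCS#12 with key, cert and Root CA cert
$PfxPass = 'changeit'              # assumed export password
$CaPath  = 'C:\certs\caCert.pem'   # assumed: the Root CA certificate (PEM or DER)

# MachineKeySet stores the private key in the machine key container. Without it the
# key lands in the importing user's profile, where the IKE service (running as the
# computer account) cannot see it and the mmc shows no "You have a private key" line.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPass, $flags
$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath

function Add-ToLocalMachineStore {
    param([string]$StoreName,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($Certificate)
    $store.Close()
}
Add-ToLocalMachineStore 'My'   $cert   # Certificates (Local Computer) > Personal
Add-ToLocalMachineStore 'Root' $ca     # Certificates (Local Computer) > Trusted Root Certification Authorities

# Re-read the certificate from the store so the checks see what the IKE service sees.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$installed = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false) | Select-Object -First 1
$store.Close()

# Check 1: the equivalent of the mmc line "You have a private key that corresponds to this certificate".
if (-not $installed.HasPrivateKey) {
    throw "No private key is bound to '$($installed.Subject)'. Rebuild the PKCS#12 with the matching -inkey."
}

# Check 2: the chain must build to the imported Root CA for the machine account.
# Revocation is skipped here because the CRL URI in the certificates is on the VPN LAN.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($installed)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "'$($installed.Subject)' does not chain to a trusted root in the Local Computer store."
}
'Chain: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')

# Check 3: print the Extended Key Usage so it can be compared with the Win7CertReq wiki page.
$eku = $installed.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) {
    $eku.EnhancedKeyUsages | ForEach-Object { "EKU: $($_.FriendlyName) ($($_.Value))" }
} else {
    'EKU: none (any purpose)'
}
```

If Check 1 fails the bundle was exported without the key that belongs to the certificate (or imported into the current user's store rather than the Local Computer store); if Check 2 fails the Root CA certificate is missing from the Local Computer Trusted Root Certification Authorities store. Both conditions leave Windows without a usable machine certificate, which is what the 13806 message reports.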