Hi Andreas,
Yes I did, as far as I can tell. After importing the certificate file,
two certificates showed up in the "Certificates(Local
Computer)->personal->certificates" store. One is the "win71" certificate
and one is the "CA" certificate. I moved the "CA" certificate to the
"Trusted Root Certificate Authorities" by dragging and dropping the
certificate. When I double click the "win71" certificate, it shows
something like this:
Allows secure communication on the Internet
Ensures the identity of a remote computer
Proves your identity to a remote computer
Issued to: win71
Valid from 5/15/2012 to 5/15/2013
*You have a private key that corresponds to this certificate.
When I click on the "certificate path", it shows the path to the "CA"
certificate on the top of the dialog box and on the bottom it says
"this certificate is OK".
I compared the CA certificate on Win7 and the one on strongSwan.
They are the same CA certificate.
Just one note: I use ECDSA P_384 in the certificate. I don't think this
is a problem but just wanted to mention that to you.
Looking at the log file of strongSwan, it seems that strongSwan
hasn't had a chance to send the actual strongSwan certificate to Win7.
It only sent the "CA" certificate to Win7, and somehow Win7 couldn't
validate that CA cert?
Another note: The Win7 is without the Service Pack 1.
Thank you for your gracious help.
Best regards,
Todd
On 5/17/2012 1:45 AM, Andreas Steffen wrote:
Hello Todd,
did you pack the Windows 7 private key and matching X.509 certificate
together with the Root CA certificate into a PKCS#12 file (*.p12) and
import this file into the Local Computer part of the Windows registry
via the mmc? Does clicking on the imported Windows 7 certificate tell
you that it has a matching private key?
Regards
Andreas
On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
Dear all,
I would like to connect to strongSwan with Windows 7 using IKEv2 and
a machine certificate.
I followed the instructions in the strongSwan Wiki but couldn't get
it to work.
When trying to connect I receive an error 13806 telling me that
Windows is not able to find a valid machine certificate.
What I did so far:
- Created Root certificate, strongSwan certificate/private key, and
Windows 7 certificate/private key using OpenSSL.
- Imported the Windows 7 certificate and root Certificate to personal
store and Computer Trusted Root Authorities (Local computer)
respectively.
Windows 7 indicates the certificate is valid and can be traced to
the installed root certificate
- Strongswan certificates:
Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication,
TLS Web Client Authentication
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://192.168.5.204/ca.crl
- Windows 7 certificate:
Subject: C=US, ST=CA, O=mycompany, CN=win71
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication,
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:rras1.mycompany.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://192.168.5.204/ca.crl
strongSwan is running okay. "ipsec listcerts" indicates that the
private key and the certificate are both loaded correctly.
strongSwan log:
May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to 192.168.5.63[500]
May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
May 17 15:10:19 14[IKE] remote host is behind NAT
May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA"
May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to 192.168.5.204[52720]
Windows 7 is giving the Error 13806 message.
I even disabled the EKU checks according to
http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
and rebooted the Windows 7 machine; still the 13806 error message.
I would really appreciate some help.
Thank you and best regards,
Todd
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users