Hi Todd, your problem is that although the Microsoft Crypto API and the old IKEv1-based IPsec client support Elliptic Curve Cryptography, the Windows 7 IKEv2-based Agile VPN client doesn't. It just doesn't find ECDSA certificates. It seems that Windows 8 is going to offer ECC support, at least via the powershell command line.
Regards

Andreas

On 05/17/2012 02:55 PM, Tiebing Zhang wrote:
> Hi Andreas,
>
> Yes I did, as far as I can tell. After importing the certificate file,
> two certificates showed up in the "Certificates (Local
> Computer)->personal->certificates" store. One is the "win71" certificate
> and one is the "CA" certificate. I moved the "CA" certificate to the
> "Trusted Root Certificate Authorities" by dragging and dropping the
> certificate. When I double click the "win71" certificate, it shows
> something like this:
>
> Allows secure communication on the Internet
> Ensures the identity of a remote computer
> Proves your identity to a remote computer
>
> Issued to: win71
> Valid from 5/15/2012 to 5/15/2013
>
> *You have a private key that corresponds to this certificate.
>
> When I click on the "certificate path", it shows the path to the "CA"
> certificate on the top of the dialog box and on the bottom it says
> "this certificate is OK".
>
> I compared the CA certificate on the Win7 and the one on the StrongSwan.
> They are the same CA certificate.
>
> Just one note: I use ECDSA P_384 in the certificate. I don't think this
> is a problem but just wanted to mention that to you.
>
> Looking at the log file of the Strongswan, it seems like Strongswan
> hasn't got a chance to send the actual strongswan certificate to Win7.
> It only sent the "CA" certificate to Win7, and somehow Win7 couldn't
> validate that CA cert?
>
> Another note: The Win7 is without the Service Pack 1.
>
> Thank you for your gracious help.
>
> Best regards,
>
> Todd
>
> On 5/17/2012 1:45 AM, Andreas Steffen wrote:
>> Hello Todd,
>>
>> did you pack the Windows 7 private key and matching X.509 certificate
>> together with the Root CA certificate into a PKCS#12 file (*.p12) and
>> import this file into the Local Computer part of the Windows registry
>> via the mmc? Does clicking on the imported Windows 7 certificate tell
>> you that it has a matching private key?
>>
>> Regards
>>
>> Andreas
>>
>> On 05/17/2012 01:16 AM, Tiebing Zhang wrote:
>>> Dear all,
>>>
>>> I would like to connect to strongSwan with Windows 7 using IKEv2 and
>>> Machine Certificate.
>>> I followed the instructions in the strongSwan Wiki but couldn't get
>>> it to work.
>>> When trying to connect I receive an error 13806 telling me that
>>> Windows is not able to find a valid machine certificate.
>>>
>>> What I did so far:
>>>
>>> - Created Root certificate, StrongSwan Certificate/private key, and
>>>   Windows 7 certificate/private key using OpenSSL.
>>> - Imported the Windows 7 certificate and root Certificate to personal
>>>   store and Computer Trusted Root Authorities (Local computer)
>>>   respectively.
>>>   Windows 7 indicates the certificate is valid and can be traced to the
>>>   installed root certificate.
>>> - Strongswan certificates:
>>>   Subject: C=US, ST=CA, O=mycompany, CN=192.168.5.63
>>>   X509v3 extensions:
>>>     X509v3 Key Usage:
>>>       Digital Signature, Key Encipherment
>>>     X509v3 Extended Key Usage:
>>>       1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>>>     X509v3 Basic Constraints:
>>>       CA:FALSE
>>>     X509v3 CRL Distribution Points:
>>>       URI:http://192.168.5.204/ca.crl
>>>
>>> - Windows 7 certificate:
>>>   Subject: C=US, ST=CA, O=mycompany, CN=win71
>>>   X509v3 extensions:
>>>     X509v3 Key Usage:
>>>       Digital Signature, Key Encipherment
>>>     X509v3 Extended Key Usage:
>>>       1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication
>>>     X509v3 Subject Alternative Name:
>>>       DNS:rras1.mycompany.com
>>>     X509v3 Basic Constraints:
>>>       CA:FALSE
>>>     X509v3 CRL Distribution Points:
>>>       URI:http://192.168.5.204/ca.crl
>>>
>>> Strongswan is running okay. "ipsec listcerts" indicates that the
>>> private key and the certificate are both loaded correctly.
>>>
>>> Strongswan log:
>>> May 17 15:10:19 14[NET] received packet: from 192.168.5.204[52720] to 192.168.5.63[500]
>>> May 17 15:10:19 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> May 17 15:10:19 14[IKE] 192.168.5.204 is initiating an IKE_SA
>>> May 17 15:10:19 14[IKE] remote host is behind NAT
>>> May 17 15:10:19 14[IKE] sending cert request for "C=US, ST=CA, L=LA, O=mycompany, CN=mycompanyCA"
>>> May 17 15:10:19 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>>> May 17 15:10:19 14[NET] sending packet: from 192.168.5.63[500] to 192.168.5.204[52720]
>>>
>>> Windows 7 is giving the Error 13806 message.
>>>
>>> I even disabled the EKU checks according to
>>> http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq and
>>> rebooted the Windows 7 machine, still the 13806 error message.
>>>
>>> I would really appreciate some help.
>>>
>>> Thank you and best regards,
>>>
>>> Todd

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
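A diagnostic check for the conditions discussed in this thread, added here as an example and not part of the original mail or of strongSwan: it walks the Local Computer personal store on the Windows client and flags a certificate whose key is ECC (which, as Andreas explains, the Windows 7 IKEv2 client does not find), has no matching private key, or lacks both the IKE intermediate EKU 1.3.6.1.5.5.8.2.2 and server authentication; the EKU/SAN expectations are taken from the Win7CertReq wiki page referenced above, and the function name Test-Ikev2MachineCert is my own.

```powershell
# Added diagnostic (not from the thread or strongSwan). Run in an elevated
# PowerShell on the Windows client; inspects Cert:\LocalMachine\My only.
$ikeIntermediate = '1.3.6.1.5.5.8.2.2'   # EKU present in the thread's certificates
$serverAuth      = '1.3.6.1.5.5.7.3.1'   # TLS Web Server Authentication
$sanOid          = '2.5.29.17'           # subjectAltName extension
$ecPublicKeyOid  = '1.2.840.10045.2.1'   # id-ecPublicKey (ECDSA keys)

function Test-Ikev2MachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # The Windows 7 IKEv2 (Agile VPN) client does not find ECDSA certificates,
    # which surfaces as error 13806 even though mmc shows the cert as valid.
    if ($Cert.PublicKey.Oid.Value -eq $ecPublicKeyOid) {
        $problems += 'key is ECC (Windows 7 IKEv2 client cannot use it)'
    }
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no matching private key in the Local Computer store'
    }

    # Collect EKU OIDs; an empty list means the extension is absent.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $ikeIntermediate -and $ekuOids -notcontains $serverAuth) {
        $problems += "EKU has neither IKE intermediate ($ikeIntermediate) nor server auth"
    }

    # Report the SAN so it can be compared with the gateway identity used by the client.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($san) { $san.Format($false) } else { '(none)' }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        KeyAlgorithm  = $Cert.PublicKey.Oid.FriendlyName
        HasPrivateKey = $Cert.HasPrivateKey
        EKU           = ($ekuOids -join ', ')
        SAN           = $sanText
        Problems      = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-Ikev2MachineCert $_ } | Format-List
```

For the thread's case the win71 certificate would show HasPrivateKey true and the expected EKUs, with Problems reporting only the ECC key; reissuing it with an RSA key is the remedy the first message implies.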