Hi all, I’m trying to get Windows 10 clients connecting to our StrongSwan server with machine certificates (only), but I’m hitting a roadblock with the following error:
“Verifying username and password...IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.” Error in Windows Event Viewer is 13806, which appears to be pretty common, but despite looking at various sources, I cannot make it work. We’re using a PKI-as-a-service (SecureW2) for our certs and have placed intermediate and root CA certs into /etc/ipsec.d/cacerts, along with StrongSwan server’s cert in /etc/ipsec.d/certs and its private key in /etc/ipsec.d/private/. Server device cert has Server and Client authentication set for EKU and hostname.domain.com for CN and SAN. The Windows test device has its own cert in the machine store, along with CA intermediate and root certs in the appropriate cert stores. VPN connection is configured with PowerShell, and MachineCertificate set as authentication method and VPN address is hostname.domain.com which matches CN on StrongSwan device cert. Machine cert is hostname.domain.com for CN and SAN and has Client Authentication set for EKU. Events from /var/log/syslog: Nov 3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] to XXX.XXX.XXX.XXX [500] (344 bytes) Nov 3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ] Nov 3 16:40:18 swan charon: 07[CFG] looking for an ike config for XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXX Nov 3 16:40:18 swan charon: 07[CFG] candidate: %any...%any, prio 28 Nov 3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any with prio 28 Nov 3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID Nov 3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable vendor ID Nov 3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor ID Nov 3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02 Nov 3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA Nov 3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTING Nov 3 16:40:18 swan charon: 07[CFG] selecting proposal: Nov 3 16:40:18 swan charon: 07[CFG] proposal matches Nov 3 16:40:18 swan charon: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256 Nov 3 16:40:18 swan charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256 Nov 3 16:40:18 swan charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256 Nov 3 16:40:18 swan charon: 07[IKE] local host is behind NAT, sending keep alives Nov 3 16:40:18 swan charon: 07[IKE] remote host is behind NAT Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Root CA" Nov 3 16:40:18 swan charon: 07[IKE] sending cert request for "O=Org, CN=Org Device Intermediate CA" Nov 3 16:40:18 swan charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] Nov 3 16:40:18 swan charon: 07[NET] sending packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (293 bytes) Nov 3 16:40:18 swan charon: 09[NET] received packet: from XXX.XXX.XXX.XXX [500] to XXX.XXX.XXX.XXX [500] (344 bytes) Nov 3 16:40:18 swan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ] We have this setup working with macOS devices, so we know that the server is able to accept and establish connections. Many thanks in advance, Mike 3rd Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ P: 020 3422 0000 • M: 07763 230443 • E: [email protected] www.techahoy.com
