
I've installed strongSwan VPN on my Ubuntu server and set up certificate authentication. I've set up my Android phone and it works fine, but the connection didn't get established on the Windows machine. I copied the CA cert into the root CA store and the client certificate into the personal store, but I get error 13806 (wrong certificate). What am I doing wrong?

/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        uniqueids = no
        charondebug="ike 4"

include /var/lib/strongswan/ipsec.conf.inc

conn %default
        dpdaction=clear
        dpddelay=35s
        dpdtimeout=300s

        fragmentation=yes
        rekey=no

        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024

        esp=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        # left - local (server) side
        left=%any
        leftauth=pubkey
        leftcert=server.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0,::/0

        # right - remote (client) side
        right=%any
        rightauth=pubkey
        rightsourceip=192.168.103.0/24,2002:25f7:7489:3::/112
        rightdns=8.8.8.8,2001:4860:4860::8888

conn ikev2-pubkey
        keyexchange=ikev2
        auto=add

conn ikev2-pubkey-osx
        also="ikev2-pubkey"
        leftid=ip_address_server

/etc/ipsec.secrets

: RSA server.key

server-cert

  subject:  "CN=domain_name"
  issuer:   "CN=IPsec CA"
  validity:  not before Apr 18 10:07:00 2022, ok
             not after  Apr 02 10:07:00 2025, ok (expires in 1079 days)
  serial:    a9:e3:a4:
  altNames:  ip_address_server
  flags:     serverAuth
  authkeyId: 13:f8:f0:
  subjkeyId: 5a:a8:11:
  pubkey:    RSA 2048 bits, has private key

client-cert

  subject:  "CN=client"
  issuer:   "CN=IPsec CA"
  validity:  not before Apr 18 10:07:19 2022, ok
             not after  Apr 02 10:07:19 2025, ok (expires in 1079 days)
  serial:    4c:e2:46:09:81:87:14:60:96:79:cf:bb:d6:62:13:68
  altNames:  client
  flags:     clientAuth

and that's the log:

09[IKE] sending cert request for "CN=IPsec CA"
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
09[NET] sending packet: from server_ip[500] to client_ip[500] (353 bytes)
07[NET] received packet: from client_ip[500] to server_ip[500] (40 bytes)
07[ENC] payload type NOTIFY was not encrypted
07[ENC] could not decrypt payloads
07[IKE] integrity check failed
07[IKE] INFORMATIONAL request with message ID 0 processing failed

As you can see, I set the IP address as a SAN in the server certificate, because I connect over the IP address. But it still doesn't work.

1 Answer

Sounds like you installed the certificates and key into the wrong keystore. For authentication via regular IKEv2 certificate authentication, you have to install them into the Local Machine store. The user-specific store is only used when authenticating via EAP-TLS (and only for the client certificate/key, the CA certificate still has to be installed in the Local Machine store).

  • No, I installed the certificates into the right store: the Root CA into "trusted root certification authorities" of the local computer, and the client certificate into the personal store of the local computer. I think maybe I made a mistake in the certificate's additional parameters, like SAN. It is described in more detail link here, but I do not understand what else I should specify besides SAN. Commented Apr 21, 2022 at 10:42
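An added check (not code from the question or answer) that audits, from an elevated PowerShell prompt on the Windows client, whether the certificates sit in the stores the answer names and carry what IKEv2 machine-certificate authentication expects. It assumes the subjects from the question, "CN=IPsec CA" for the CA and "CN=client" for the client certificate.

```powershell
# Assumed subjects, taken from the question's certificate listing.
$caSubject     = 'CN=IPsec CA'
$clientSubject = 'CN=client'

function Get-SanText([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # OID 2.5.29.17 is Subject Alternative Name; Format() renders it readably.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) { $ext.Format($false) } else { '<no SAN extension>' }
}

# 1. The CA must be in the machine-wide trusted root store, not the user's.
$caMachine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $caSubject }
$caUser    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Subject -eq $caSubject }
if ($caMachine)  { "OK   CA present in LocalMachine\Root" }
elseif ($caUser) { "FAIL CA only in CurrentUser\Root; IKEv2 machine auth does not look there" }
else             { "FAIL CA not installed in any Root store" }

# 2. The client certificate must be in LocalMachine\My, with its private key.
$client = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $clientSubject }
if (-not $client) {
    $inUser = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $clientSubject }
    if ($inUser) { "FAIL client cert only in CurrentUser\My (that store is for EAP-TLS user certs)" }
    else         { "FAIL client cert not installed" }
}
foreach ($c in $client) {
    "Thumbprint {0}, issuer '{1}'" -f $c.Thumbprint, $c.Issuer
    if ($c.HasPrivateKey) { "OK   private key bound to certificate" }
    else                  { "FAIL no private key; import the PKCS#12, not just the .crt" }

    # 3. Extended Key Usage: 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth.
    $ekuExt = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @(); if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekus -contains '1.3.6.1.5.5.7.3.2') { "OK   clientAuth EKU present" }
    else                                     { "FAIL clientAuth EKU missing (found: $($ekus -join ', '))" }

    "SAN: " + (Get-SanText $c)

    # 4. Does a chain build to the CA? Build() uses the default chain engine, which
    # also sees user stores, so this confirms trust only; the store checks above decide.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($c)) { "OK   chain builds to '$($chain.ChainElements[-1].Certificate.Subject)'" }
    else { "FAIL chain: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ') }
}
```

Run it as Administrator so the LocalMachine stores are readable; any FAIL line maps directly to the store or certificate-attribute problem discussed in the answer.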
