Comments on Journey of Life: Windows 7 IKEv2 with StrongSwan Certificate Generation Guide
(comment feed, last updated 2024-03-11; 17 comments, newest first)

gVPN.app (2018-03-20 00:59):
I have been caught in this problem for a very long time. Thanks a lot for your splendid blog! Good articles on this topic are rare. I followed your step-by-step guide, and finally my problem is fixed!!! Thanks again.

Anonymous (2016-08-01 03:05):
Hello, do you mean your old configuration is always working on Win10? I'm stuck with a strange error (Invalid Token 0x80090308), but Google reports that this error can be displayed instead of the Error 13806. But the configuration given in this article worked well on Win 7 and Win 8.1, and not on Win10, so I would like to know if there is any change to make on the certificates for Win10 or in the strongSwan config file? Thank you.

Anonymous (2016-08-01 03:02):
Hello, do you mean your old configuration is always working on Win10?
(I am stuck with this setup that has worked on Win7 and Win8.1, but Win10 is giving me a strange error 0x80090308 Invalid Token, but Google reports that this message can be reported instead of the Error 13806.)

Anonymous (2016-07-20 07:48):
Thank you for the quick response. It appears this was just a blunder on my part:
The existing setup was old enough to still be using 1024-bit RSA keys (which Microsoft apparently no longer accepts*), and when I generated a new CA I managed to overlook the "basicConstraints=CA:FALSE" in openssl.conf and made me a dud CA certificate.
* According to TechNet cc751157, which I saw cited in this context, it seems that support for the SHA-1 digest algorithm is being phased out in favor of SHA-2 as well, so this could become another pitfall in the near future.

Tiebing (2016-07-19 11:30):
Sorry, I have not tried this on a Windows 10 computer.

Anonymous (2016-07-19 07:55):
Sorry for commenting on such an old entry of your blog, but did you happen to have to update this config for a Windows 10 system in the meantime?
I'm currently stuck with a strongSwan setup that has worked for years with Windows 7 clients, but Win10 is giving me error 13806 (and all the discussion threads I could find either die out unresolved or link to your blog entry).
Thanks
Martin

Unknown (2014-06-22 10:41):
Hi,
I am stuck in this:
ipsec pki --gen --type rsa --size $bits --outform pem > ca.key
No response is coming after it. Can you advise?

Anonymous (2013-06-06 09:17):
Hi, I try this and it works fine when I generate the certificates using ipsec pki, but when I try with openssl, it fails...

On the client:
CN=passA.mycompany.local

In the openssl.cnf file I have a section for extensions with:
SubjectAltName=DNS:passA.mycompany.local,
keyUsage = nonRepudiation, digitalSignature, keyEncipherment,
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,serverAuth,clientAuth

On the server:
CN = passB.mycompany.local

openssl.cnf:
SubjectAltName = passB.mycompany.local
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,serverAuth

So what am I doing wrong?
Can you post the command you used with openssl, or the configurations you made in the openssl.cnf file?
Thanks

Anonymous (2013-06-06 02:46):
Do you already have the error code 809 with the IKEv2 VPN on Windows 7?? I'm not in the same situation as you because I want to establish an IPsec tunnel between two Windows 7 gateways.
I've heard that I need to allow ports or NAT, and I do that, but I still have this error!
Maybe someone knows how to fix that?
Thanks

Anonymous (2013-04-19 15:01):
I figured it out... you created a DER CA certificate. Once I converted it to PEM, the process works. Thanks!

Anonymous (2013-04-19 13:41):
This didn't work. openssl would not combine the keys into a p12 format; it kept saying it couldn't load the certificates. Could you post the code without the scripts... thanks

Anonymous (2013-03-05 15:01):
Hi there, I also wrestled with this Error 13806 problem for several hours. Your notes were a big help in narrowing down my problem, even though my problem turned out to be quite different.

My problem was that the private key was not being imported properly: despite showing up as "You have a private key that corresponds to this certificate", it wasn't actually able to open the private key (Error 0x80090011) for use. This turned out to be because the code I was using to import the PKCS#12 file was missing the X509KeyStorageFlags.PersistKeySet flag.

Along the way I also discovered that the relevant diagnostic information was hiding in the Windows Event Viewer, under Windows Logs\Security. I'm not used to working with Windows, so finding the logs was half the battle for me, but it was much more helpful than the vague error 13806 dialog.

Anonymous (2012-12-19 08:26):
Thanks for posting the findings.
I have a question about a commercial CA which will be able to provide or sign the cert with "extendedKeyUsage = 1.3.6.1.5.5.8.2.2,serverAuth". I contacted Entrust support; apparently they don't do the "extendedKeyUsage = 1.3.6.1.5.5.8.2.2". Do you have experience with a commercial CA which will provide this EKU property, or do you use a private CA?

Mostafa Ghadamyari (2012-05-25 01:08):
I ran your commands exactly and the following files were made:

caCert.der
ca.key
server.cert
server.key
win7.cert
win7.key
win7.p12

Then I set leftcert=server.cert in the ipsec.conf file and ": RSA server.key" in the ipsec.secrets file and restarted ipsec.
Also I've installed caCert.der and win7.p12 using the strongSwan Windows 7 certificate import guide...

But I still receive the 13086 error. Please help.

Tiebing (2012-05-22 11:48):
You need the "serverAuth" flag for certificates used by StrongSwan in server mode.

Tiebing (2012-05-22 11:46):
I am using Debian Stable, and the ipsec pki version is the 4.4.1 PKI tool. And it seems to work fine.

strongSwan 4.4.1 PKI tool
usage:
 pki --self [--in file] [--type rsa|ecdsa]
 --dn distinguished-name [--san subjectAltName]+
 [--lifetime days] [--serial hex] [--ca] [--ocsp uri]+
 [--flag serverAuth|clientAuth|ocspSigning]+
 [--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]
 --help (-h) show usage information
 --in (-i) private key input file, default: stdin
 --type (-t) type of input key, default: rsa
 --dn (-d) subject and issuer distinguished name
 --san (-a) subjectAltName to include in certificate
 --lifetime (-l) days the certificate is valid, default: 1095
 --serial (-s) serial number in hex, default: random
 --ca (-b) include CA basicConstraint, default: no
 --pathlen (-p) set path length constraint
 --flag (-e) include extendedKeyUsage flag
 --ocsp (-o) OCSP AuthorityInfoAccess URI to include
 --digest (-g) digest for signature creation, default: sha1
 --outform (-f) encoding of generated cert, default: der
 --debug (-v) set debug level, default: 1
 --options (-+) read command line options from file

Unknown (2012-05-22 10:46):
When running the first script:
bits=2048
ipsec pki --gen --type rsa --size $bits --outform pem > ca.key
ipsec pki --self --flag serverAuth --in ca.key --type rsa --digest sha1 --dn "C=CH, O=strongSwan, CN=pkiCA" --ca > caCert.der

I get:
unrecognized option '--flag'
Error: invalid --self option
strongSwan 4.4.0 PKI tool

However, 2 certs do get created, but maybe created without the --flag option.