Issue #2613
Error 13801 with Windows 10 1709
Description
Hi, I'm trying to connect from Windows 10 1709 (16299.334) to a router running OpenWrt and strongSwan 5.6.2, without success: error 13801.
I have read many tutorials, and the first thing I did was this: https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048
To create certificates I used these commands:
ipsec pki --gen --type rsa --size 4096 --outform pem > caKey.pem
ipsec pki --self --ca --lifetime 3650 --in caKey.pem --type rsa --dn "C=IT, O=VPN Server, CN=VPN Server Root CA" --outform pem > caCert.pem
ipsec pki --gen --type rsa --size 4096 --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert caCert.pem --cakey caKey.pem --dn "C=IT, O=VPN Server, CN=myddnsserver.com" --san="myddnsserver.com" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert caCert.pem --cakey caKey.pem --dn "C=IT, O=VPN Server, CN=myddnsserver.com" --san="myddnsserver.com" --outform pem > clientCert.pem
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "Server VPN Root CA" -out clientCert.p12
ipsec.secrets
: RSA serverKey.pem
username : EAP "password"
ipsec.conf
config setup

conn %default
    keyexchange=ikev2
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=120s
    rekey=no

conn roadwarrior
    left=%any
    leftid=myddnsserver.com
    leftsubnet=192.168.11.0/24
    leftcert=serverCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightsourceip=1.2.3.4/24
    rightauth2=eap-mschapv2
    auto=add
    eap_identity=%any
With the Android client I can connect and everything is fine, but with Windows 10 I get this error, even with the Windows EKU check disabled:
Wed Apr 4 16:16:53 2018 daemon.info : 08[NET] received packet: from 151.47.11.129[16032] to 94.35.162.245[500] (624 bytes)
Wed Apr 4 16:16:53 2018 daemon.info : 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Wed Apr 4 16:16:53 2018 daemon.info : 08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Wed Apr 4 16:16:53 2018 daemon.info : 08[IKE] received MS-Negotiation Discovery Capable vendor ID
Wed Apr 4 16:16:53 2018 daemon.info : 08[IKE] received Vid-Initial-Contact vendor ID
Wed Apr 4 16:16:53 2018 daemon.info : 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Wed Apr 4 16:16:53 2018 daemon.info : 08[IKE] 151.47.11.129 is initiating an IKE_SA
Wed Apr 4 16:16:53 2018 authpriv.info : 08[IKE] 151.47.11.129 is initiating an IKE_SA
Wed Apr 4 16:16:54 2018 daemon.info : 08[IKE] remote host is behind NAT
Wed Apr 4 16:16:54 2018 daemon.info : 08[IKE] sending cert request for "C=IT, O=VPN Server, CN=VPN Server Root CA"
Wed Apr 4 16:16:54 2018 daemon.info : 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Wed Apr 4 16:16:54 2018 daemon.info : 08[NET] sending packet: from 94.35.162.245[500] to 151.47.11.129[16032] (465 bytes)
Wed Apr 4 16:16:54 2018 daemon.info : 03[NET] received packet: from 151.47.11.129[16039] to 94.35.162.245[4500] (2860 bytes)
Wed Apr 4 16:16:54 2018 daemon.info : 03[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Wed Apr 4 16:16:54 2018 daemon.info : 03[IKE] received cert request for "C=IT, O=VPN Server, CN=VPN Server Root CA"
Wed Apr 4 16:16:54 2018 daemon.info : 03[IKE] received 48 cert requests for an unknown ca
Wed Apr 4 16:16:54 2018 daemon.info : 03[IKE] received end entity cert "C=IT, O=VPN Server, CN=myddnsserver.com"
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] looking for peer configs matching 94.35.162.245[%any]...151.47.11.129[C=IT, O=VPN Server, CN=myddnsserver.com]
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] selected peer config 'roadwarrior'
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] using certificate "C=IT, O=VPN Server, CN=myddnsserver.com"
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] using trusted ca certificate "C=IT, O=VPN Server, CN=VPN Server Root CA"
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] checking certificate status of "C=IT, O=VPN Server, CN=myddnsserver.com"
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] certificate status is not available
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] reached self-signed root ca with a path length of 0
Wed Apr 4 16:16:54 2018 daemon.info : 03[IKE] authentication of 'C=IT, O=VPN Server, CN=myddnsserver.comt' with RSA signature successful
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] selected peer config 'roadwarrior' inacceptable: insufficient authentication rounds
Wed Apr 4 16:16:54 2018 daemon.info : 03[CFG] no alternative config found
Wed Apr 4 16:16:54 2018 daemon.info : 03[IKE] peer supports MOBIKE
Wed Apr 4 16:16:54 2018 daemon.info : 03[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
What am I doing wrong?
Many thanks
History
#1 Updated by Tobias Brunner over 7 years ago
- Status changed from New to Feedback
Windows does not support multiple authentication rounds (i.e. pubkey first then EAP, as configured with rightauth2). So you have to decide which authentication you want to do (cert or username/password) and then configure server and clients accordingly.
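To make the point in comment #1 checkable before a client ever connects, here is an added example (written for this thread, not part of strongSwan and not the poster's code) that parses an ipsec.conf, applies the conn %default settings, counts how many remote authentication rounds each conn demands (rightauth plus any rightauth2, rightauth3, ...), and rewrites an offending conn to a single round. The sample configuration is the one from the issue, reflowed. Assumptions: the parser is a simplified one (no also= or include directives), and a conn with no rightauth is treated as requiring pubkey, strongSwan's authby default.

```python
"""Flag ipsec.conf conns that require more than one remote authentication round.

The built-in Windows IKEv2 client performs exactly one authentication round, so a
conn with rightauth2 makes strongSwan log 'insufficient authentication rounds' and
answer with N(AUTH_FAILED) (Windows shows error 13801).
"""
import re

# Constructed sample: the conn from the issue, laid out as a normal ipsec.conf.
SAMPLE_CONF = """\
config setup

conn %default
    keyexchange=ikev2
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=120s
    rekey=no

conn roadwarrior
    left=%any
    leftid=myddnsserver.com
    leftsubnet=192.168.11.0/24
    leftcert=serverCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightsourceip=1.2.3.4/24
    rightauth2=eap-mschapv2
    auto=add
    eap_identity=%any
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")   # header lines start in column 0
AUTH_KEY_RE = re.compile(r"^rightauth(\d*)$")                # rightauth, rightauth2, rightauth3 ...


def parse_ipsec_conf(text):
    """Simplified ipsec.conf parser (assumption: no also=/include support).

    Returns {'config': {...}, 'conn': {name: {key: value}}, 'ca': {...}}.
    """
    sections = {"config": {}, "conn": {}, "ca": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections[m.group(1)].setdefault(m.group(2), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return sections


def effective_conn(sections, name):
    """Merge 'conn %default' under the conn's own settings, as strongSwan does."""
    merged = dict(sections["conn"].get("%default", {}))
    merged.update(sections["conn"][name])
    return merged


def remote_auth_rounds(conn):
    """Auth methods the responder requires from the peer, in round order.

    rightauth is round 1 (assumed 'pubkey' when unset); rightauthN adds round N.
    """
    rounds = {1: conn.get("rightauth", "pubkey")}
    for key, value in conn.items():
        m = AUTH_KEY_RE.match(key)
        if m and m.group(1):
            rounds[int(m.group(1))] = value
    return [rounds[i] for i in sorted(rounds)]


def windows_compatible(conn):
    """True when the conn demands exactly one remote authentication round."""
    return len(remote_auth_rounds(conn)) == 1


def single_round(conn, method):
    """Copy of conn that requires only `method` from the peer (e.g. 'eap-mschapv2',
    the fix from the issue, or 'pubkey' for certificate-only clients)."""
    fixed = {k: v for k, v in conn.items() if not AUTH_KEY_RE.match(k)}
    fixed["rightauth"] = method
    return fixed


def render_conn(name, conn):
    """Serialise a conn back into ipsec.conf syntax."""
    return "\n".join([f"conn {name}"] + [f"    {k}={v}" for k, v in conn.items()]) + "\n"


def report(text):
    """Map each multi-round conn name to its list of required remote auth rounds."""
    sections = parse_ipsec_conf(text)
    findings = {}
    for name in sections["conn"]:
        if name == "%default":
            continue
        rounds = remote_auth_rounds(effective_conn(sections, name))
        if len(rounds) > 1:
            findings[name] = rounds
    return findings


if __name__ == "__main__":
    sections = parse_ipsec_conf(SAMPLE_CONF)
    for name, rounds in report(SAMPLE_CONF).items():
        print(f"conn {name}: {len(rounds)} remote auth rounds {rounds}; Windows clients will fail")
        print("suggested single-round conn:")
        print(render_conn(name, single_round(sections["conn"][name], "eap-mschapv2")))
```

Run against the sample, the script reports that conn roadwarrior requires two rounds (pubkey, then eap-mschapv2) and prints the same conn with rightauth2 removed and rightauth=eap-mschapv2 set, which is the change that resolved this issue.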
#2 Updated by Massimo T over 7 years ago
Tobias Brunner wrote:
Windows does not support multiple authentication rounds (i.e. pubkey first then EAP, as configured with rightauth2). So you have to decide which authentication you want to do (cert or username/password) and then configure server and clients accordingly.
Thanks Tobias, rightauth=eap-mschapv2 fixed the problem.
You saved me from a nervous breakdown :D
#3 Updated by Tobias Brunner over 7 years ago
- Category set to configuration
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required