Bug #4580

closed

IKEv2 certificate lacks [mumble] attribute required by Windows 7 Agile VPN client

Added by Adam Thompson almost 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Category: Certificates
Target version:
Start date: 04/03/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

I ran into this problem: http://tiebing.blogspot.ca/2012/05/windows-7-ikev2-error-13806.html?m=1
Also documented here: http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

Also here (canonical documentation): https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq

Basically, the certificate pfSense generates isn't "good enough" for Win7/Win8. The registry hack appears to work, but isn't an acceptable solution.
Using externally-generated certificates should work, too, but I haven't tested that.

Actions #1

Updated by Jim Pingle almost 9 years ago

  • Status changed from New to Feedback

Which specific attribute?

It does have the EKU bits listed on there. Pay attention to the requirements in our docs, though: you have to add a specific SAN:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS#Create_a_Server_Certificate

Actions #2

Updated by Chris Buechler over 8 years ago

  • Assignee set to Chris Buechler
  • Target version set to 2.2.4

I probably fixed this by coincidence (didn't recall this ticket existed until now) earlier today. I think what Adam's referring to is what's fixed by:
https://github.com/pfsense/pfsense/commit/b27567ca401f489269147038bbaa450d440087c2

Now the server cert is accepted by Windows without disabling EKU.

Actions #3

Updated by Chris Buechler over 8 years ago

  • Affected Version changed from 2.2.1 to All

Actions #4

Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Resolved

fixed
