Bug #4580

IKEv2 certificate lacks [mumble] attribute required by Windows 7 Agile VPN client

Added by Adam Thompson over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Category: Certificates
Target version:
Start date: 04/03/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: All
Affected Architecture:

Description

I ran into this problem: http://tiebing.blogspot.ca/2012/05/windows-7-ikev2-error-13806.html?m=1
Also documented here: http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

Also here (canonical documentation): https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq

Basically, the certificate pfSense generates isn't "good enough" for Win7/Win8. The registry hack appears to work, but isn't an acceptable solution.
Using externally-generated certificates should work, too, but I haven't tested that.

History

#1 Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback

Which specific attribute?

It does have the EKU bits listed on there. Pay attention to the requirements in our docs, though; you have to add a specific SAN:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS#Create_a_Server_Certificate

#2 Updated by Chris Buechler about 4 years ago

  • Assignee set to Chris Buechler
  • Target version set to 2.2.4

I probably fixed this by coincidence (didn't recall this ticket existed until now) earlier today. I think what Adam's referring to is what's fixed by:
https://github.com/pfsense/pfsense/commit/b27567ca401f489269147038bbaa450d440087c2

Now the server cert is accepted by Windows without disabling EKU.

#3 Updated by Chris Buechler about 4 years ago

  • Affected Version changed from 2.2.1 to All

#4 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

fixed
