Bug #4580
closed
IKEv2 certificate lacks [mumble] attribute required by Windows 7 Agile VPN client
0%
Description
I ran into this problem: http://tiebing.blogspot.ca/2012/05/windows-7-ikev2-error-13806.html?m=1
Also documented here: http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801
Also here (canonical documentation): https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
Basically, the certificate pfSense generates isn't "good enough" for Win7/Win8. The registry hack appears to work, but isn't an acceptable solution.
Using externally-generated certificates should work, too, but I haven't tested that.
Updated by Jim Pingle over 9 years ago
- Status changed from New to Feedback
Which specific attribute?
It does have the EKU bits listed on there. Pay attention to the requirements in our docs, though; you have to add a specific SAN:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS#Create_a_Server_Certificate
Updated by Chris Buechler over 9 years ago
- Assignee set to Chris Buechler
- Target version set to 2.2.4
I probably fixed this by coincidence (didn't recall this ticket existed until now) earlier today. I think what Adam's referring to is what's fixed by:
https://github.com/pfsense/pfsense/commit/b27567ca401f489269147038bbaa450d440087c2
Now the server cert is accepted by Windows without disabling EKU.
Updated by Chris Buechler over 9 years ago
- Affected Version changed from 2.2.1 to All