Troubleshooting StrongSwan IKEv2 VPN Error 13801 on Windows 7: Certificate Authentication Issues



Error 13801 occurs during IKEv2 authentication when the Windows 7 Agile VPN client rejects the server's certificate while connecting to a strongSwan server. This typically happens when:

  • Server certificates don't meet Windows' strict validation requirements
  • Certificate chain isn't properly installed in the Windows certificate store
  • Extended Key Usage (EKU) extensions are missing in certificates

Windows 7 has certificate requirements that differ from other IKEv2 clients. Windows requires:
- Server certificate must contain Server Authentication EKU (1.3.6.1.5.5.7.3.1)
- Client certificate (if used) must contain Client Authentication EKU (1.3.6.1.5.5.7.3.2)
- Root CA must be installed in the Local Machine's Trusted Root Certification Authorities store

Here's how to generate proper certificates using OpenSSL:

# Create CA certificate
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=My VPN CA"

# Create server certificate
openssl req -newkey rsa:4096 -sha256 -nodes \
  -keyout server.key -out server.csr -subj "/CN=vpn.example.com"

# Sign server certificate with the extensions Windows checks (EKU and SAN).
# The <( ) process substitution requires bash; printf is used instead of echo -e for portability.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days 365 -sha256 \
  -extfile <(printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com\n')

Update your ipsec.conf with these critical parameters:

conn %default
    # Windows 7's default IKEv2 proposal. modp1024 (DH group 2) is weak and
    # should only be kept where the client cannot be changed; the "!" makes
    # the proposal strict so no weaker algorithm is negotiated.
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    # Enable MOBIKE for better NAT traversal
    mobike=yes
    # Windows-specific settings
    keyexchange=ikev2
    rekey=no
    fragmentation=yes

For successful authentication:

  • Import the CA certificate to Local Computer -> Trusted Root Certification Authorities
  • Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\IKEv2\DisableCertReqPayload to 1
  • In VPN connection properties -> Security tab:
    • Type: IKEv2
    • Authentication: MS-CHAPv2
    • Remember credentials

Use these commands to verify your setup:

# On StrongSwan server:
ipsec statusall
ipsec listcerts
journalctl -u strongswan -f

# On Windows client:
netsh ras set tracing * enabled
eventvwr.msc (check Application and System logs)

If certificate issues persist, consider:

  1. Using self-signed certificates with specific OIDs that Windows accepts
  2. Implementing certificate mapping with rightcert=%subject
  3. Temporarily disabling certificate validation for testing (not recommended for production)

When setting up an IKEv2 VPN between Windows 7 clients and a strongSwan server on AWS, Error 13801 typically indicates certificate validation failures. The Windows 7 Agile VPN client has stringent certificate requirements that differ from standard IPsec implementations.

After analyzing the logs and configuration, several critical points emerge:

Sep  4 00:16:17 localhost charon: 15[ENC] unknown attribute type INTERNAL_IP4_SERVER
Sep  4 00:16:17 localhost charon: 15[IKE] received 316 cert requests for an unknown ca

The first entry is harmless: INTERNAL_IP4_SERVER is a configuration attribute Windows requests that strongSwan does not implement. The second shows Windows sending a certificate request (CERTREQ) for every root CA in its trusted store, and strongSwan logging the ones it cannot match to a CA certificate it has loaded. On its own the line is informational, but it is where a CA that was never imported on the client, or never loaded on the server, becomes visible.

Windows 7 requires certificates with these specific properties:

Key Usage: Digital Signature, Key Encipherment
Extended Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Subject Alternative Name: Must include the server's DNS name
Certificate chain must be properly installed

Here's how to generate compliant certificates using OpenSSL:

# Create CA
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=My VPN CA"

# Create server cert
openssl req -newkey rsa:4096 -sha256 -nodes \
  -keyout server.key -out server.csr -subj "/CN=vpn.example.com"

# Create extensions file
echo "subjectAltName=DNS:vpn.example.com" > server.ext
echo "extendedKeyUsage=serverAuth" >> server.ext
echo "keyUsage=digitalSignature,keyEncipherment" >> server.ext

# Sign the cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days 365 -sha256 -extfile server.ext
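As an added example (not part of the original article), the bash script below wraps the two OpenSSL sequences above into a function and adds the pre-flight check a practitioner would run before pointing a Windows 7 client at the server: it confirms the Server Authentication EKU, the digitalSignature and keyEncipherment key-usage bits, a subjectAltName DNS entry matching the name that leftid will carry, and that the certificate chains to the CA. It also signs the same CSR without the extension file to show what the check rejects. The scratch paths, the CA name and the 2048-bit key size (chosen for speed) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: generate a Windows 7-compatible server certificate as the
# article describes and verify the properties the Windows IKEv2 client insists on.
# Paths, names and the 2048-bit key size are assumptions made for this example.

make_win7_certs() {          # make_win7_certs <dir> <vpn-dns-name>
  dir=$1; name=$2
  # CA (self-signed; "openssl req -x509" marks it CA:TRUE by default)
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Test VPN CA" 2>/dev/null
  # Server key and CSR; the CN alone is not enough for Windows, the SAN is what counts
  openssl req -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$name" 2>/dev/null
  # Extensions Windows 7 looks for: SAN, serverAuth EKU, key-usage bits
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$name" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" -days 365 -sha256 -extfile "$dir/server.ext" 2>/dev/null
  # Counter-example: the same CSR signed without the extension file, which is
  # exactly the kind of certificate that produces error 13801 on the client
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/bare.crt" -days 365 -sha256 2>/dev/null
}

check_win7_cert() {          # check_win7_cert <cert> <ca-cert> <vpn-dns-name>; returns 0 when all checks pass
  cert=$1; ca=$2; name=$3; ok=0
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || { echo "FAIL: cannot parse $cert"; return 1; }
  # Extended Key Usage must contain serverAuth (1.3.6.1.5.5.7.3.1)
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)"; ok=1; }
  # Key Usage: the value is printed on the line after the "X509v3 Key Usage" header
  ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print }')
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*) ;;
    *) echo "FAIL: keyUsage must include digitalSignature and keyEncipherment"; ok=1 ;;
  esac
  # SAN must carry the DNS name the client connects to (and that leftid advertises)
  printf '%s\n' "$text" | grep -q "DNS:$name" \
    || { echo "FAIL: no subjectAltName DNS entry for $name"; ok=1; }
  # The certificate must chain to the CA that will be imported on the client
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; ok=1; }
  if [ "$ok" -eq 0 ]; then echo "OK: $cert satisfies the Windows 7 IKEv2 checks"; fi
  return "$ok"
}

# Demonstration run in a scratch directory ("|| true" keeps the expected failure
# of the bare certificate from aborting a script run under "set -e")
work=$(mktemp -d)
make_win7_certs "$work" vpn.example.com
check_win7_cert "$work/server.crt" "$work/ca.crt" vpn.example.com || true   # OK
check_win7_cert "$work/bare.crt"   "$work/ca.crt" vpn.example.com || true   # three FAIL lines
rm -rf "$work"
```

Run the check against the certificate configured as leftcert and with the DNS name used in leftid; a Windows client that imported the CA will only accept the certificate if every line reports OK.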

After fixing certificates, update your ipsec.conf:

conn win7vpn
    left=%any
    # Network behind the server that clients should reach
    leftsubnet=10.0.0.0/16
    leftcert=server.crt
    # Must match the SAN DNS entry in server.crt
    leftid=@vpn.example.com
    right=%any
    # Virtual IP pool for clients; it lies inside leftsubnet here, so make sure
    # these addresses are not also used by hosts or VPC subnets on that network
    rightsourceip=10.0.0.0/24
    rightauth=eap-mschapv2
    # Windows sends no client certificate with EAP authentication
    rightsendcert=never
    eap_identity=%any
    auto=add
    # Windows 7 proposes modp1024 by default; modp2048 requires the client to be
    # configured for it (the NegotiateDH2048_AES256 registry value), otherwise
    # expect NO_PROPOSAL_CHOSEN in the strongSwan log
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

For testing purposes, the following registry entries are often applied on the client. Note what they actually do: the first enables NAT traversal when the client is behind a NAT device, and the second re-enables IPsec for RAS connections; neither switches off certificate validation itself.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000000

After implementation:

  1. Verify certificate chain installation in mmc.exe with the Certificates snap-in for the Computer account (certlm.msc exists only on newer Windows versions)
  2. Check Windows event viewer for detailed VPN errors
  3. Monitor strongSwan logs with ipsec stroke loglevel 4