IKEv2 from Win7 needs EKU in cert getting error 13801. Windows 8.1 works v2.2.3



  • Hi

    I have an almost working tunnel. I am having the traffic routing issue in many other posts. I am following this https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2. After some wrangling with the Windows Firewall and the NAT router, I have a successful tunnel from a Windows 8.1 laptop. However, when I try to connect with Windows 7 I get error 13801, which means it needs some EKU "ServerAuthentication". How do I add this to the certificate from the GUI? TIA


  • Rebel Alliance Developer Netgate

    The GUI certs already have that EKU set, but Windows also wants another one: "1.3.6.1.5.5.8.2.2"

    We put some fixes into 2.2.4 to add that into the server cert, so if you update to a snapshot and make a new IPsec server cert it'll be there.

    So make sure of the following when making a cert:

    • Be on 2.2.4 snapshot, -RELEASE or later
    • Cert is selected as a SERVER certificate
    • Common Name must be set to either the IP address -or- FQDN in DNS of the server, whatever the clients will use to connect, can't make both work.
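
Added example (not from the thread or from pfSense): a standard-library Python check that walks a certificate's DER encoding and reports which of the two EKUs discussed above are missing. The sample input is a constructed bare extension rather than a real certificate, and all function names are illustrative.

```python
EKU_EXT = "2.5.29.37"                                   # id-ce-extKeyUsage
REQUIRED = {"1.3.6.1.5.5.7.3.1": "serverAuth",          # Server Authentication
            "1.3.6.1.5.5.8.2.2": "IKE intermediate"}    # OID quoted in the reply

def read_tlv(buf, pos):                     # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(value):
    arcs, n = [], 0
    for b in value:                         # base-128 digits, high bit = "more follows"
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def find_eku(der):
    """Return the OIDs listed in the extendedKeyUsage extension, or [] if absent."""
    stack = [der]
    while stack:
        items = list(children(stack.pop()))
        if items and items[0][0] == 0x06 and decode_oid(items[0][1]) == EKU_EXT:
            _, seq, _ = read_tlv(items[-1][1], 0)       # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for t, v in children(seq) if t == 0x06]
        stack.extend(v for t, v in items if t & 0x20)   # descend into constructed elements
    return []

def missing_ekus(der):
    present = set(find_eku(der))
    return [name for oid, name in REQUIRED.items() if oid not in present]

# Constructed sample: a bare Extension structure, not a real certificate.
def tlv(tag, body): return bytes([tag, len(body)]) + body
SERVER_AUTH, IKE_INTERMEDIATE = bytes.fromhex("2b06010505070301"), bytes.fromhex("2b06010505080202")
def sample_extension(*purposes):
    eku = tlv(0x30, b"".join(tlv(0x06, p) for p in purposes))
    return tlv(0x30, tlv(0x06, bytes.fromhex("551d25")) + tlv(0x04, eku))
print(missing_ekus(sample_extension(SERVER_AUTH)))      # cert with only serverAuth
```

To check a real server certificate, pass its DER bytes to `missing_ekus()`, for example the result of `ssl.PEM_cert_to_DER_cert()` on the exported PEM text.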
