IKE failed to find valid machine certificate



I have set up a Mobile Clients IPSec VPN (kinda following the "IPsec Road Warrior/Mobile Client How-To") but using:

• IKEv2 rather than IKEv1
• Mutual RSA rather than PSK
• 256-bit AES rather than 128-bit
• SHA256 rather than SHA1
• Phase 2s for 0.0.0.0/0 and ::/0

I have a CA on my pfSense box from which I have issued:

• A Server Certificate for the IPSec Server
• A Machine Certificate per client device

I have then linked the Client Device certificates to an unprivileged user account (which only has "User - VPN - IPsec xauth Dialin") in User Manager.

Two Android devices, using strongSwan, connect fine:

• Gateway: [external IPv4 address]
• Type: IKEv2 Certificate
• User Certificate: [The device's Machine Certificate]
• CA Certificate Auto Select: No
• CA Certificate: [The pfSense CA Certificate]
• Block IPv4 traffic not destined for the VPN: Yes
• Block IPv6 traffic not destined for the VPN: Yes

Windows 10 will not connect; it just keeps saying "IKE failed to find valid machine certificate…"

• Host name or IP address: [external IPv4 address]
• Type of VPN: IKEv2
• Data Encryption: Require Encryption
• Authentication: Use Machine Certificates

I have checked, and the Machine Certificate is in the "Personal" store and the Root CA is in the "Trusted Root Certification Authorities" store of the MACHINE Certificate Store, not my user store.

Both Machine and IPSec Server certificates have:

Key Usage
• Digital Signature, Key Encipherment (a0)

Extended Key Usage
• Server Authentication (1.3.6.1.5.5.7.3.1)
• IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

Opening the Machine Certificate shows "This certificate is OK."

The IPSec Server certificate has subject

• CN=[external hostname]

Alternate names

• DNS Name=[external hostname]
• DNS Name=[internal hostname]
• DNS Name=[external IP]
• IP Address=[external IP]
• DNS Name=[internal IP]
• IP Address=[internal IP]

As far as I can tell the certificates meet https://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq as "Only usable as machine certificates", which is what I'm using them as.

I have also tried disabling extended certificate checks and rebooting.

The only thing I need to do which I have not worked out how to do yet is removing the two Public CA Certs, that make up the chain to my web admin certificate, from the IPSec configuration so it does not advertise these as potential CAs. I have tried deleting the two files they are loaded from, but on service restart they just get recreated. If these are removed from Cert Manager then so is the certificate for web admin, and if just the certificate is re-added then browsers complain as the server does not present the required intermediate certificate.

Has anyone come across this issue before? Any suggestions on how to resolve it? Happy to provide further info if needed.

Many thanks in advance for your help.
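The following is an added diagnostic script, not part of the original post and not pfSense or strongSwan code. It is meant to be run in an elevated PowerShell on the Windows 10 client and reports, for every certificate in the machine "Personal" store, the facts the Windows IKEv2 client cares about when it looks for a usable machine certificate: whether the private key is actually present, the Key Usage and Extended Key Usage it carries, whether a Subject Alternative Name extension exists, and whether a chain can be built to a root trusted by the machine (not the user) context. The two EKU OIDs it flags as expected are the ones the post lists for its certificates; the store paths and the revocation setting are assumptions for this example.

```powershell
# Added example (not from the post). Assumes: run as Administrator on the
# Windows 10 client; the machine certificate was imported into
# Cert:\LocalMachine\My; the issuing CA is in Cert:\LocalMachine\Root.
# Revocation checking is disabled here because the post's CA is private
# and publishes no CRL/OCSP endpoint (assumption).
$ExpectedEku = @(
    '1.3.6.1.5.5.7.3.1',  # Server Authentication (listed in the post)
    '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate (listed in the post)
)

function Test-IkeMachineCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $result = [ordered]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey   # a cert without its key is never "valid" for IKE
        KeyUsage      = $null
        Eku           = @()
        MissingEku    = @()
        SanPresent    = $false
        ChainBuilds   = $false
        ChainStatus   = ''
    }

    # Walk the extensions by OID rather than by display name, which is localized.
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.15' {   # Key Usage
                $result.KeyUsage = ([System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]$ext).KeyUsages
            }
            '2.5.29.37' {   # Extended Key Usage
                $result.Eku = @(([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext).EnhancedKeyUsages |
                    ForEach-Object { $_.Value })
            }
            '2.5.29.17' {   # Subject Alternative Name
                $result.SanPresent = $true
            }
        }
    }
    $result.MissingEku = @($ExpectedEku | Where-Object { $result.Eku -notcontains $_ })

    # Build the chain in the MACHINE context ($true), which is what the IKE
    # service sees; a root that is only in the user's store will not count.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainBuilds = $chain.Build($Cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ($result.ChainBuilds) {
        # Last element of the chain is the root the machine trusted.
        $result.ChainStatus = 'OK (root: ' + $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject + ')'
    }

    [pscustomobject]$result
}

# Report every certificate in the machine Personal store, not only those with a
# key, so that a certificate imported without its private key shows up clearly.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IkeMachineCertificate -Cert $_ } |
    Format-List
```

A candidate that should satisfy the client shows HasPrivateKey True, an empty MissingEku, ChainBuilds True and a root subject matching the pfSense CA. If HasPrivateKey is False, the certificate was exported without its key (or the key was imported under the user account rather than the machine); if ChainBuilds is False with a status such as UntrustedRoot, the CA is trusted only in the user store, which the post already rules out but which the script confirms from the machine's point of view.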