Netgate Discussion Forum

Re: IPSEC IKEv2 with EAP-MSCHAPv2 - Windows error 13801 [SOLVED]

7 Posts 3 Posters 4.4k Views
  • B
    blackfede
    last edited by Jan 22, 2016, 11:27 AM Jan 20, 2016, 10:09 AM

    Hi, I can't figure out why my setup is not working, and I have been experimenting with it for days…
    It never worked in pfSense 2.2.2; I upgraded to 2.2.6 and still nothing.

    I followed the https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 guide and am stuck at the Windows 13801 error.

    I created the CA in pfSense and created a Server Certificate. I also recreated the CA and tested many server certificates; my best bet is

    For my cert:  CN = vpn.domain.com
    SAN: DNS Name = vpn.domain.com
            IP Address = x.x.x.x (WAN ip address)

    I imported the cert into the local computer's Trusted Root CA store.

    As soon as I try the Windows connection I get error 13801. The DWORD in the registry for bypassing the checks does not work (client rebooted).
    The error log on pfSense is always the same:

    Jan 19 17:55:51 	charon: 13[NET] <19> received packet: from 192.168.21.150[500] to 92.223.1.1[500] (616 bytes)
    Jan 19 17:55:51 	charon: 13[ENC] <19> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Jan 19 17:55:51 	charon: 13[IKE] <19> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Jan 19 17:55:51 	charon: 13[IKE] <19> received MS-Negotiation Discovery Capable vendor ID
    Jan 19 17:55:51 	charon: 13[IKE] <19> received Vid-Initial-Contact vendor ID
    Jan 19 17:55:51 	charon: 13[ENC] <19> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Jan 19 17:55:51 	charon: 13[IKE] <19> 192.168.21.150 is initiating an IKE_SA
    Jan 19 17:55:51 	charon: 13[IKE] <19> sending cert request for "C=IT, ST=Italy, L=Milano, O=MyOrg, E=abuse@myorg.it, CN=myorg-ca"
    Jan 19 17:55:51 	charon: 13[ENC] <19> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jan 19 17:55:51 	charon: 13[NET] <19> sending packet: from 92.223.1.1[500] to 192.168.21.150[500] (333 bytes)
    Jan 19 17:55:51 	charon: 13[NET] <19> received packet: from 192.168.21.150[4500] to 92.223.1.1[4500] (964 bytes)
    Jan 19 17:55:51 	charon: 13[ENC] <19> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jan 19 17:55:51 	charon: 13[IKE] <19> received cert request for "C=IT, ST=Italy, L=Milano, O=MyOrg, E=abuse@myorg.it, CN=myorg-ca"
    Jan 19 17:55:51 	charon: 13[IKE] <19> received 31 cert requests for an unknown ca
    Jan 19 17:55:51 	charon: 13[CFG] <19> looking for peer configs matching 92.223.1.1[%any]...192.168.21.150[192.168.21.150]
    Jan 19 17:55:51 	charon: 13[CFG] <bypasslan|19> selected peer config 'bypasslan'
    Jan 19 17:55:51 	charon: 13[IKE] <bypasslan|19> peer requested EAP, config inacceptable
    Jan 19 17:55:51 	charon: 13[CFG] <bypasslan|19> no alternative config found
    Jan 19 17:55:51 	charon: 13[IKE] <bypasslan|19> peer supports MOBIKE
    Jan 19 17:55:51 	charon: 13[ENC] <bypasslan|19> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jan 19 17:55:51 	charon: 13[NET] <bypasslan|19> sending packet: from 92.223.1.1[4500] to 192.168.21.150[4500] (68 bytes)

    I think the core error is "cert requests for an unknown ca", but I can't figure out what I am missing.
    Thanks for your help
    Federco

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jan 20, 2016, 3:06 PM

      https://technet.microsoft.com/en-us/library/dd941612%28v=ws.10%29.aspx

      Error 13801 occurs on the client when:

      The certificate is expired.

      The trusted root for the certificate is not present on the client.

      The subject name of the certificate does not match the remote computer.

      The certificate does not have the required Enhanced Key Usage (EKU) values assigned.

      So:

      1. Make sure the server cert is actually a "Server Cert" (check the attributes listed in the cert list, it should show "Server: Yes")
      2. Make sure the CA cert (not the server cert!) is imported to the client
      3. Make sure that whatever "vpn.domain.com" really is exists in DNS
      4. Use "vpn.domain.com" in the VPN client config as the remote host/server

      • B
        blackfede
        last edited by Jan 20, 2016, 3:57 PM Jan 20, 2016, 3:42 PM

        Thank you,

        As Server Cert I have "Server Certificate CA: No, Server: Yes", and I have imported the CA cert (not the server cert) under the Computer trusted root certs (required admin rights).

        My Server Cert has emailAddress=abuse@MyOrg.it, ST=Italy, O=MyOrg, L=Milano, CN=vpn.domain.com, C=IT (where vpn.domain.com is my public hostname), and I have added Type DNS vpn.domain.com and Type IP with the IP obtained by pinging my vpn.domain.com.

        I am not totally sure about this:
        3. Make sure that whatever "vpn.domain.com" really is exists in DNS
        It exists on the Internet; is this enough? I don't think I have it mapped anywhere in pfSense, but pfSense can ping it.

        Ah, and vpn.domain.com points to the public IP of my pfSense HA cluster.

        I am using vpn.domain.com in my Windows config.

        There must be something that I am missing…

        • A
          akong
          last edited by Jan 21, 2016, 12:53 AM

          Hello,
          Do you connect IPsec between two pfSense machines? I have tested it.

          Client PC ---> pfSense 2.2.6 ---IPsec IKEv2---> pfSense 2.2.6 (It will show "server not responding" in Windows and can't connect.)

          Client PC ---> IP Sharing ---IPsec IKEv2---> pfSense 2.2.6 (It can connect IPsec with no error at all.)

          I don't know what settings I am missing.

          • B
            blackfede
            last edited by Jan 21, 2016, 12:06 PM

            @akong: no, it's between a pfSense and a Windows client (Win 8.1) that I am using for testing.

            • B
              blackfede
              last edited by Jan 21, 2016, 5:06 PM

              Still no luck.

              Inspecting my server certificate I have:

              Data:
                      Version: 3 (0x2)
                      Serial Number: 2 (0x2)
                  Signature Algorithm: sha256WithRSAEncryption
                      Issuer: C=IT, ST=Italy, L=Milano, O=MyOrg/emailAddress=abuse@MyOrg.it, CN=myorg-ca
                      Validity
                          Not Before: Jan 21 15:21:38 2016 GMT
                          Not After : Jan 18 15:21:38 2026 GMT
                      Subject: C=IT, ST=Italy, L=Milano, O=MyOrg/emailAddress=abuse@MyOrg.it, CN=vpn.domain.com
                      Subject Public Key Info:

              X509v3 Subject Alternative Name:
                              DNS:vpn.domain.com, IP Address:WANipAddress, IP Address:LANipAddress (added today for test)

              And myorg-ca is added under the trusted root certificates in the "Computer" section on Windows (how do I check that Windows is using it when contacting the VPN?).

              • B
                blackfede
                last edited by Jan 22, 2016, 11:43 AM Jan 22, 2016, 11:27 AM

                After reading the whole documentation again and experimenting with almost everything, SOLVED by changing, under

                Phase1
                General information
                Interface

                from WAN to 1.2.3.4 (CARP WAN IP).

                I can't understand why, but I started trying everything…

                Now it does not go online (Internet), but it pings remote IPs, and I have to understand if it's possible, and how, to resolve some addresses using the remote local DNS, but that's another story.

                F

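The charon excerpt in the first post already contained the two facts that explain both the "unknown ca" worry and the Interface fix in the last post: the client did send a CERTREQ for myorg-ca (so the Windows root store was fine, and the 31 unknown CAs are just the other roots in that store), and the connection from 92.223.1.1 was matched to the 'bypasslan' config, which has no EAP, because the EAP-MSCHAPv2 Phase 1 was bound to a different local address. The following triage script is an added example, not code from the thread or from pfSense/strongSwan; it parses constructed log lines in charon's format (shortened DNs) and reports those two findings.

```python
import re

# Constructed sample: the charon lines from the first post that matter for triage
SAMPLE_LOG = """\
Jan 19 17:55:51 charon: 13[IKE] <19> sending cert request for "C=IT, O=MyOrg, CN=myorg-ca"
Jan 19 17:55:51 charon: 13[IKE] <19> received cert request for "C=IT, O=MyOrg, CN=myorg-ca"
Jan 19 17:55:51 charon: 13[IKE] <19> received 31 cert requests for an unknown ca
Jan 19 17:55:51 charon: 13[CFG] <19> looking for peer configs matching 92.223.1.1[%any]...192.168.21.150[192.168.21.150]
Jan 19 17:55:51 charon: 13[CFG] <bypasslan|19> selected peer config 'bypasslan'
Jan 19 17:55:51 charon: 13[IKE] <bypasslan|19> peer requested EAP, config inacceptable
"""

# charon prefixes each message with <id> or <config|id>; capture the IKE_SA id and the message
LINE_RE = re.compile(r"charon: \d+\[\w+\] <(?:[^|>]+\|)?(\d+)> ?(.*)$")
MATCH_RE = re.compile(r"looking for peer configs matching (\S+?)\[[^\]]*\]\.\.\.(\S+?)\[")

def parse_ike_sas(log_text):
    """Group charon messages by IKE_SA id and extract the facts needed for triage."""
    sas = {}
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        sa = sas.setdefault(m.group(1), dict(sent_ca=set(), client_ca=set(), unknown_ca_reqs=0,
                                             local=None, remote=None, config=None, eap_refused=False))
        msg = m.group(2)
        if msg.startswith("sending cert request for "):      # CA we asked the client to use
            sa["sent_ca"].add(msg.split('"')[1])
        elif msg.startswith("received cert request for "):   # CA the client trusts and we know
            sa["client_ca"].add(msg.split('"')[1])
        elif "cert requests for an unknown ca" in msg:       # other roots in the client's store
            sa["unknown_ca_reqs"] = int(msg.split()[1])
        elif (mm := MATCH_RE.match(msg)):                    # local/remote address pair looked up
            sa["local"], sa["remote"] = mm.group(1), mm.group(2)
        elif msg.startswith("selected peer config "):
            sa["config"] = msg.split("'")[1]
        elif "peer requested EAP, config inacceptable" in msg:
            sa["eap_refused"] = True
    return sas

def diagnose(sa):
    findings = []
    if sa["client_ca"] & sa["sent_ca"]:
        findings.append("client sent a CERTREQ for our CA: the CA import on the client is fine")
    elif sa["unknown_ca_reqs"]:
        findings.append("client sent no CERTREQ for our CA: check the CA import on the client")
    if sa["eap_refused"] and sa["config"]:
        findings.append(f"local address {sa['local']} selected config '{sa['config']}', which does not "
                        "allow EAP: the EAP-MSCHAPv2 Phase 1 is not bound to that address (Interface setting)")
    return findings

if __name__ == "__main__":
    for sa_id, sa in parse_ike_sas(SAMPLE_LOG).items():
        print(sa_id, diagnose(sa))
```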
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.