Re: IPSEC IKEv2 with EAP-MSCHAPv2 - Windows error 13801 [SOLVED]



  • Hi, I can't figure out why my setup is not working and I have been experimenting with it for days…
    Never worked in pfSense 2.2.2, upgraded to 2.2.6 and still nothing.

    Followed the https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 guide, stuck at the Windows 13801 error.

    I created the CA in pfSense and created a Server Certificate. Also recreated the CA and tested many Server Certificates; my best bet is:

    For my cert:  CN = vpn.domain.com
    SAN: DNS Name = vpn.domain.com
            IP Address = x.x.x.x (WAN ip address)

    Imported the cert into the local computer Trusted Root CA

    As soon as I try the Windows connection I get error 13801. The DWORD in the registry for bypassing the checks does not work (client rebooted).
    The error log on pfSense is always the same:

    
    Jan 19 17:55:51 	charon: 13[NET] <19> received packet: from 192.168.21.150[500] to 92.223.1.1[500] (616 bytes)
    Jan 19 17:55:51 	charon: 13[ENC] <19> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Jan 19 17:55:51 	charon: 13[IKE] <19> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Jan 19 17:55:51 	charon: 13[IKE] <19> received MS-Negotiation Discovery Capable vendor ID
    Jan 19 17:55:51 	charon: 13[IKE] <19> received Vid-Initial-Contact vendor ID
    Jan 19 17:55:51 	charon: 13[ENC] <19> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Jan 19 17:55:51 	charon: 13[IKE] <19> 192.168.21.150 is initiating an IKE_SA
    Jan 19 17:55:51 	charon: 13[IKE] <19> sending cert request for "C=IT, ST=Italy, L=Milano, O=MyOrg, E=abuse@myorg.it, CN=myorg-ca"
    Jan 19 17:55:51 	charon: 13[ENC] <19> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jan 19 17:55:51 	charon: 13[NET] <19> sending packet: from 92.223.1.1[500] to 192.168.21.150[500] (333 bytes)
    Jan 19 17:55:51 	charon: 13[NET] <19> received packet: from 192.168.21.150[4500] to 92.223.1.1[4500] (964 bytes)
    Jan 19 17:55:51 	charon: 13[ENC] <19> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jan 19 17:55:51 	charon: 13[IKE] <19> received cert request for "C=IT, ST=Italy, L=Milano, O=MyOrg, E=abuse@myorg.it, CN=myorg-ca"
    Jan 19 17:55:51 	charon: 13[IKE] <19> received 31 cert requests for an unknown ca
    Jan 19 17:55:51 	charon: 13[CFG] <19> looking for peer configs matching 92.223.1.1[%any]...192.168.21.150[192.168.21.150]
    Jan 19 17:55:51 	charon: 13[CFG] <bypasslan|19> selected peer config 'bypasslan'
    Jan 19 17:55:51 	charon: 13[IKE] <bypasslan|19> peer requested EAP, config inacceptable
    Jan 19 17:55:51 	charon: 13[CFG] <bypasslan|19> no alternative config found
    Jan 19 17:55:51 	charon: 13[IKE] <bypasslan|19> peer supports MOBIKE
    Jan 19 17:55:51 	charon: 13[ENC] <bypasslan|19> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jan 19 17:55:51 	charon: 13[NET] <bypasslan|19> sending packet: from 92.223.1.1[4500] to 192.168.21.150[4500] (68 bytes)
    

    I think that the core error is "cert requests for an unknown ca" but I can't figure out what I am missing.
    Thanks for your help
    Federco
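As an added example (not code from the thread or from pfSense), the charon lines quoted above can be triaged mechanically: the script below groups log lines by IKE_SA number and records what the responder decided for that SA, so a certificate problem can be told apart from a peer-config selection problem. The sample log is constructed from the lines in the post; addresses and names are the ones the poster quoted.

```python
"""Triage a strongSwan (charon) IKEv2 log for one failed connection attempt.

Added example, not from the thread: groups charon lines by IKE_SA number and
reports what the responder decided for each SA.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the decisive lines from the log quoted in the post.
SAMPLE_LOG = """\
Jan 19 17:55:51 charon: 13[IKE] <19> 192.168.21.150 is initiating an IKE_SA
Jan 19 17:55:51 charon: 13[IKE] <19> sending cert request for "C=IT, O=MyOrg, CN=myorg-ca"
Jan 19 17:55:51 charon: 13[IKE] <19> received cert request for "C=IT, O=MyOrg, CN=myorg-ca"
Jan 19 17:55:51 charon: 13[IKE] <19> received 31 cert requests for an unknown ca
Jan 19 17:55:51 charon: 13[CFG] <19> looking for peer configs matching 92.223.1.1[%any]...192.168.21.150[192.168.21.150]
Jan 19 17:55:51 charon: 13[CFG] <bypasslan|19>selected peer config 'bypasslan'
Jan 19 17:55:51 charon: 13[IKE] <bypasslan|19>peer requested EAP, config inacceptable
Jan 19 17:55:51 charon: 13[CFG] <bypasslan|19>no alternative config found
Jan 19 17:55:51 charon: 13[ENC] <bypasslan|19>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(
    r"charon: \d+\[(?P<sub>\w+)\] "          # worker thread and subsystem, e.g. 13[CFG]
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>"  # <19> before a config is chosen, <name|19> after
    r"\s*(?P<msg>.*)$"                       # the space after '>' may be missing in pasted logs
)


@dataclass
class IkeSa:
    sa: int
    initiator: Optional[str] = None
    peer_config: Optional[str] = None
    unknown_ca_requests: int = 0
    eap_rejected: bool = False
    auth_response_payloads: List[str] = field(default_factory=list)


def summarize(log_text: str) -> Dict[int, IkeSa]:
    """Fold charon lines into one IkeSa record per IKE_SA number."""
    sas: Dict[int, IkeSa] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa_id = int(m["sa"])
        sa = sas.setdefault(sa_id, IkeSa(sa_id))
        msg = m["msg"]
        if m["conn"]:
            sa.peer_config = m["conn"]           # charon tags lines with the selected config
        init = re.match(r"(\S+) is initiating an IKE_SA", msg)
        if init:
            sa.initiator = init.group(1)
        unk = re.match(r"received (\d+) cert requests for an unknown ca", msg)
        if unk:
            sa.unknown_ca_requests += int(unk.group(1))
        if "peer requested EAP, config inacceptable" in msg:
            sa.eap_rejected = True
        resp = re.search(r"generating IKE_AUTH response \d+ \[(.*?)\]", msg)
        if resp:
            sa.auth_response_payloads = resp.group(1).split()
    return sas


def verdict(sa: IkeSa) -> str:
    """One-line reading of the SA, using only what charon itself logged."""
    payloads = " ".join(sa.auth_response_payloads) or "(no IKE_AUTH response seen)"
    cert_note = ("with a CERT payload" if "CERT" in sa.auth_response_payloads
                 else "with no CERT payload, so the server certificate was never presented")
    if sa.eap_rejected:
        return (f"IKE_SA {sa.sa} from {sa.initiator}: charon matched the peer to config "
                f"'{sa.peer_config}', which does not accept EAP, and answered {payloads} "
                f"{cert_note}; the client also sent {sa.unknown_ca_requests} CERTREQs for "
                "CAs charon does not know")
    if "N(AUTH_FAILED)" in sa.auth_response_payloads:
        return f"IKE_SA {sa.sa}: authentication failed under config '{sa.peer_config}'"
    return f"IKE_SA {sa.sa}: no failure recorded"


if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG).values():
        print(verdict(record))
```

Run against a real `/var/log/ipsec.log` by feeding its text to `summarize()`; the regex tolerates the missing space after `<name|19>` that pasted logs often show.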


  • Rebel Alliance Developer Netgate

    https://technet.microsoft.com/en-us/library/dd941612(v=ws.10).aspx

    Error 13801 occurs on the client when:

    The certificate is expired.

    The trusted root for the certificate is not present on the client.

    The subject name of the certificate does not match the remote computer.

    The certificate does not have the required Enhanced Key Usage (EKU) values assigned.

    So:

    1. Make sure the server cert is actually a "Server Cert" (check the attributes listed in the cert list, it should show "Server: Yes")
    2. Make sure the CA cert (not the server cert!) is imported to the client
    3. Make sure that whatever "vpn.domain.com" really is exists in DNS
    4. Use "vpn.domain.com" in the VPN client config as the remote host/server
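The four client-side conditions listed above can be checked offline with openssl before touching the Windows client. The script below is an added example (not from the thread, Netgate or pfSense): it builds a constructed CA and two server certificates, one issued the way the pfSense guide describes (SAN with DNS and IP, EKU serverAuth) and one without SAN or EKU, then runs each through the four checks. The hostname vpn.example.test and the address 192.0.2.1 are constructed placeholders for the poster's vpn.domain.com and WAN IP.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the four client-side conditions
# behind Windows error 13801 with openssl against a constructed test PKI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=vpn.example.test        # constructed; stands in for the thread's vpn.domain.com
WANIP=192.0.2.1              # constructed (RFC 5737 documentation range)

# --- constructed CA, with explicit extensions so the result does not depend on openssl.cnf
cat > "$WORK/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=IT/O=Example/CN=example-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME CN EXTFILE: CSR for CN, signed by the constructed CA, into $WORK/NAME.crt
issue_cert() {
  name=$1; cn=$2; ext=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=IT/O=Example/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
}

# "good": issued as the pfSense IKEv2 guide describes (DNS + IP SAN, serverAuth EKU)
cat > "$WORK/good.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST, IP:$WANIP
extendedKeyUsage = serverAuth
EOF
# "bad": same CN, but no SAN and no EKU (a plain "user" style certificate)
cat > "$WORK/bad.ext" <<EOF
basicConstraints = CA:FALSE
EOF
issue_cert good "$HOST" "$WORK/good.ext"
issue_cert bad  "$HOST" "$WORK/bad.ext"

# check_13801 CERT CA HOSTNAME: prints one FAIL line per condition; returns 0 only if all pass
check_13801() {
  cert=$1; ca=$2; host=$3; rc=0
  # 1. expired: -checkend 0 fails if notAfter is already in the past
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "FAIL expired: $cert"; rc=1; }
  # 2. trusted root: the cert must chain to the CA the client has imported
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL untrusted: $cert does not chain to $ca"; rc=1; }
  # 3. name: the name the client dials must match the SAN (or CN when no SAN is present)
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "FAIL hostname: $host not covered by $cert"; rc=1; }
  # 4. EKU: the Server Authentication purpose (shown by openssl as "TLS Web Server Authentication")
  openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Server Authentication" \
    || { echo "FAIL eku: no serverAuth EKU in $cert"; rc=1; }
  return $rc
}

echo "good cert:"
if check_13801 "$WORK/good.crt" "$WORK/ca.crt" "$HOST"; then echo "  all four checks pass"; fi
echo "bad cert:"
if ! check_13801 "$WORK/bad.crt" "$WORK/ca.crt" "$HOST"; then echo "  would trigger 13801"; fi
```

To test a real deployment, export the server certificate and CA from pfSense and call `check_13801 server.crt ca.crt vpn.domain.com` with the exact name configured in the Windows client; a certificate that passes all four checks rules out the conditions Microsoft lists for 13801 and points the investigation at the IPsec configuration instead.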



  • Thank you,

    As Server Cert I have "Server Certificate CA: No, Server: Yes", and I have imported the CA cert (not the server cert) under the Computer trusted root certs (required admin rights).

    My Server Cert has emailAddress=abuse@MyOrg.it, ST=Italy, O=MyOrg, L=Milano, CN=vpn.domain.com, C=IT (where vpn.domain.com is my public hostname) and I have added Type DNS vpn.domain.com and Type IP with the IP obtained by pinging my vpn.domain.com.

    I am not totally sure about this:
    3. Make sure that whatever "vpn.domain.com" really is exists in DNS
    It exists on the Internet, is this enough? I don't think I have it mapped anywhere in pfSense, but pfSense can ping it.

    Ah, and vpn.domain.com points to the public ip of my pfSense HA cluster.

    I am using vpn.domain.com in my windows config.

    There must be something that I am missing…



  • Hello,
    Do you connect IPsec between two pfSense machines? I have tested it.

    Client PC ---> pfSense 2.2.6 ---IPsec IKEv2---> pfSense 2.2.6 (It shows "server not responding" in Windows and can't connect.)

    Client PC ---> IP Sharing ---IPsec IKEv2---> pfSense 2.2.6 (It can connect IPsec without any error.)

    I don't know what settings I am missing.



  • @akong : no, it's between a pfSense and a Windows Client (Win 8.1) that I am using for testing.



  • Still no luck.

    Inspecting my server certificate I have

    Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=IT, ST=Italy, L=Milano, O=MyOrg/emailAddress=abuse@MyOrg.it, CN=myorg-ca
            Validity
                Not Before: Jan 21 15:21:38 2016 GMT
                Not After : Jan 18 15:21:38 2026 GMT
            Subject: C=IT, ST=Italy, L=Milano, O=MyOrg/emailAddress=abuse@MyOrg.it, CN=vpn.domain.com
            Subject Public Key Info:

    X509v3 Subject Alternative Name:
                    DNS:vpn.domain.com, IP Address:WANipAddress, IP Address:LANipAddress (added today for test)

    And myorg-ca is added under the trusted root certificate in "Computer" section on Windows (how do I check that Windows is using it when contacting the vpn?)



  • Reading again the whole documentation and experimenting with almost everything, SOLVED by changing under

    Phase1
    General information
    Interface

    From WAN to 1.2.3.4 (CARP WAN IP)

    Can't understand why, but I started to try everything…

    Now it does not go online (internet) but it pings remote IPs... and I have to understand if it's possible, and how, to resolve some addresses using the remote local DNS... but it's another story.

    F

