Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows 10: Error 13801, IKE authentication credentials are unacceptable #126

Closed
b0d8mr4zu opened this issue Sep 7, 2021 · 7 comments
Closed

Comments

@b0d8mr4zu
Copy link

Hello, first of all thank You for the project, it saved me a lot of config testing. The IPsec/IKEv2 vpn tunel is extremely useful for Windows users that has unprivileged accounts only and still need to work from certain location/network, but the company can't provide them with a working solution remotely. Thanks again.

So Windows doesn't like the Let's Encrypt certs, that results in the Error 13801 (error number reported by rasphone.exe, the native graphical client provides only the text error).
This looks like a problem inside StrongSwan itself and the fact that Let's Encrypt changed the layout on their chain certs.

The solution in the next post.

@b0d8mr4zu
Copy link
Author

b0d8mr4zu commented Sep 7, 2021

Solution:
change the chain of two certs in the /etc/ipsec.d/cacerts/chain.pem (linked by certbot) to a single crossigned one from Let's Encrypt https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem and restart the ipsec service.

After this windows 10 (and android Strongswan) client connected without a problem.

Strongswan probably doesn't like the new format.. This can be workarounded in the setup.sh script for now.

source:
https://community.letsencrypt.org/t/strongswan-and-x3-to-r3-transition/153557/2

@sk-pub
Copy link

sk-pub commented Sep 10, 2021

Solution:
change the chain of two certs in the /etc/ipsec.d/cacerts/chain.pem (linked by certbot) to a single crossigned one from Let's Encrypt https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem and restart the ipsec service.

This helped, thanks! Just removed the 'chain.pem' link and did wget https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem.

Would be nice to have a proper fix in the setup script.

@jawj
Copy link
Owner

jawj commented Sep 13, 2021

Thanks for filing this issue, @b0d8mr4zu.

I don't think that particular Let's Encrypt forum thread draws the right conclusion here. The problem is not that strongSwan fails to send the intermediate cert chain (after all, it works just fine with the Mac client, for example).

Instead, the underlying problem seems to be a Windows 10 bug, where certificates are supposed to be lazy-loaded, but rasdial doesn't lazy load them. See this thread: https://community.letsencrypt.org/t/isrg-root-lazy-loading-problem-missing-from-random-updated-windows-10-versions/141550

The solution that's suggested does work for now, but may fail in future if and when Let's Encrypt change their signing setup again.

An alternative solution, at least for new installations, is that we just add the following line to the Windows PowerShell client setup script:

$Response = Invoke-WebRequest -UseBasicParsing -Uri https://valid-isrgrootx1.letsencrypt.org

We can ignore the contents of $Response, but this simple get request has the side effect of loading the ISRG Root X1 cert into the certificate store (you can see this in certmgr.exe under Third-Party Root Certificate Authorities > Certificates).

And once that's happened, the VPN will connect without issues once again.

The problem here, of course, is that existing Win 10 VPN client setups will need fixing (e.g. by simply visiting that URL in Edge). So I guess I might also add instructions for the alternative-cert fix to the README and/or setup script output.

@jawj jawj closed this as completed in f38dcde Sep 13, 2021
@jawj
Copy link
Owner

jawj commented Sep 13, 2021

OK — I've now added that PowerShell command to the Windows setup instructions, and also added a new script, win10fix.sh, for situations where the server-side fix is required instead.

@s0ftice
Copy link

s0ftice commented Oct 1, 2021

the server-side workaround probably stopped working as lets-encrypt-r3-cross-signed.pem expired a few days ago.

@ocind
Copy link

ocind commented Oct 21, 2021

@jawj sorry to bug you but i tried running $Response = Invoke-WebRequest -UseBasicParsing -Uri https://valid-isrgrootx1.letsencrypt.org on the Windows client but the same issue still occurs. I am not sure how to debug this. Can you give me some pointers on where to look for the logs?

This issue has started happening on 21st October only for us. It was working just fine previously...

@jawj
Copy link
Owner

jawj commented Oct 22, 2021

@ocind What I know about logs is described at https://github.com/jawj/IKEv2-setup#troubleshooting. I'm afraid I don't use Windows much, and the web request (or just visiting that address in Edge) does fix the issue on my Windows box.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants