Windows 10: Error 13801, IKE authentication credentials are unacceptable #126
Comments
|
Solution: After this windows 10 (and android Strongswan) client connected without a problem. Strongswan probably doesn't like the new format.. This can be workarounded in the setup.sh script for now. source: |
This helped, thanks! Just removed the 'chain.pem' link and did Would be nice to have a proper fix in the setup script. |
|
Thanks for filing this issue, @b0d8mr4zu. I don't think that particular Let's Encrypt forum thread draws the right conclusion here. The problem is not that strongSwan fails to send the intermediate cert chain (after all, it works just fine with the Mac client, for example). Instead, the underlying problem seems to be a Windows 10 bug, where certificates are supposed to be lazy-loaded, but rasdial doesn't lazy load them. See this thread: https://community.letsencrypt.org/t/isrg-root-lazy-loading-problem-missing-from-random-updated-windows-10-versions/141550 The solution that's suggested does work for now, but may fail in future if and when Let's Encrypt change their signing setup again. An alternative solution, at least for new installations, is that we just add the following line to the Windows PowerShell client setup script: $Response = Invoke-WebRequest -UseBasicParsing -Uri https://valid-isrgrootx1.letsencrypt.orgWe can ignore the contents of And once that's happened, the VPN will connect without issues once again. The problem here, of course, is that existing Win 10 VPN client setups will need fixing (e.g. by simply visiting that URL in Edge). So I guess I might also add instructions for the alternative-cert fix to the README and/or setup script output. |
|
OK — I've now added that PowerShell command to the Windows setup instructions, and also added a new script, win10fix.sh, for situations where the server-side fix is required instead. |
|
the server-side workaround probably stopped working as lets-encrypt-r3-cross-signed.pem expired a few days ago. |
|
@jawj sorry to bug you but i tried running This issue has started happening on 21st October only for us. It was working just fine previously... |
|
@ocind What I know about logs is described at https://github.com/jawj/IKEv2-setup#troubleshooting. I'm afraid I don't use Windows much, and the web request (or just visiting that address in Edge) does fix the issue on my Windows box. |
Hello, first of all thank You for the project, it saved me a lot of config testing. The IPsec/IKEv2 vpn tunel is extremely useful for Windows users that has unprivileged accounts only and still need to work from certain location/network, but the company can't provide them with a working solution remotely. Thanks again.
So Windows doesn't like the Let's Encrypt certs, that results in the Error 13801 (error number reported by rasphone.exe, the native graphical client provides only the text error).
This looks like a problem inside StrongSwan itself and the fact that Let's Encrypt changed the layout on their chain certs.
The solution in the next post.
The text was updated successfully, but these errors were encountered: