Hello, and welcome!
I run IKEv2 with certs, but only between OpenBSD systems; third-party connections are not in use and I have no experience with them to share.
Quote:
OpenBSD 5.6 behind a router with port 500 and 4500 forwarded on.
Port 4500 is for NAT-Traversal, which you have disabled. (I don't use it in my configuration as my systems interconnect without NAT.)
I note you are using IP addresses in iked.conf. As I'm using certificates, I use FQDNs for srcid and destid, and my certificates match the FQDNs. As an example:
Code:
ikev2 active esp \
from 10.0.3.2 to 10.0.3.1 \
srcid netbook.jggimi.homeip.net \
dstid fw2.jggimi.homeip.net
I decided to use FQDNs after having some early failures with short names/nicknames, and seeing a comment on misc@ that guided me in that direction. I can't find the comment right now. But when searching for it, I did find a recommendation to use two certificates on your Windows machine.
The error you're getting from Windows (13801) has these possible causes. If you're missing one of the two required certs, #3 might be why. If your cert and servers don't align exactly, #4 could be why, and you may want to switch to matching certificate names with FQDNs, as I do.
- The machine certificate used for IKEv2 validation on RAS Server does not have 'Server Authentication' as the EKU (Enhanced Key Usage).
- The machine certificate on RAS server has expired.
- The root certificate to validate the RAS server certificate is not present on the client.
- VPN Server Name as given on client doesn’t match with the subjectName of the server certificate.
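The four causes above can each be checked against the server certificate before touching the Windows side. The script below is an added example, written for this reply and not part of the original post or of OpenBSD's iked tooling; it uses the openssl command line to build a throwaway lab CA and two server certificates (the names fw2.example.net and "Lab IKEv2 CA" are constructed, as is the deliberately mis-built bad.crt with a clientAuth EKU and a short-name SAN), then runs each certificate through the EKU, expiry, trusted-root and name-match checks in turn.

```shell
#!/bin/sh
# Added example (not from the post): a lab PKI plus the four checks behind
# Windows error 13801. All names (fw2.example.net, Lab IKEv2 CA) are constructed.
set -u

# make_lab_pki DIR: an issuing CA, a correctly built server cert (good.crt),
# a mis-built one (bad.crt), and an unrelated CA standing in for a client
# that does not hold the right root (other-ca.crt).
make_lab_pki() {
    dir=$1
    cat > "$dir/lab.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_good ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:fw2.example.net
[ v3_bad ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectAltName = DNS:fw2
EOF
    for ca in ca other-ca; do
        openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/$ca.key" \
            -out "$dir/$ca.crt" -days 2 -subj "/CN=Lab IKEv2 $ca" \
            -config "$dir/lab.cnf" -extensions v3_ca 2>/dev/null
    done
    for name in good bad; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
            -out "$dir/$name.csr" -subj "/CN=fw2.example.net" \
            -config "$dir/lab.cnf" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -out "$dir/$name.crt" -days 1 \
            -extfile "$dir/lab.cnf" -extensions "v3_$name" 2>/dev/null
    done
}

# check_server_cert CERT CAFILE FQDN: prints one "ok"/"FAIL (cause N)" line per
# check, numbered as in the list of causes above; returns 0 only if all pass.
check_server_cert() {
    cert=$1; cafile=$2; fqdn=$3; fails=0
    text=$(openssl x509 -in "$cert" -noout -text)
    # 1. EKU must include Server Authentication (serverAuth).
    if printf '%s\n' "$text" | sed -n '/Extended Key Usage/{n;p;}' \
            | grep -q 'TLS Web Server Authentication'; then
        echo "ok   EKU includes Server Authentication"
    else
        echo "FAIL EKU lacks Server Authentication (cause 1)"; fails=$((fails + 1))
    fi
    # 2. notAfter must still be in the future.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "ok   certificate not expired"
    else
        echo "FAIL certificate expired (cause 2)"; fails=$((fails + 1))
    fi
    # 3. The cert must chain to a root the client actually holds.
    if openssl verify -CAfile "$cafile" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "ok   chains to a root in $cafile"
    else
        echo "FAIL no trusted root for this certificate in $cafile (cause 3)"; fails=$((fails + 1))
    fi
    # 4. The name the client dials must equal a SAN dNSName; only without
    #    any SAN do we fall back to the subject CN. A short name such as
    #    "fw2" does not match "fw2.example.net".
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' \
            | tr ',' '\n' | sed 's/^ *//')
    if [ -n "$san" ]; then
        printf '%s\n' "$san" | grep -qx "DNS:$fqdn" && match=1 || match=0
    else
        printf '%s\n' "$text" | grep -q "Subject:.*CN *= *$fqdn\$" && match=1 || match=0
    fi
    if [ "$match" -eq 1 ]; then
        echo "ok   $fqdn matches the certificate name"
    else
        echo "FAIL $fqdn does not match the certificate's SAN/CN (cause 4)"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
make_lab_pki "$LAB"

echo "== good.crt, issuing CA present, dialled as fw2.example.net"
check_server_cert "$LAB/good.crt" "$LAB/ca.crt" fw2.example.net || true
echo "== bad.crt (clientAuth EKU, SAN is the short name fw2)"
check_server_cert "$LAB/bad.crt" "$LAB/ca.crt" fw2.example.net || true
echo "== good.crt checked by a client that lacks the issuing root"
check_server_cert "$LAB/good.crt" "$LAB/other-ca.crt" fw2.example.net || true
```

Against a real iked responder, call `check_server_cert` with the server's certificate, the CA file, and the exact name the Windows client dials (on OpenBSD the files would normally sit under /etc/iked/certs/ and /etc/iked/ca/). In the lab run, good.crt passes all four checks, bad.crt fails causes 1 and 4, and good.crt checked against other-ca.crt fails only cause 3.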