Post #3, 24th January 2015
jggimi (More noise than signal)
Hello, and welcome!

I run IKEv2 with certs, but only between OpenBSD systems; third party connections are not in use and I have no experience with them to share.
Quote:
OpenBSD 5.6 behind a router with port 500 and 4500 forwarded on.
Port 4500 is for NAT-Traversal, which you have disabled. (I don't use it in my configuration as my systems interconnect without NAT.)

I note you are using IP addresses in iked.conf. As I'm using certificates, I use FQDNs for srcid and destid, and my certificates match the FQDNs. As an example:
Code:
ikev2 active esp \
  from 10.0.3.2 to 10.0.3.1 \
  srcid netbook.jggimi.homeip.net \
  dstid fw2.jggimi.homeip.net
I decided to use FQDNs after having some early failures with short names/nicknames, and seeing a comment on misc@ that guided me in that direction. I can't find the comment right now. But when searching for it, I did find a recommendation to use two certificates on your Windows machine.

The error you're getting from Windows (13801) has these possible causes. If you're missing one of the two required certs, #3 might be why. If your cert and servers don't align exactly, #4 could be why, and you may want to switch to matching certificate names with FQDNs, as I do.

  1. The machine certificate used for IKEv2 validation on RAS Server does not have 'Server Authentication' as the EKU (Enhanced Key Usage).
  2. The machine certificate on RAS server has expired.
  3. The root certificate to validate the RAS server certificate is not present on the client.
  4. VPN Server Name as given on client doesn’t match with the subjectName of the server certificate.
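An added check, not part of jggimi's post and not OpenBSD or Windows tooling: a POSIX shell function that tests a server certificate with openssl(1) against the four 13801 causes listed above (serverAuth EKU, expiry, chaining to the CA the client holds, and the connected-to FQDN appearing in the subject CN or subjectAltName). It also builds a throwaway CA and two constructed certificates so it runs offline: a good one with the FQDN fw2.jggimi.homeip.net in CN and SAN plus serverAuth, and a bad one with only the short name fw2 and clientAuth. The directory, file names and host names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Checks a server cert against the
# four Windows 13801 causes using openssl(1). Names/paths are constructed.
set -u

# check_ikev2_server_cert CERT CA FQDN
# Returns 0 if CERT carries the serverAuth EKU (1), is unexpired (2), verifies
# against CA (3) and names FQDN in its CN or SAN (4); prints each failure.
check_ikev2_server_cert() {
    cert=$1; ca=$2; fqdn=$3; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # 1. EKU must contain Server Authentication (OID 1.3.6.1.5.5.7.3.1)
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL(1): no serverAuth EKU in $cert"; rc=1
    fi
    # 2. Not expired: -checkend 0 succeeds only if still valid right now
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL(2): $cert has expired"; rc=1
    fi
    # 3. Must chain to the CA the client has installed
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL(3): $cert does not verify against $ca"; rc=1
    fi
    # 4. The name the client connects to must be the CN or a DNS SAN entry;
    #    dots are escaped so "fw2" does not match "fw2.jggimi.homeip.net".
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    if ! printf '%s\n' "$text" | grep -Eq "(DNS:|CN ?= ?)$fqdn_re(,|$)"; then
        echo "FAIL(4): $fqdn not in subject CN/SAN of $cert"; rc=1
    fi
    return $rc
}

# issue_cert DIR NAME CN EKU: sign a cert for CN with the given EKU and a
# matching DNS SAN, using the demo CA in DIR (constructed test data).
issue_cert() {
    dir=$1; name=$2; cn=$3; eku=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$cn" \
        > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# make_demo_pki DIR: throwaway CA plus one good and one bad server cert.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=demo VPN CA' -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        >/dev/null 2>&1
    # good: FQDN in CN and SAN, serverAuth EKU (what Windows expects)
    issue_cert "$dir" good fw2.jggimi.homeip.net serverAuth
    # bad: short name only and no serverAuth (trips causes 1 and 4)
    issue_cert "$dir" bad fw2 clientAuth
}

# Stand-alone demo run.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_ikev2_server_cert "$demo/good.crt" "$demo/ca.crt" fw2.jggimi.homeip.net \
    && echo "good.crt: passes all four checks"
check_ikev2_server_cert "$demo/bad.crt" "$demo/ca.crt" fw2.jggimi.homeip.net \
    || echo "bad.crt: rejected as expected"
```

Run it against a real certificate with `check_ikev2_server_cert /etc/iked/certs/fw2.jggimi.homeip.net.crt /etc/iked/ca/ca.crt fw2.jggimi.homeip.net` (paths assumed); any FAIL(n) line maps directly to cause n in the list above.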