How to debug IPsec failure when using a certificate?

  • Question

  • I am trying to set up end-to-end IPsec transport mode between two Windows Server 2012 R2 VMs. I use a certificate for authentication. It works fine if I use a preshared key.

    The error I am getting (from the event log) is "IKE failed to find valid machine certificate". The error code is 13806, from netevent.xml.

    I am not able to find a log showing what IKEEXT doesn't like. I captured some WFP traces, but they are in XML format and I can't get much out of them. There is also a wfpdiag.etl file that I cannot translate into text. It may need a wfp.tmf file, but I cannot find such a file for Windows Server 2012 R2.

    <type>FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE</type>
    <ikeMmFailure>
      <failureErrorCode>13806 (ERROR_IPSEC_IKE_NO_CERT)</failureErrorCode>
      <failurePoint>IPSEC_FAILURE_ME</failurePoint>
      <flags/>
      <keyingModuleType>IKEEXT_KEY_MODULE_IKEV2</keyingModuleType>
      <mmState>IKEEXT_MM_SA_STATE_NONE</mmState>
      <saRole>IKEEXT_SA_ROLE_INITIATOR</saRole>
      <mmAuthMethod>IKEEXT_CERTIFICATE</mmAuthMethod>
      <endCertHash>0000000000000000000000000000000000000000</endCertHash>
      <mmId>42</mmId>
      <mmFilterId>91122</mmFilterId>
      <localPrincipalNameForAuth/>
      <remotePrincipalNameForAuth/>
      <localPrincipalGroupSids/>
      <remotePrincipalGroupSids/>
    </ikeMmFailure>

    Wednesday, May 4, 2016 5:57 PM
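The event quoted above is easier to read once the whole capture is tabulated. The following is an added example, not code from the original post: it parses the XML that `netsh wfp show netevents file=netevents.xml` writes and lists every IKEEXT main-mode or extended-mode failure with the fields that matter for a certificate problem. It assumes the events sit under `<netEvents><item>` with a `<header>` carrying the timestamp and peer address beside the `<type>` and `<ikeMmFailure>` elements; `$sample` is a constructed file built around the one event in the question.

```powershell
# Added example (not from the original post): summarise IKEEXT failures from a
# "netsh wfp show netevents" XML dump.
# Assumption: <netEvents><item><header>... wraps each event; $sample is constructed.
$sample = @'
<netEvents>
  <item>
    <header>
      <timeStamp>2016-05-04T17:50:12.000Z</timeStamp>
      <ipVersion>FWP_IP_VERSION_V4</ipVersion>
      <localAddrV4>192.0.2.10</localAddrV4>
      <remoteAddrV4>192.0.2.20</remoteAddrV4>
    </header>
    <type>FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE</type>
    <ikeMmFailure>
      <failureErrorCode>13806 (ERROR_IPSEC_IKE_NO_CERT)</failureErrorCode>
      <failurePoint>IPSEC_FAILURE_ME</failurePoint>
      <flags/>
      <keyingModuleType>IKEEXT_KEY_MODULE_IKEV2</keyingModuleType>
      <mmState>IKEEXT_MM_SA_STATE_NONE</mmState>
      <saRole>IKEEXT_SA_ROLE_INITIATOR</saRole>
      <mmAuthMethod>IKEEXT_CERTIFICATE</mmAuthMethod>
      <endCertHash>0000000000000000000000000000000000000000</endCertHash>
      <mmId>42</mmId>
      <mmFilterId>91122</mmFilterId>
    </ikeMmFailure>
  </item>
</netEvents>
'@

function Get-IkeFailure {
    param([Parameter(Mandatory)][xml]$Document)

    foreach ($item in @($Document.netEvents.item)) {
        # Authentication problems show up as main-mode (IKE/IKEv2) or
        # extended-mode (AuthIP) failures; every other event type is skipped.
        # (if/elseif rather than switch: "continue" inside a switch only
        # leaves the switch, not the foreach.)
        if ($item.type -eq 'FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE') {
            $d = $item.ikeMmFailure; $auth = $d.mmAuthMethod
        } elseif ($item.type -eq 'FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE') {
            $d = $item.ikeEmFailure; $auth = $d.emAuthMethod
        } else {
            continue
        }

        $peer = if ($item.header.remoteAddrV4) { $item.header.remoteAddrV4 } else { $item.header.remoteAddrV6 }

        [pscustomobject]@{
            Time     = $item.header.timeStamp
            Peer     = $peer
            Type     = $item.type -replace '^FWPM_NET_EVENT_TYPE_', ''
            Error    = $d.failureErrorCode
            Where    = $d.failurePoint     # IPSEC_FAILURE_ME: this host gave up; IPSEC_FAILURE_PEER: the other side did
            Role     = $d.saRole
            Auth     = $auth
            Keying   = $d.keyingModuleType
            CertHash = $d.endCertHash      # all zeros: no local end certificate was selected at all
        }
    }
}

# Constructed sample. For a live capture:
#   netsh wfp show netevents file=netevents.xml
#   Get-IkeFailure ([xml](Get-Content -Raw .\netevents.xml)) | Format-Table -AutoSize
Get-IkeFailure ([xml]$sample) | Format-Table -AutoSize
```

Read the combination of fields, not just the code: `IPSEC_FAILURE_ME` with role `INITIATOR` and an all-zero `endCertHash` means the local IKEEXT never picked a certificate before sending anything, so the peer, its certificate and the network are not yet involved; the search starts in the local machine store and in the CA the rule names.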

All replies

  • What certificate store have you stored the certificate in? I believe it needs to be in the Local Computer's Personal store, not the Current User's Personal store. Is the certification path of the certificate valid? (Double-click -> Certification Path.)

    If not, you may need to put the root certificates in the Local Computer's Trusted Root Certification Authorities store.

    J

    • Proposed as answer by JST86 Thursday, May 12, 2016 8:48 AM
    • Unproposed as answer by JST86 Monday, May 16, 2016 8:54 AM
    Thursday, May 12, 2016 8:48 AM
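The three points in this reply (which store the certificate is in, whether its chain builds, and whether the root is trusted by the machine) can be checked in one pass, with one addition a practitioner would want: the root the chain ends at has to be the same CA the connection security rule names. The script below is an added example, not code from this thread. It assumes `$Authority` holds the root CA subject you passed to `New-NetIPsecAuthProposal -Machine -Cert -Authority` (the DN shown is a hypothetical placeholder), and it runs in an elevated PowerShell on the host that logs `IPSEC_FAILURE_ME`.

```powershell
# Added example (not from the original thread): verify the local prerequisites
# for IPsec certificate authentication. Run elevated on the failing host.
# Assumption: $Authority is the root CA subject configured on the rule; the
# value below is a hypothetical placeholder.
$Authority = 'CN=Contoso Root CA, O=Contoso'

# 1. The named root must be in the Local Computer Trusted Root store. The
#    comparison here is string-exact, so DN order and spacing matter.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $Authority }
if (-not $root) {
    Write-Warning "No root with Subject '$Authority' in Cert:\LocalMachine\Root. Roots present:"
    Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint | Format-Table -AutoSize
}

# 2. IKEEXT runs as a service and only looks in the Local Computer store; a
#    certificate enrolled into Current User Personal is invisible to it.
#    (This matches certs issued directly by the root; adjust for intermediates.)
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -eq $Authority } |
    ForEach-Object { Write-Warning "$($_.Thumbprint) is in CurrentUser\My, not LocalMachine\My" }

# 3. Candidates IKEEXT can actually use: Local Computer Personal store, private
#    key present, inside the validity period, chain builds, and the chain ends
#    at the root the rule names.
$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain shape first; revocation is a separate failure mode
    $built = $chain.Build($cert)
    $top   = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        HasPrivKey  = $cert.HasPrivateKey
        InValidity  = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        ChainBuilds = $built
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        RootMatches = ($null -ne $top -and $top.Subject -eq $Authority)
        # Empty EKU list means the cert is not restricted to a purpose.
        EKU         = (($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ',')
    }
} | Format-Table -AutoSize
```

A row with `HasPrivKey`, `InValidity`, `ChainBuilds` and `RootMatches` all `True` is what IKEEXT needs to find; if no row gets there, the column that is `False` names the fix. To confirm which CA the rule really asks for, compare `$Authority` with the authentication settings printed by `netsh advfirewall consec show rule name=all verbose`. For more detail than error 13806 alone, enable failure auditing for the IPsec Main Mode subcategory (`auditpol /set /subcategory:"IPsec Main Mode" /failure:enable`) and read the resulting negotiation-failure events in the Security log, which carry a failure reason text.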
  • I have tried that. The certificate chain is OK, per "certutil". I suspect there is something in the certificate that IKEEXT doesn't like.

    Does anyone know how to get more detailed logging from Windows IKE? So far, I can only get error code 13806, etc.

    Friday, May 13, 2016 6:56 PM