
I'm trying to get machine authentication working with Microsoft "Always On VPN". I'm running into error 13801 on attempting to connect with a client. This error implies there is some sort of certificate-related issue, though I've gone through and checked all of the obvious items.

Both the client and the RAS server have the CA as a trusted root authority and both have been issued certificates, kept in their local computer/personal stores. The client has the Client Authentication EKU and the server has the Server Authentication, IPsec IKE Intermediate and Client Authentication EKUs. The subject name on the server cert matches the host name in the client's connection. I've also disabled IKE EKU and CRL checking on the client as part of the troubleshooting process.

I've generated RRAS trace logs and all I can see is that the vpnike module is kicking back with error 13801. I don't see anything about the process it went through, which certs it actually attempted to use, etc.

Here is the config output for my client's VPN connection, which was created per Microsoft directions using the system context so the machine certificate could be used:

ServerAddress         : server.domain.com
AllUserConnection     : True
Guid                  : {87C51048-BC50-475F-8CEF-2C9C49687205}
TunnelType            : Ikev2
AuthenticationMethod  : {MachineCertificate}
EncryptionLevel       : Maximum
L2tpIPsecAuth         :
UseWinlogonCredential : False
EapConfigXmlStream    :
ConnectionStatus      : Disconnected
RememberCredential    : True
SplitTunneling        : True
DnsSuffix             :
IdleDisconnectSeconds : 0
Robert Meany

2 Answers


I was also having a similar problem, getting 13801 all the time for no apparent reason.

The solution in my case was to allow the RAS server in the DMZ access to the CA for CRL checking!

In the firewall I added this rule (NETWORK firewall, not Windows), then rebooted the RAS server.

Interface:DMZ Action:ALLOW SRC:AOVPN-SERVER DST:InternalCA SVC: http

I did an allow ALL for SVC initially but will look to cut this down.

Andrew Schulman
Aaron
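The question's checklist (trusted root, certificate in the computer/personal store, the right EKUs on each side, subject matching the server address) and the accepted answer's finding (the RAS server could not reach the CA's CRL) are both things that can be verified from a PowerShell prompt instead of by reading vpnike traces. The script below is an added example, not code from the question or either answer: it enumerates the machine certificates that carry the EKUs each role needs, builds the chain with online revocation checking the way IKE does, checks the server certificate's name against the `ServerAddress`, and probes every HTTP CRL distribution point in the certificate. `-Role` and `$ServerFqdn` are parameters assumed for this example; `server.domain.com` is the placeholder from the question.

```powershell
# Added example (not from the question or answers): audit the certificates an
# IKEv2 machine-certificate tunnel depends on and test whether each CRL
# distribution point is reachable. Run in an elevated PowerShell on the
# client (-Role Client) or on the RRAS server (-Role Server).
param(
    [ValidateSet('Client', 'Server')] [string] $Role = 'Client',
    [string] $ServerFqdn = 'server.domain.com'   # assumed placeholder: the VPN ServerAddress
)

$oidClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$oidServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$oidIkeInterm  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

# EKUs each side must carry, as listed in the question
$required = if ($Role -eq 'Server') { $oidServerAuth, $oidIkeInterm, $oidClientAuth } else { , $oidClientAuth }

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekus    = @($cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
    $missing = @($required | Where-Object { $ekus -notcontains $_ })
    if ($missing.Count -gt 0) { continue }   # not a candidate certificate for this role

    "=== $($cert.Subject) (thumbprint $($cert.Thumbprint))"
    "Private key present : $($cert.HasPrivateKey)"
    "Valid               : $($cert.NotBefore.ToString('u')) .. $($cert.NotAfter.ToString('u'))"

    # Build the full chain with online revocation checking; a chain that only
    # builds with revocation disabled points at exactly the CRL problem below.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($cert)
    "Chain builds        : $built"
    foreach ($s in $chain.ChainStatus) {
        "  chain status: $($s.Status) - $($s.StatusInformation.Trim())"
    }

    if ($Role -eq 'Server') {
        # Subject CN or SAN must match what the client dials
        $names = @($cert.DnsNameList | ForEach-Object Unicode)
        "Name matches $ServerFqdn : $($names -contains $ServerFqdn)"
    }

    # Extract the HTTP CRL Distribution Point URLs (extension 2.5.29.31) and
    # probe each one; this is the traffic the accepted answer's firewall rule
    # had to allow from the RAS server to the internal CA. LDAP CDPs are skipped.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $urls = [regex]::Matches($cdp.Format($true), 'URL=(http[^\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        foreach ($u in $urls) {
            try {
                $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
                "CRL reachable       : $u (HTTP $($r.StatusCode))"
            }
            catch {
                "CRL UNREACHABLE     : $u ($($_.Exception.Message))"
            }
        }
    }
}
```

Run it with `-Role Server` on the RAS server as well as on the client: in IKEv2 each side validates the other's certificate chain, so a CRL that is reachable from the client but blocked from the DMZ will still fail the connection, which is the situation the accepted answer describes. Disabling CRL checking on the client, as the question did, only removes the check on that one side.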

And here I was thinking I had a complex issue, looking at trace logs, when all it was was this checkbox.

Robert Meany
  • Can you explain what that dialog is and how to open it? – Orabîg Nov 11 '21 at 08:12
  • On your RRAS server, open the RRAS console. Right-click on the server name and select Properties. Go to the Security tab, click the Authentication Methods button and ensure 'Allow machine certificate authentication for IKEv2' is selected. This is required for device tunnels, as the machine accounts use their certificates for authentication, and this is not checked by default. – Robert Meany Nov 12 '21 at 14:10
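The same setting can be read and changed from PowerShell on the RRAS server, which is easier to audit across several servers than opening the console on each. The snippet below is an added example, not from the comment above; it uses the `RemoteAccess` module's `Get-VpnAuthProtocol` / `Set-VpnAuthProtocol` cmdlets and assumes that `Certificate` in `UserAuthProtocolAccepted` is the PowerShell counterpart of the 'Allow machine certificate authentication for IKEv2' checkbox (that mapping is an assumption of this example, so confirm it against the dialog once).

```powershell
# Added example (not from the comment): show the RRAS IKEv2 authentication
# settings and, if machine-certificate authentication is not accepted, add it
# without dropping whatever is already accepted (e.g. EAP for user tunnels).
# Assumes the Remote Access role and its RemoteAccess module are installed,
# and that 'Certificate' maps to the console checkbox (assumption).
Import-Module RemoteAccess

$auth = Get-VpnAuthProtocol
"Accepted auth protocols : $($auth.UserAuthProtocolAccepted -join ', ')"
"Root CA(s) accepted     : $(@($auth.RootCertificateNameToAccept | ForEach-Object Subject) -join '; ')"

if ($auth.UserAuthProtocolAccepted -notcontains 'Certificate') {
    $protocols = @($auth.UserAuthProtocolAccepted) + 'Certificate'
    Set-VpnAuthProtocol -UserAuthProtocolAccepted $protocols -PassThru
    "Enabled machine certificate authentication for IKEv2; restart the RemoteAccess service for RRAS to apply it."
}
else {
    "Machine certificate authentication for IKEv2 is already enabled."
}
```

The first two output lines are worth keeping in a build checklist for device-tunnel servers: the protocol list shows whether the checkbox is set, and the accepted root CA list shows which issuing CA the server will trust for client machine certificates.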