
I'm setting up a P2S configuration on an Azure VPN Gateway. I'm attempting to use machine certificate authentication and IKEv2. I'm using the built-in Windows 10 (1909) client and self-generated certificates created using PowerShell.

I can make the connection work using DH Group 2; however, my connection fails once I switch the DH Group to ECP256. I receive the error 'Error (13801) IKE Authentication credentials are unacceptable.'

Initial analysis suggested the certificate needed to be of type ECP, so I generated the certificate as follows:

# $cert holds the self-signed root certificate used to sign this client certificate.
# 2.5.29.37 is the Enhanced Key Usage extension; 1.3.6.1.5.5.7.3.2 is Client Authentication.
# ECDSA_nistP256 produces an ECP256 key to match the IKEv2 DH group being tested.
New-SelfSignedCertificate -Type Custom `
  -Subject "***" `
  -CertStoreLocation "Cert:\LocalMachine\My" `
  -Signer $cert `
  -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
  -KeyExportPolicy Exportable `
  -KeyAlgorithm ECDSA_nistP256 `
  -CurveExport CurveName `
  -HashAlgorithm sha256

Can anyone suggest a possible resolution?

haymansfield
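Added diagnostic example, not from the question or either answer: a PowerShell script that inspects a machine certificate created the way the question does and reports the properties the Azure P2S IKEv2 machine-certificate path depends on (key algorithm and size, Client Authentication EKU, private key presence, chain to the root whose public part is uploaded to the gateway). The `$Thumbprint` parameter and the lookup in Cert:\LocalMachine\My are assumptions; it needs Windows PowerShell 5.1 or later.

```powershell
# Added example (not the asker's code): inspect a P2S client certificate in the
# machine store and report the properties the IKEv2 machine-cert path depends on.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint   # assumed: thumbprint of the client certificate to inspect
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU set via -TextExtension

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Public key algorithm: "RSA" for RSA keys, "ECC" for ECDSA keys (ECP256 in gateway terms).
$algorithm = $cert.PublicKey.Oid.FriendlyName
if ($algorithm -eq 'ECC') {
    # PublicKey.Key throws for ECC on .NET Framework, so use the ECDsa extension method.
    $ecdsa   = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
    $keySize = $ecdsa.KeySize          # 256 for nistP256
} else {
    $keySize = $cert.PublicKey.Key.KeySize
}

# The client certificate must carry the Client Authentication EKU.
$hasClientAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })

# IKEv2 machine-cert auth needs the private key present in the machine store.
$hasPrivateKey = $cert.HasPrivateKey

# Build the chain up to the self-signed root. Self-signed roots publish no CRL, so skip
# revocation, and allow an unknown CA so the chain structure is checked even if the root
# is not yet in this machine's trusted root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chainBuilds = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Subject        = $cert.Subject
    KeyAlgorithm   = $algorithm
    KeySize        = $keySize
    HasClientAuth  = $hasClientAuth
    HasPrivateKey  = $hasPrivateKey
    ChainBuilds    = $chainBuilds
    RootSubject    = $root.Subject
    RootThumbprint = $root.Thumbprint   # compare with the root uploaded to the gateway
} | Format-List
```

Run it as the machine-store owner (elevated) so the private key check reflects what the built-in VPN client sees; a report of KeyAlgorithm "ECC" with KeySize 256 confirms the certificate itself matches what the question generated, which isolates the failure to the gateway side.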

2 Answers


Try setting the Enhanced Key Usage to Server Authentication. See the -TextExtension parameter of New-SelfSignedCertificate. It might be a bit tricky to get right.

Using OpenSSL instead might be an option too.

Matthias Güntert

Turns out, at the time of writing, ECP256 P2S connections are not supported for machine certificate authentication.

I've had this confirmed by Microsoft.

haymansfield