I'm trying to get machine authentication working with Microsoft "always on vpn".. I'm running into error 13801 on attempting to connect with a client. This error implies there is some sort of certificate-related issue - though I've gone through and checked all of the obvious items.
Both the client and the RAS server have the CA as a trusted root authority and both have been issued certificates, kept in their local computer/personal stores. The client has client authentication EKU and the server has server authentication, IPSEC IKE intermediate and Client Auth EKUs. The subject name on the server cert matches the host name in the client's connection. I've also disabled IKE EKU and CRL checking on the client as part of the troubleshooting process.
I've generated RRAS trace logs and all I can see are that the vpnike module is kicking back with error 13801.. I don't see anything about the process it went through, which certs it actually attempted to use etc...
Here is config output on my client's VPN connection, which was created per Microsoft directions using the system context so the machine certificate could be used...
ServerAddress : server.domain.com
AllUserConnection : True
Guid : {87C51048-BC50-475F-8CEF-2C9C49687205}
TunnelType : Ikev2
AuthenticationMethod : {MachineCertificate}
EncryptionLevel : Maximum
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Disconnected
RememberCredential : True
SplitTunneling : True
DnsSuffix :
IdleDisconnectSeconds : 0
I was also having a similar problem with getting 13801 all the time for no apparent reason.
The solution for my case was, allow the RAS server in the DMZ access to the CA for CRL checking!
In the firewall I added this rule (NETWORK not Windows) then rebooted the RAS server.
I did an allow ALL for SVC initally put will look to cut this down.
And here I was thinking I had a complex issue, looking at trace logs when all it was, was this checkbox