[Users] Re: X509Patch0.9.7 error with cert_pkcs7_wrapped_x509 from WinXP

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Sat Mar 23 2002 - 00:49:18 CET


Markus Koellner wrote:
>
> Hi Andreas,
>
> my setup in brief:
> Freeswan1.94 + X.509Patch0.9.7 as Gateway
> WinXP Professional + IPsec Tool V.2.0.1 by Marcus Mueller as Roadwarrior
>
> my problem:
> When I try to initiate a connection from winxp without storing the certificate
> in freeswan locally I get the following error message:
>
> Mar 21 16:31:51 vpngate02 Pluto[18932]: packet from 217.0.127.78:500:
> ignoring Vendor ID payload
> Mar 21 16:31:51 vpngate02 Pluto[18932]: "hismkg-1050" 217.0.127.78 #1:
> responding to Main Mode from unknown peer 217.0.127.78
> Mar 21 16:31:52 vpngate02 Pluto[18932]: "hismkg-1050" 217.0.127.78 #1: Peer
> ID is ID_DER_ASN1_DN: 'CN=1050-testclient'
> Mar 21 16:31:52 vpngate02 Pluto[18932]: "hismkg-1050" 217.0.127.78 #1:
> ignoring CERT_PKCS7_WRAPPED_X509 certificate payload
> Mar 21 16:31:52 vpngate02 Pluto[18932]: "hismkg-1050" 217.0.127.78 #1: no
> RSA public key known for 'CN=1050-testclient'
> Mar 21 16:31:53 vpngate02 Pluto[18932]: "hismkg-1050" 217.0.127.78 #1: Peer
> ID is ID_DER_ASN1_DN: 'CN=1050-testclient'
> Mar 21 16:31:53 vpngate02 Pluto[18932]: "hismkg-1050" 217.0.127.78 #1:
> ignoring CERT_PKCS7_WRAPPED_X509 certificate payload

Very strange that Windows XP sends its certificate in PKCS#7 wrapped format.
Since the X.509 patch supports CERT_X509_SIGNATURE format only, all other
formats are discarded. Try to find out why XP sends this format. Marcus
Müller's homepage says that XP works with the X.509 patch, therefore it
must normally send its cert in standard DER-Format.

> Mar 21 16:31:53 vpngate02 Pluto[18932]: "hismkg-1050" 217.0.127.78 #1: no
> RSA public key known for 'CN=1050-testclient'
>
> This looks like freeswan can't find the public key because it ignores winxp's
> certificate. Why doesn't freeswan like this certificate format of winxp?
> I created all certificates with openssl. Are there special options in
> openssl, so I don't have any problems with that?
>
> When I store winxp's certificate locally in /etc/ipsec.d I don't have any
> problems.
> I would really appreciate any other solution than storing them locally
> since this is very uncomfortable and reminds me of old times :-(

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
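
The behaviour described in the reply, as an added example that is not part of the original thread or of the X.509 patch: a parser for the ISAKMP Certificate payload (RFC 2408, section 3.9) that reads the Certificate Encoding byte and reports whether a responder handling only CERT_X509_SIGNATURE would use the certificate or ignore the payload. The function names and the sample bytes are constructed for illustration; the encoding numbers come from RFC 2408.

```python
import struct

# Certificate Encoding values from RFC 2408, section 3.9.
CERT_ENCODINGS = {
    0: "NONE", 1: "CERT_PKCS7_WRAPPED_X509", 2: "PGP certificate",
    3: "DNS signed key", 4: "CERT_X509_SIGNATURE",
    5: "X.509 certificate (key exchange)", 6: "Kerberos tokens",
    7: "CRL", 8: "ARL", 9: "SPKI certificate",
    10: "X.509 certificate (attribute)",
}
ACCEPTED = {4}  # per the reply: only CERT_X509_SIGNATURE is processed

# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def classify_cert_payload(payload: bytes) -> dict:
    """Parse one ISAKMP Certificate payload and report how a responder
    that only handles CERT_X509_SIGNATURE would treat it."""
    if len(payload) < 5:
        raise ValueError("truncated: CERT payload needs a 5-byte header")
    # Generic header (next payload, reserved, length) + encoding byte.
    next_payload, _reserved, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length < 5 or length > len(payload):
        raise ValueError(f"bad payload length {length} for {len(payload)} bytes")
    data = payload[5:length]
    return {
        "next_payload": next_payload,
        "encoding": CERT_ENCODINGS.get(encoding, f"unknown ({encoding})"),
        "data_len": len(data),
        "looks_like_pkcs7": PKCS7_SIGNED_DATA_OID in data[:32],
        "action": "use certificate" if encoding in ACCEPTED else "ignore payload",
    }


def build_cert_payload(encoding: int, data: bytes, next_payload: int = 0) -> bytes:
    """Construct a CERT payload (used here only to make sample input)."""
    return struct.pack("!BBHB", next_payload, 0, 5 + len(data), encoding) + data


# Constructed samples: the leading bytes of a DER certificate and of a
# PKCS#7 ContentInfo, not real certificates.
SAMPLE_DER = bytes.fromhex("308202a030820188")
SAMPLE_P7 = bytes.fromhex("3082030a") + PKCS7_SIGNED_DATA_OID + bytes.fromhex("a08202fb")

if __name__ == "__main__":
    for enc, blob in ((4, SAMPLE_DER), (1, SAMPLE_P7)):
        print(classify_cert_payload(build_cert_payload(enc, blob)))
```
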