
Re: [Users] W2k does not talk

From: Andreas Haumer (andreas_at_xss.co.at)
Date: Wed Apr 24 2002 - 13:25:24 CEST


Hi!

Harry Brueckner wrote:
>
> Hello,
>
> Andreas Haumer wrote:
>
[...]
>
> > Second: Windows is very picky about special characters in the DN.
> > In our case, it was the "+" in "xS+S" which Windows didn't like,
> > and the VPN configuration was ignored completely, resulting in the
> > same symptoms you describe.
>
> What exactly do you mean by that?
>
I had a DN like this: C=AT, L=Vienna, O=xS+S, CN=xS+S Certification
Authority
and found Windows behaving exactly like you describe: not a single
packet going to the FreeS/WAN gateway.

I then activated debugging and found error messages like:
[...]
error in CertStrToName = -2146885597
Failed to get issuer DN
[...]

That gave me the idea to change the certificate's DN and remove
all the "+" characters. After that it worked immediately!
(FreeS/WAN didn't have this problem, though)

> > I don't see this problem in your example
> > configuration file, but it is something to be aware of. Maybe it
> > also doesn't like the "-" in your "O=" field?
>
> The "-" was in my test certificate already and working fine there. :-/
>
ok.

> > You can also activate some Windows debugging feature to get
> > more information out of this "operating system"
> >
> > You have to add the following key to your registry:
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
> >
> > and add a REG_DWORD named "EnableLogging" with a value of
> > "1" to this key.
> >
> > After a reboot windows writes some debugging information
> > to a file called "Oakley.log" in your %SystemRoot%\debug folder.
>
> I tried that too but the debug information there is kind of useless. It
> shows a lot of debug stuff which might be useful if you could look at the
> source code but since I don't have this it's kinda useless.
> The only error message I get there is "No response from peer" and that
> is not really astonishing since the peer never gets any data sent and
> hence does not answer.
>
> Maybe you have any other ideas?
> I guess it might be that the client does not find my certificate but it
> is in the right place and in my config I use the root ca data which I
> can also see when I look at properties of the imported certificate.
>
Are you able to talk to your FreeS/WAN VPN gateway directly
(e.g. "ping" it)? This is just to check if the basic TCP/IP config
is ok on the W2K computer (network drivers, IP address, routing, etc.)

You said you have a working configuration on a W2K notebook.
I would try to check and compare every single piece of configuration
between the two W2K machines. There must be some difference
(after all, even Windows is a somewhat deterministic system,
even if this seems to be unbelievable sometimes :-)

HTH

- andreas

-- 
Andreas Haumer                     | mailto:andreas_at_xss.co.at
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST