[Users] IKE failed to find valid machine certificate

From: jrw_at_ngi.be
Date: Tue Sep 10 2002 - 12:11:40 CEST


Hi,
I want to create a VPN gateway.
This is the map:

roadwarrior
   W2k
10.0.0.0/8
-----------
 |
 |
-----------
 vpn GW
Linux
-----------
 |
 |
--+-+-+-+--
192.168.1.0/24
network

When I launch the VPN tools on the Windows side, I get the following error:
 9-10: 12:00:04:5ac Me
 9-10: 12:00:04:5ac IKE failed to find valid machine certificate

I saw that it could come from a bad validity date, but the client certificate
ends before the CA certificate:

Client certificate validity :
   Not Before: Sep 10 09:01:35 2002 GMT
   Not After : May 11 09:01:35 2010 GMT
CA certificate validity :
   Not Before: Jul 23 12:49:19 2002 GMT
   Not After : Oct 9 12:49:19 2010 GMT

I was unable to find the solution; thanks for any help.

-------------
Information :
-------------

oakley.log :
------------

9-10: 12:20:37:410 Posting acquire: op=FFAE3748 src=10.1.110.9.0
dst=192.168.1.2.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0,
Tunnel 1, TunnelEndpt=10.1.110.253 Inbound TunnelEndpt=10.1.110.9
 9-10: 12:20:37:410 Acquire thread waiting
 9-10: 12:20:37:550 find(ipsec): b08be01c-61bb-400b-b37f2cb2427458f5
 9-10: 12:20:37:550 outstanding_kernel_req returned 0
 9-10: 12:20:37:550 Created new SA 23bc08
 9-10: 12:20:38:550 Acquire: src = 10.1.110.9.0000, dst =
10.1.110.253.62465, proto = 00, context = FFAE3748, ProxySrc =
10.1.110.9.0000, ProxyDst = 192.168.1.0.0000 SrcMask = 0.0.0.0 DstMask =
255.255.255.0
 9-10: 12:20:38:550 constructing ISAKMP Header
 9-10: 12:20:38:550 constructing SA (ISAKMP)
 9-10: 12:20:38:550 find(isakmp): b08be01c-61bb-400b-b37f2cb2427458f5
 9-10: 12:20:38:550 Setting group desc
 9-10: 12:20:38:550 Setting group desc
 9-10: 12:20:38:550 Setting group desc
 9-10: 12:20:38:550 Setting group desc
 9-10: 12:20:38:550 Constructing Vendor
 9-10: 12:20:38:550 Throw: State mask=1
 9-10: 12:20:38:550 Added Timeout c2e38
 9-10: 12:20:38:550 Setting Retransmit: sa 23bc08 handle c2e38 context
23a730
 9-10: 12:20:38:550
 9-10: 12:20:38:550 Sending: SA = 0x0023BC08 to 10.1.110.253
 9-10: 12:20:38:550 ISAKMP Header: (V1.0), len = 216
 9-10: 12:20:38:550 I-COOKIE a47a5aec6e2328ae
 9-10: 12:20:38:550 R-COOKIE 0000000000000000
 9-10: 12:20:38:550 exchange: Oakley Main Mode
 9-10: 12:20:38:550 flags: 0
 9-10: 12:20:38:550 next payload: SA
 9-10: 12:20:38:550 message ID: 00000000
 9-10: 12:20:38:550
 9-10: 12:20:38:550 Resume: (get) SA = 0x0023bc08 from 10.1.110.253
 9-10: 12:20:38:550 ISAKMP Header: (V1.0), len = 84
 9-10: 12:20:38:550 I-COOKIE a47a5aec6e2328ae
 9-10: 12:20:38:550 R-COOKIE c035732636e27e99
 9-10: 12:20:38:550 exchange: Oakley Main Mode
 9-10: 12:20:38:550 flags: 0
 9-10: 12:20:38:550 next payload: SA
 9-10: 12:20:38:550 message ID: 00000000
 9-10: 12:20:38:550 Stopping RetransTimer sa:0023BC08 centry:00000000
handle:000C2E38
 9-10: 12:20:38:550 processing payload SA
 9-10: 12:20:38:550 Received Phase 1 Transform 1
 9-10: 12:20:38:550 Encryption Alg Triple DES CBC(5)
 9-10: 12:20:38:550 Hash Alg SHA(2)
 9-10: 12:20:38:550 Oakley Group 2
 9-10: 12:20:38:550 Auth Method RSA Signature with Certificates(3)
 9-10: 12:20:38:550 Life type in Seconds
 9-10: 12:20:38:550 Life duration of 28800
 9-10: 12:20:38:550 Phase 1 SA accepted: transform=1
 9-10: 12:20:38:550 SA - Oakley proposal accepted
 9-10: 12:20:38:550 In state OAK_MM_SA_SETUP
 9-10: 12:20:38:550 constructing ISAKMP Header
 9-10: 12:20:38:550 constructing KE
 9-10: 12:20:38:550 constructing NONCE (ISAKMP)
 9-10: 12:20:38:550 Throw: State mask=7
 9-10: 12:20:38:550
 9-10: 12:20:38:550 Sending: SA = 0x0023BC08 to 10.1.110.253
 9-10: 12:20:38:550 ISAKMP Header: (V1.0), len = 184
 9-10: 12:20:38:550 I-COOKIE a47a5aec6e2328ae
 9-10: 12:20:38:550 R-COOKIE c035732636e27e99
 9-10: 12:20:38:550 exchange: Oakley Main Mode
 9-10: 12:20:38:550 flags: 0
 9-10: 12:20:38:550 next payload: KE
 9-10: 12:20:38:550 message ID: 00000000
 9-10: 12:20:38:550
 9-10: 12:20:38:550 Resume: (get) SA = 0x0023bc08 from 10.1.110.253
 9-10: 12:20:38:550 ISAKMP Header: (V1.0), len = 188
 9-10: 12:20:38:550 I-COOKIE a47a5aec6e2328ae
 9-10: 12:20:38:550 R-COOKIE c035732636e27e99
 9-10: 12:20:38:550 exchange: Oakley Main Mode
 9-10: 12:20:38:550 flags: 0
 9-10: 12:20:38:550 next payload: KE
 9-10: 12:20:38:550 message ID: 00000000
 9-10: 12:20:38:550 Stopping RetransTimer sa:0023BC08 centry:00000000
handle:000C2E38
 9-10: 12:20:38:550 processing payload KE
 9-10: 12:20:38:550 Generated 128 byte Shared Secret
 9-10: 12:20:38:550 KE processed; DH shared secret computed
 9-10: 12:20:38:550 processing payload NONCE
 9-10: 12:20:38:550 processing payload CR
 9-10: 12:20:38:550 Processing Cert request
 9-10: 12:20:38:550 In state OAK_MM_Key_EXCH
 9-10: 12:20:38:550 skeyid generated; crypto enabled (initiator)
 9-10: 12:20:38:550 constructing ISAKMP Header
 9-10: 12:20:38:550 constructing ID
 9-10: 12:20:38:550 Received no valid CRPs. Using all configured
 9-10: 12:20:38:550 failed to get chain -2146885628
 9-10: 12:20:38:550 ProcessFailure: sa:0023BC08 centry:00000000
status:cbad0326
 9-10: 12:20:38:550 isadb_set_status sa:0023BC08 centry:00000000 status
cbad0326
 9-10: 12:20:38:550 Key Exchange Mode (Main Mode)
 9-10: 12:20:38:550 Source IP Address 10.1.110.9 Source IP Address Mask
255.255.255.255 Destination IP Address 10.1.110.253 Destination IP Address
Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0
 9-10: 12:20:38:550 Me
 9-10: 12:20:38:550 IKE failed to find valid machine certificate
 9-10: 12:20:38:550 ProcessFailure: sa:0023BC08 centry:00000000
status:cbad0326
 9-10: 12:20:38:550 constructing ISAKMP Header
 9-10: 12:20:38:550 constructing HASH (null)
 9-10: 12:20:38:550 constructing NOTIFY 28
 9-10: 12:20:38:550 constructing HASH (ND)
 9-10: 12:20:38:550 Construct ND hash message len = 28 pcklen=80 hashlen=20
 9-10: 12:20:38:550 Construct ND Hash mess ID d394cd44
 9-10: 12:20:38:550 ND Hash skeyid_a 5d8668a04ef230560dbd18e7886832e2
 9-10: 12:20:38:550 bb7b53c2
 9-10: 12:20:38:550 ND Hash message 0000001c000000010110001ca47a5aec
 9-10: 12:20:38:550 6e2328aec035732636e27e99
 9-10: 12:20:38:550 Throw: State mask=200110f
 9-10: 12:20:38:550 Doing tripleDES
 9-10: 12:20:38:550
 9-10: 12:20:38:550 Sending: SA = 0x0023BC08 to 10.1.110.253
 9-10: 12:20:38:550 ISAKMP Header: (V1.0), len = 84
 9-10: 12:20:38:550 I-COOKIE a47a5aec6e2328ae
 9-10: 12:20:38:550 R-COOKIE c035732636e27e99
 9-10: 12:20:38:550 exchange: ISAKMP Informational Exchange
 9-10: 12:20:38:550 flags: 1 ( encrypted )
 9-10: 12:20:38:550 next payload: HASH
 9-10: 12:20:38:550 message ID: d394cd44

/var/log/auth.log of the VPN GW:
--------------------------------

Sep 10 12:19:25 radagast ipsec__plutorun: Starting Pluto subsystem...
Sep 10 12:19:25 radagast pluto[10915]: Starting Pluto (FreeS/WAN Version
1.98b)
Sep 10 12:19:25 radagast pluto[10915]: including X.509 patch (Version
0.9.14)
Sep 10 12:19:25 radagast pluto[10915]: Changing to directory
'/etc/ipsec.d/cacerts'
Sep 10 12:19:25 radagast pluto[10915]: loaded cacert file 'rootca.der'
(1789 bytes)
Sep 10 12:19:25 radagast pluto[10915]: Changing to directory
'/etc/ipsec.d/crls'
Sep 10 12:19:25 radagast pluto[10915]: loaded crl file 'crl.pem' (1084
bytes)
Sep 10 12:19:25 radagast pluto[10915]: loaded my default X.509 cert file
'/etc/x509cert.der' (1811 bytes)
Sep 10 12:19:25 radagast pluto[10915]: loaded host cert file
'/etc/ipsec.d/radagast.int.ngi.be.cert.pem' (7927 bytes)
Sep 10 12:19:25 radagast pluto[10915]: added connection description
"any-radagast"
Sep 10 12:19:25 radagast pluto[10915]: listening for IKE messages
Sep 10 12:19:25 radagast pluto[10915]: adding interface ipsec0/eth0
10.1.110.253
Sep 10 12:19:25 radagast pluto[10915]: loading secrets from
"/etc/ipsec.secrets"
Sep 10 12:19:25 radagast pluto[10915]: loaded private key file
'/etc/ipsec.d/private/radagast.int.ngi.be.req.key' (3311 bytes)
Sep 10 12:20:36 radagast pluto[10915]: packet from 10.1.110.9:500: ignoring
Vendor ID payload
Sep 10 12:20:36 radagast pluto[10915]: "any-radagast"[1] 10.1.110.9 #1:
responding to Main Mode from unknown peer 10.1.110.9
Sep 10 12:20:36 radagast pluto[10915]: "any-radagast"[1] 10.1.110.9 #1:
encrypted Informational Exchange message is invalid because it is for
incomplete ISAKMP SA

Configuration of the W2k:
-------------------------

conn logwin-radagast
        left=10.1.110.9
        leftca="C=BE, S=BELGIUM, L=Brussels, O=National Geographic
Institute, OU=CTI, CN=NGIInternalNetwork, E=hd_at_ngi.be"
        right=10.1.110.253
        rightca="C=BE, S=BELGIUM, L=Brussels, O=National Geograghic
Institute, OU=CTI, CN=Certificates Administrator, E=adm_at_ngi.be"
        rightsubnet=192.168.1.0/24
        network=auto
        auto=start
        pfs=yes

Configuration of the VPN GW:
----------------------------

radagast:~/fw# more /etc/ipsec.conf
# basic configuration
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        overridemtu=1430
 
conn %default
        rightrsasigkey=%cert
        right=10.1.110.253
        rightsubnet=192.168.1.0/24
        rightcert=radagast.int.ngi.be.cert.pem
        authby=rsasig
        keyingtries=1
        pfs=yes
 
conn any-radagast
        left=%any
        leftid="C=BE, ST=BELGIUM, L=Brussels, O=National Geographic
Institute, OU=CTI, CN=NGIInternalNetwork, E=hd_at_ngi.be"
        leftrsasigkey=%cert
        auto=add

If barf output is needed, I could provide it.

Regards,

-- 
  .''`. | Jean-Robert WIAME 
 : :' : | jrw AT ngi.be
 `. `'  | BELGIUM 
   `-   |  
--
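Added example (not part of the original post, and not FreeS/WAN or Windows code): a small triage script for the two artifacts above. It decodes the signed decimal value in the oakley.log line "failed to get chain -2146885628" into the Windows HRESULT it encodes (0x80092004, which wincrypt.h names CRYPT_E_NOT_FOUND), and it compares the DN strings from the posted configurations after normalizing attribute aliases (S vs ST, E vs Email), so that a DN that differs only by spelling or by an alias shows up explicitly. The sample log line and DN strings are copied from the post; the alias table is an assumption about which short names the two sides accept. The post does not say which of these is the actual cause.

```python
import re

# Attribute-name aliases that different X.509 tools print differently.
# Assumption: OpenSSL short names; the FreeS/WAN X.509 patch and Windows
# both accept S/ST for stateOrProvinceName and E/Email for emailAddress.
_ALIASES = {"S": "ST", "EMAIL": "E", "EMAILADDRESS": "E"}

# HRESULT values we can name with confidence (wincrypt.h). Anything else is
# reported as "unknown" rather than guessed.
_KNOWN_HRESULTS = {0x80092004: "CRYPT_E_NOT_FOUND"}

_CHAIN_RE = re.compile(r"failed to get chain (-?\d+)")


def hresult_hex(signed: int) -> str:
    """Render a signed 32-bit decimal as the unsigned hex HRESULT Windows logs it as."""
    return "0x%08X" % (signed & 0xFFFFFFFF)


def chain_failures(log_lines):
    """Scan oakley.log lines for chain-building failures.

    Returns a list of (hresult, name) tuples, one per matching line.
    """
    found = []
    for line in log_lines:
        m = _CHAIN_RE.search(line)
        if m:
            code = int(m.group(1)) & 0xFFFFFFFF
            found.append((code, _KNOWN_HRESULTS.get(code, "unknown")))
    return found


def parse_dn(dn: str):
    """Split an OpenSSL-style 'C=BE, ST=..., CN=...' string into (attr, value) pairs.

    Attribute names are upper-cased and mapped through _ALIASES; values keep
    their case so that case differences are reported rather than hidden.
    """
    rdns = []
    for part in re.split(r",\s*", dn.strip()):
        if not part:
            continue
        attr, _, value = part.partition("=")
        attr = attr.strip().upper()
        rdns.append((_ALIASES.get(attr, attr), value.strip()))
    return rdns


def dn_differences(a: str, b: str):
    """Return [(attr, value_in_a, value_in_b)] for every RDN that differs.

    Note: repeated attributes (e.g. two OU=) collapse to the last one; good
    enough for the single-valued DNs on this page.
    """
    pa, pb = dict(parse_dn(a)), dict(parse_dn(b))
    diffs = []
    for attr in sorted(set(pa) | set(pb)):
        if pa.get(attr) != pb.get(attr):
            diffs.append((attr, pa.get(attr), pb.get(attr)))
    return diffs


# Sample input copied from the post above (constructed for this example).
SAMPLE_LOG = [
    " 9-10: 12:20:38:550 Received no valid CRPs. Using all configured",
    " 9-10: 12:20:38:550 failed to get chain -2146885628",
    " 9-10: 12:20:38:550 IKE failed to find valid machine certificate",
]
W2K_LEFTCA = ("C=BE, S=BELGIUM, L=Brussels, O=National Geographic Institute, "
              "OU=CTI, CN=NGIInternalNetwork, E=hd_at_ngi.be")
W2K_RIGHTCA = ("C=BE, S=BELGIUM, L=Brussels, O=National Geograghic Institute, "
               "OU=CTI, CN=Certificates Administrator, E=adm_at_ngi.be")
GW_LEFTID = ("C=BE, ST=BELGIUM, L=Brussels, O=National Geographic Institute, "
             "OU=CTI, CN=NGIInternalNetwork, E=hd_at_ngi.be")

if __name__ == "__main__":
    for code, name in chain_failures(SAMPLE_LOG):
        print("chain failure: 0x%08X (%s)" % (code, name))
    print("W2k leftca vs GW leftid:", dn_differences(W2K_LEFTCA, GW_LEFTID))
    print("W2k leftca vs W2k rightca:", dn_differences(W2K_LEFTCA, W2K_RIGHTCA))
```

Run against the posted strings, the W2k leftca and the gateway leftid compare equal once S is treated as ST, while the W2k rightca differs from leftca in O (the "Geograghic" spelling), CN and E. Whether any of that is what the Windows CAPI chain engine tripped over is not something the post establishes; the script only makes the differences visible.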

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Wed Sep 11 2002 - 05:19:58 CEST