[Users] SSH Sentinel + X.509 + weird certificate problem

From: Mikael Lönnroth (mikael.lonnroth_at_advancevpn.com)
Date: Wed Sep 11 2002 - 19:07:51 CEST


Hello,

I still assume this is a configuration error on my part, but my problem is a
working configuration that suddenly (I have not been able to replicate the
behaviour) stops working. Here is the configuration + behaviour:

CONFIGURATION:

Gateway: FreeS/WAN 1.97 (X.509 + NAT-T + Delete SA)
Client: Windows XP + SSH Sentinel 1.3.2 (build 2)

The certificates are generated (all using openssl) in the following manner:

Root CA 1 = (signs) => Client certificate
Root CA 2 = (signs) => Gateway host certificate

The client certificate + Root CA 1 are bundled into a PKCS#12 and imported
into Sentinel (asks twice about accepting new certificates). Clicking on the
client certificate reveals that the trust relationship is OK. Additionally,
the Root CA 2 is imported into the Trusted Certificates >> Certificate
Authorities section for correct authentication of the gateway certificate.

Here is what I have then:

SSH Certification Authorities: Root CA 1, Root CA 2 and the original
Sentinel generated CA
My keys >> host key: The client certificate
My keys >> host key (2): The Sentinel client certificate

Gateway cacerts: Root CA 1, Root CA 2
Gateway x509cert.der: Gateway host certificate signed by Root CA 2

BEHAVIOUR:

Diagnostics goes through without problem and actually connecting to the host
works OK. The only thing that sort of jumps to my eye is the IKE LOG line "SPD:
Can not determine per-rule trusted CA root set for remote identity", but the
connection is still established (is this a problem when using two
CAs?).

Then, suddenly, the connection that worked for a while does not work anymore.

Diagnostics goes through OK, but it does not seem to be able to find the
Root CA 2 for the gateway host certificate and thus asks me to accept and
trust this new host certificate each time I run the diagnostics. On the
IKE LOG side of things there is one line just before the "Can not determine
per-rule" rule, which I unfortunately did not copy and paste, but it went
something like "Cannot store certificate (error 12)".

Help? :-)

Cheers,
Mikael Lönnroth
AdvanceVPN Oy
www.advancevpn.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Sun Sep 15 2002 - 05:20:05 CEST