From: Noel Kelly (nkelly_at_citrusnetworks.net)
Date: Sun Sep 15 2002 - 11:16:59 CEST
Yes, the CA cert is fine. Going along these lines I removed all the certs
from the XP machine and imported the same one that I have used with 2000.
Unfortunately it is the same failure though.
I wonder if XP is picky about unused fields in the certificate - perhaps it
needs them to be listed even if they are blank?
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
Sent: 15 September 2002 09:39
To: Noel Kelly
Cc: 'users_at_lists.freeswan.org'
Subject: Re: [Users] XP Pro & 1.98b x509
What about the validity interval of the CA certificate? Does it
form an outer bracket to the validity of the FreeS/WAN certificate
or does it expire earlier?
Andreas
Noel Kelly wrote:
> Good thinking Andreas - from the Oakley log: "IKE authentication
> credentials are unacceptable"
>
> Not sure why I am getting this though. Is "CertFindExtenstion failed with
> 0" as benign as it sounds? Or is it trying to report a genuine failure?
>
> Noel
>
>
> 9-15: 08:53:11:161:648 Receive: (get) SA = 0x00101ff8 from 192.168.3.2
> 9-15: 08:53:11:161:648 ISAKMP Header: (V1.0), len = 188
> 9-15: 08:53:11:161:648 I-COOKIE d1adff663977040a
> 9-15: 08:53:11:161:648 R-COOKIE 8a3d115cafad5284
> 9-15: 08:53:11:161:648 exchange: Oakley Main Mode
> 9-15: 08:53:11:161:648 flags: 0
> 9-15: 08:53:11:161:648 next payload: KE
> 9-15: 08:53:11:161:648 message ID: 00000000
> 9-15: 08:53:11:161:648 processing payload KE
> 9-15: 08:53:11:231:648 processing payload NONCE
> 9-15: 08:53:11:231:648 processing payload CRP
> 9-15: 08:53:11:281:648 constructing ISAKMP Header
> 9-15: 08:53:11:281:648 constructing ID
> 9-15: 08:53:11:321:648 Received no valid CRPs. Using all configured
> 9-15: 08:53:11:321:648 Looking for IPSec only cert
> 9-15: 08:53:11:391:648 Cert Trustes. 0 100
> 9-15: 08:53:11:391:648 CertFindExtenstion failed with 0
>
> 9-15: 08:53:11:572:648 Entered CRL check
> 9-15: 08:53:11:642:648 Left CRL check
> 9-15: 08:53:11:642:648 Cert SHA Thumbprint b536769bd41a377b3c520ec01297fac5
> 9-15: 08:53:11:642:648 21e26afe
> 9-15: 08:53:11:642:648 SubjectName: C=GB, S=Surrey, L=Kenley, O=Citrus,
> OU=Research, CN=XP
> 9-15: 08:53:11:642:648 Cert Serialnumber 02
> 9-15: 08:53:11:642:648 Cert SHA Thumbprint b536769bd41a377b3c520ec01297fac5
> 9-15: 08:53:11:642:648 21e26afe
> 9-15: 08:53:11:642:648 SubjectName: C=GB, S=Surrey, L=Kenley, O=Citrus,
> OU=Research, CN=vpnserver
> 9-15: 08:53:11:642:648 Cert Serialnumber 00
> 9-15: 08:53:11:642:648 Cert SHA Thumbprint 2eeb7cc3057fe68edc637ad79d6e139a
> 9-15: 08:53:11:642:648 00785f1a
> 9-15: 08:53:11:712:648 constructing CERT
> 9-15: 08:53:11:712:648 Construct SIG
> 9-15: 08:53:11:822:648 Constructing Cert Request
> 9-15: 08:53:11:822:648 C=GB, S=Surrey, L=Kenley, O=Citrus, OU=Research,
> CN=vpnserver
> 9-15: 08:53:11:832:648
> 9-15: 08:53:11:832:648 Sending: SA = 0x00101FF8 to 192.168.3.2:Type 2
> 9-15: 08:53:11:832:648 ISAKMP Header: (V1.0), len = 1588
> 9-15: 08:53:11:832:648 I-COOKIE d1adff663977040a
> 9-15: 08:53:11:832:648 R-COOKIE 8a3d115cafad5284
> 9-15: 08:53:11:832:648 exchange: Oakley Main Mode
> 9-15: 08:53:11:832:648 flags: 1 ( encrypted )
> 9-15: 08:53:11:832:648 next payload: ID
> 9-15: 08:53:11:832:648 message ID: 00000000
> 9-15: 08:53:12:333:648
> 9-15: 08:53:12:333:648 Receive: (get) SA = 0x00101ff8 from 192.168.3.2
> 9-15: 08:53:12:333:648 ISAKMP Header: (V1.0), len = 1492
> 9-15: 08:53:12:333:648 I-COOKIE d1adff663977040a
> 9-15: 08:53:12:333:648 R-COOKIE 8a3d115cafad5284
> 9-15: 08:53:12:333:648 exchange: Oakley Main Mode
> 9-15: 08:53:12:333:648 flags: 1 ( encrypted )
> 9-15: 08:53:12:333:648 next payload: ID
> 9-15: 08:53:12:333:648 message ID: 00000000
> 9-15: 08:53:12:333:648 processing payload ID
> 9-15: 08:53:12:333:648 processing payload CERT
> 9-15: 08:53:12:343:648 processing payload SIG
> 9-15: 08:53:12:343:648 Verifying CertStore
> 9-15: 08:53:12:343:648 SubjectName: C=GB, S=Surrey, L=Kenley, O=Citrus,
> OU=Research, CN=vpnserver
> 9-15: 08:53:12:343:648 Cert Serialnumber 01
> 9-15: 08:53:12:343:648 Cert SHA Thumbprint f0323ce22a9c358f5a09b078686303f4
> 9-15: 08:53:12:343:648 9035a58b
> 9-15: 08:53:12:343:648 Trust failed. 28 0
> 9-15: 08:53:12:343:648 Cert Trustes. 28 0
> 9-15: 08:53:12:343:648 SubjectName: C=GB, S=Surrey, L=Kenley, O=Citrus,
> OU=Research, CN=vpnserver
> 9-15: 08:53:12:343:648 Cert Serialnumber 01
> 9-15: 08:53:12:343:648 Cert SHA Thumbprint f0323ce22a9c358f5a09b078686303f4
> 9-15: 08:53:12:343:648 9035a58b
> 9-15: 08:53:12:343:648 Cert SHA Thumbprint f0323ce22a9c358f5a09b078686303f4
> 9-15: 08:53:12:343:648 9035a58b
> 9-15: 08:53:12:343:648 Certificate based Identity. Peer Subject C=GB,
> S=Surrey, L=Kenley, O=Citrus, OU=Research, CN=vpnserver Peer SHA Thumbprint
> f0323ce22a9c358f5a09b078686303f49035a58b Peer Issuing Certificate Authority
> C=GB, S=Surrey, L=Kenley, O=Citrus, OU=Research, CN=vpnserver Root
> Certificate Authority C=GB, S=Surrey, L=Kenley, O=Citrus, OU=Research,
> CN=vpnserver My Subject C=GB, S=Surrey, L=Kenley, O=Citrus, OU=Research,
> CN=XP My SHA Thumbprint b536769bd41a377b3c520ec01297fac521e26afe Peer IP
> Address: 192.168.3.2
> 9-15: 08:53:12:343:648 Source IP Address 192.168.0.15 Source IP Address
> Mask 255.255.255.255 Destination IP Address 192.168.3.2 Destination IP
> Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE
> Local Addr IKE Peer Addr
> 9-15: 08:53:12:343:648 isadb_set_status sa:00101FF8 centry:00000000 status
> 35e9
> 9-15: 08:53:12:373:648 Key Exchange Mode (Main Mode)
> 9-15: 08:53:12:373:648 Source IP Address 192.168.0.15 Source IP Address
> Mask 255.255.255.255 Destination IP Address 192.168.3.2 Destination IP
> Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE
> Local Addr IKE Peer Addr
> 9-15: 08:53:12:373:648 Certificate based Identity. Peer Subject C=GB,
> S=Surrey, L=Kenley, O=Citrus, OU=Research, CN=vpnserver Peer SHA Thumbprint
> f0323ce22a9c358f5a09b078686303f49035a58b Peer Issuing Certificate Authority
> C=GB, S=Surrey, L=Kenley, O=Citrus, OU=Research, CN=vpnserver Root
> Certificate Authority C=GB, S=Surrey, L=Kenley, O=Citrus, OU=Research,
> CN=vpnserver My Subject C=GB, S=Surrey, L=Kenley, O=Citrus, OU=Research,
> CN=XP My SHA Thumbprint b536769bd41a377b3c520ec01297fac521e26afe Peer IP
> Address: 192.168.3.2
> 9-15: 08:53:12:373:648 Me
> 9-15: 08:53:12:373:648 IKE authentication credentials are unacceptable
> 9-15: 08:53:12:373:648 0x0 0x0
> 9-15: 08:53:12:373:648 ProcessFailure: sa:00101FF8 centry:00000000
> status:35e9
> 9-15: 08:53:12:373:648 Not creating notify.
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
> Sent: 15 September 2002 08:49
> To: Noel Kelly
> Cc: 'users_at_lists.freeswan.org'
> Subject: Re: [Users] XP Pro & 1.98b x509
>
>
> What does the oakley.log say on the XP side? There must be some
> error messages.
>
> Regards
>
> Andreas
>
> P.S. Why do you define a rightsubnet in conn roadwarrior?
>
> Noel Kelly wrote:
>
>>Thanks for the answer, Steffen, but no, I don't have any at all. Here is the
>>ipsec.conf I am using on both 2000 and XP, which I tried to keep as just
>>plain text to make it simple.
>>
>>Noel
>>
>>conn %default
>># dial=MSN Internet
>>
>>conn roadwarrior
>> left=%any
>> right=192.168.3.2
>> rightsubnet=10.0.0.0/24
>> rightca="C=GB,S=Surrey,L=Kenley,O=Citrus,OU=Research,CN=vpnserver"
>> network=auto
>> auto=start
>> pfs=yes
>>
>>conn roadwarrior-net
>> left=%any
>> right=192.168.3.2
>> rightsubnet=10.0.0.0/24
>> rightca="C=GB,S=Surrey,L=Kenley,O=Citrus,OU=Research,CN=vpnserver"
>> network=auto
>> auto=start
>> pfs=yes
>>
>>
>>
>>-----Original Message-----
>>From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
>>Sent: 15 September 2002 08:20
>>To: Noel Kelly
>>Cc: 'users_at_lists.freeswan.org'
>>Subject: Re: [Users] XP Pro & 1.98b x509
>>
>>
>>Do you have an e-mail address field in the distinguished subject name
>>of the CA certificate? The ipseccmd.exe tool does not seem able to
>>handle special characters like '@' correctly.
>>
>>Regards
>>
>>Andreas
>>
>>Noel Kelly wrote:
>>
>>
>>>Hi,
>>>
>>>I have been following Nate Carlson's excellent guide to setting up Windows
>>>2000/XP with Freeswan x509 but have hit a bit of a brick wall for the last
>>>three days with my XP Pro machine. Windows 2000 SP2 works fine but XP does
>>>not complete the connection (ipseccmd.exe from install CD).
>>>
>>>Everything goes very well and most of the tunnel gets established - I just
>>>don't get to 'IPsec SA established' - it stops at 'sent MR3, ISAKMP SA
>>>established':
>>>
>>>Ping on remote XP to remote subnet begins:
>>>Sep 13 16:00:33 X509 pluto[9851]: "roadwarrior-net"[1] 192.168.0.15 #3:
>>>ignoring Delete SA payload
>>>Sep 13 16:00:33 X509 pluto[9851]: "roadwarrior-net"[1] 192.168.0.15 #3:
>>>received and ignored informational message
>>>Sep 13 16:00:50 X509 pluto[9851]: packet from 192.168.0.15:500: ignoring
>>>Vendor ID payload
>>>Sep 13 16:00:50 X509 pluto[9851]: "roadwarrior-net"[1] 192.168.0.15 #4:
>>>responding to Main Mode from unknown peer 192.168.0.15
>>>Sep 13 16:00:51 X509 pluto[9851]: "roadwarrior-net"[1] 192.168.0.15 #4: Peer
>>>ID is ID_DER_ASN1_DN: 'C=GB, ST=Surrey, L=Kenley, O=Citrus, OU=Research,
>>>CN=XP'
>>>Sep 13 16:00:51 X509 pluto[9851]: "roadwarrior-net"[1] 192.168.0.15 #4: sent
>>>MR3, ISAKMP SA established
>>>
>>>This has me flummoxed. When I try and ping the remote subnet I get
>>>'Negotiating IP Security' ad infinitum on the XP machine.
>>>
>>>My set up is identical to the one Nate describes in his howto and everything
>>>seems to be rosy. Any ideas how I can get Pluto/XP to complete the last
>>>step?
>>>
>>>Many Thanks,
>>>Noel
>>>
>>>
>>>_______________________________________________
>>>Users mailing list
>>>Users_at_lists.freeswan.org
>>>http://lists.freeswan.org/mailman/listinfo/users
>>
>>
>
> --
> ======================================================================
> Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH                    phone:  +41 76 340 25 56
> Alter Zürichweg 20                home:   http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==
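The two checks Andreas asks for in this thread (does the CA certificate's validity period bracket the end-entity certificate's, and does the subject DN carry an e-mail address that ipseccmd.exe may mishandle) as an added, stand-alone example that is not part of the thread. It parses raw X.509 UTCTime values (YYMMDDHHMMSSZ) with the RFC 5280 two-digit-year rule; the certificate dates and DNs below are constructed sample values, not the ones from Noel's setup.

```python
from datetime import datetime, timezone


def parse_utctime(value: str) -> datetime:
    """Decode an X.509 UTCTime (RFC 5280 4.1.2.5.1).

    Two-digit years 50..99 mean 1950..1999, 00..49 mean 2000..2049.
    Raises ValueError on anything that is not a 'YYMMDDHHMMSSZ' string.
    """
    if len(value) != 13 or not value.endswith("Z") or not value[:12].isdigit():
        raise ValueError(f"not an X.509 UTCTime: {value!r}")
    yy = int(value[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(value[2:4]), int(value[4:6]),
                    int(value[6:8]), int(value[8:10]), int(value[10:12]),
                    tzinfo=timezone.utc)


def ca_brackets_leaf(ca_not_before: str, ca_not_after: str,
                     leaf_not_before: str, leaf_not_after: str) -> bool:
    """True when the CA validity period is an outer bracket of the leaf's.

    A leaf that starts before the CA or outlives it fails strict chain
    validators even though each certificate is individually unexpired.
    """
    ca_nb, ca_na = parse_utctime(ca_not_before), parse_utctime(ca_not_after)
    leaf_nb, leaf_na = parse_utctime(leaf_not_before), parse_utctime(leaf_not_after)
    return ca_nb <= leaf_nb and leaf_na <= ca_na


def dn_email_components(dn: str) -> list:
    """Return DN components that hold an e-mail address.

    Matches both the attribute names 'E' / 'emailAddress' and any value
    containing '@', since the thread reports ipseccmd.exe cannot handle
    that character.  Splits on ',' only; a comma inside a quoted value is
    not handled (constructed helper, not a full RFC 4514 parser).
    """
    flagged = []
    for component in (c.strip() for c in dn.split(",")):
        attr, _, value = component.partition("=")
        if attr.strip().lower() in ("e", "emailaddress") or "@" in value:
            flagged.append(component)
    return flagged
```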
This archive was generated by hypermail 2.1.4 : Mon Sep 16 2002 - 05:20:06 CEST