Re: [Users] SSH Sentinel + X.509 + weird certificate problem

From: Mikael Lönnroth (gml_at_advancevpn.com)
Date: Tue Sep 17 2002 - 13:24:19 CEST


A follow-up to myself:

1) The error that SSH Sentinel reported (IKE Log) was: Can not insert
certificate into local database (error=16)

2) The error actually "went away" when I stopped and restarted Policy
Manager. (But I do expect it to return :) )

Regards,
Mikael

----- Original Message -----
From: "Mikael Lönnroth" <mikael.lonnroth_at_advancevpn.com>
To: <users_at_freeswan.org>
Sent: Wednesday, September 11, 2002 8:07 PM
Subject: [Users] SSH Sentinel + X.509 + weird certificate problem

> Hello,
>
> I still assume this is a configuration error on my part, but my problem is a
> working configuration that suddenly (have not been able to replicate
> behaviour) stops working. Here is the configuration + behaviour:
>
> CONFIGURATION:
>
> Gateway: FreeS/WAN 1.97 (X.509 + NAT-T + Delete SA)
> Client: Windows XP + SSH Sentinel 1.3.2 (build 2)
>
> The certificates are generated (all using openssl) in the following manner:
>
> Root CA 1 = (signs) => Client certificate
> Root CA 2 = (signs) => Gateway host certificate
>
> The client certificate + Root CA 1 are bundled into a PKCS#12 and imported
> into Sentinel (asks twice about accepting new certificates). Clicking on the
> client certificate reveals that the trust relationship is OK. Additionally,
> the Root CA 2 is imported into the Trusted Certificates >> Certificate
> Authorities section for correct authentication of the gateway certificate.
>
> Here is what I have then:
>
> SSH Certification Authorities: Root CA 1, Root CA 2 and the original
> Sentinel generated CA
> My keys >> host key: The client certificate
> My keys >> host key (2): The Sentinel client certificate
>
> Gateway cacerts: Root CA 1, Root CA 2
> Gateway x509cert.der: Gateway host certificate signed by Root CA 2
>
> BEHAVIOUR:
>
> Diagnostics goes through without problem and actually connecting to the host
> works OK. The only thing that sort of jumps to my eye is the IKE LOG: SPD:
> Can not determine per-rule trusted CA root set for remote identity, but the
> connection is still established (is this a problem when using two CAs?).
>
> Then, suddenly the connection that worked for a while, does not anymore.
>
> Diagnostics goes through OK, but it does not seem to be able to find the
> Root CA 2 for the gateway host certificate and thus asks me to accept and
> trust this new host certificate each time I run the diagnostics. On the
> IKE LOG side of things there is one line just before the "Can not determine
> per-rule" line, which I unfortunately did not copy and paste, but it went
> something like "Cannot store certificate (error 12)".
>
> Help? :-)
>
> Cheers,
> Mikael Lönnroth
> AdvanceVPN Oy
> www.advancevpn.com
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>
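The two-CA layout from the quoted message, rebuilt with openssl as an added example (not from the thread or from the FreeS/WAN or Sentinel projects): Root CA 1 signs the client certificate, Root CA 2 signs the gateway certificate, the client certificate plus Root CA 1 go into a PKCS#12, and each leaf is then checked against the root that should have signed it and against the other one, which is the check to run when a client stops recognising the gateway's issuer. File names, subjects and the PKCS#12 password are constructed for the example.

```shell
# Added example, not from the thread: build the two-CA layout with openssl
# and check which root each leaf actually chains to. All names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed root CA (key + certificate)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA: end-entity key + CSR for NAME, signed by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# verify_leaf NAME CA: succeeds only if NAME chains to CA
verify_leaf() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# p12_cert_count FILE: number of certificates inside the PKCS#12 bundle
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:constructed 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# build_pki: Root CA 1 -> client cert, Root CA 2 -> gateway cert,
# client cert + Root CA 1 bundled into a PKCS#12 for import on the client
build_pki() {
  make_ca rootca1
  make_ca rootca2
  make_leaf client rootca1
  make_leaf gateway rootca2
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/rootca1.crt" -passout pass:constructed \
    -out "$WORK/client.p12" 2>/dev/null
}

# When run: client -> rootca1 and gateway -> rootca2 verify, the crossed
# pair fails, and the PKCS#12 holds two certificates (leaf + Root CA 1).
build_pki
verify_leaf client rootca1  && echo "client chains to Root CA 1"
verify_leaf gateway rootca2 && echo "gateway chains to Root CA 2"
verify_leaf client rootca2  || echo "client does not chain to Root CA 2"
echo "certificates in client.p12: $(p12_cert_count "$WORK/client.p12")"
```

The gateway's cacerts directory plays the role of the `-CAfile` here: a peer certificate is only accepted if one of the roots placed there actually issued it, which is why the client import needs Root CA 2 as well as the Root CA 1 carried in the PKCS#12.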

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Wed Sep 18 2002 - 05:20:10 CEST