From: listuser (listuser_at_myrealbox.com)
Date: Fri Nov 22 2002 - 13:22:02 CET
Hello,
I have configured an X.509 based roadwarrior setup as documented in http://www.natecarlson.com/linux/ipsec-x509.php
After going through all the steps, when I finally ping the Linux box from the Windows system, it forever says Negotiating IP Security, and in the Windows security logs 2 messages appear telling that the certificate trust could not be established. I will be very grateful if someone can help me figure out what went wrong. Please tell me if you need any more info.
TIA,
raj
----------------------------
The Windows Security Audit message
1.
IKE security association establishment failed because peer could not authenticate. The certificate trust could not be established.
Peer Identity:
Certificate based Identity.
Peer Subject C=IN, S=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=vpn, E=raj_at_linuxense.com
Peer SHA Thumbprint c2aadbabaad9b7c8b77befbb4b5c56ed42c85fb4
Peer Issuing Certificate Authority C=IN, S=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=vpn, E=raj_at_linuxense.com
Root Certificate Authority C=IN, S=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=vpn, E=raj_at_linuxense.com
My Subject C=IN, S=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=Client, E=raj_at_linuxense.com
My SHA Thumbprint f30babe2f9fe8c3e921a5f374b33f82c4655df37
Peer IP Address: 202.88.238.xx
Filter:
Source IP Address 202.88.232.xx
Source IP Address Mask 255.255.255.255
Destination IP Address 202.88.238.xx
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
2.
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)
Filter:
Source IP Address 202.88.232.xx
Source IP Address Mask 255.255.255.255
Destination IP Address 202.88.238.58
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
Peer Identity:
Certificate based Identity.
Peer Subject C=IN, S=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=vpn, E=raj_at_linuxense.com
Peer SHA Thumbprint 2aadbabaad9b7c8b77befbb4b5c56ed42c85fb4
Peer Issuing Certificate Authority C=IN, S=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=vpn, E=raj_at_linuxense.com
Root Certificate Authority C=IN, S=Kerala, L=Trivandrum, O=Asianet, OU=ADL, CN=vpn, E=raj_at_linuxense.com
My Subject C=IN, S=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=Client, E=raj_at_linuxense.com
My SHA Thumbprint f30babe2f9fe8c3e921a5f374b33f82c4655df37
Peer IP Address: 202.88.238.xx
Failure Point:
Me
Failure Reason:
IKE authentication credentials are unacceptable
Extra Status:
0x0 0x0
---------------------------------
Linux logs
Nov 21 13:58:42 monitor pluto[3620]: packet from 202.88.232.xx:500: ignoring Vendor ID payload
Nov 21 13:58:42 monitor pluto[3620]: "roadwarrior"[2] 202.88.232.xx #6: responding to Main Mode from unknown peer 202.88.232.xx
Nov 21 13:58:42 monitor pluto[3620]: "roadwarrior"[2] 202.88.232.xx #6: Peer ID is ID_DER_ASN1_DN: 'C=IN, ST=Kerala, L=Trivandrum, O=MyOrg, OU=ADL, CN=Client, E=raj_at_linuxense.com'
Nov 21 13:58:42 monitor pluto[3620]: "roadwarrior-net"[2] 202.88.232.xx #6: deleting connection "roadwarrior" instance with peer 202.88.232.xx
Nov 21 13:58:42 monitor pluto[3620]: "roadwarrior-net"[2] 202.88.232.xx #6: sent MR3, ISAKMP SA established
Nov 21 14:00:14 monitor pluto[3620]: "roadwarrior-net"[2] 202.88.232.xx #6: ignoring Delete SA payload
Nov 21 14:00:14 monitor pluto[3620]: "roadwarrior-net"[2] 202.88.232.xx #6: received and ignored informational message
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Sat Nov 23 2002 - 05:20:42 CET