Re: [Users] Win2K <-> FreSWAN repeating problem (ISAKMP SA not established)

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Nov 26 2002 - 09:56:04 CET


Mark van Proctor wrote:
> Thanks Andreas,
> I actually found the problem in the end - After upgrading the server I had
> remade its Authentication certificate differently and the "subject" was
> different for my windows ipsec.conf.
> This upgrade to redhat 8 and freeswan 1.99 also rectified my winXP problems.
>
> I do, however, have a quick openSSL query which I understand if you can't (or
> don't have time to) answer but thought I would ask anyway while I am emailing
> you - how do you revoke a certificate and add it to the CRL?
>

   Revocation: openssl ca -revoke badCert.pem

   Update CRL: openssl ca -gencrl -out crl.pem

   PEM to binary: openssl crl -in crl.pem -outform der -out cert.crl

Regards

Andreas

> Thanks!!
>
> Mark
>
> ----- Original Message -----
> From: "Andreas Steffen" <andreas.steffen_at_strongsec.net>
> To: "Mark van Proctor" <mark_at_metech.com.au>
> Cc: <users_at_lists.freeswan.org>
> Sent: Monday, November 25, 2002 11:25 PM
> Subject: Re: [Users] Win2K <-> FreSWAN repeating problem (ISAKMP SA not
> established)
>
>
>
>>Mark van Proctor wrote:
>>
>>>Hi people.
>>>I have seen a number of people emailing requests for help with ISAKMP SA not
>>>establishing correctly
>>>The actual error being: "encrypted Informational Exchange message is invalid
>>>because it is for incomplete ISAKMP SA"
>>>I have, however, seen absolutely no responses or instructions on how to
>>>resolve this.
>>
>>This notification message is always a sure sign that a problem occurred on
>>the peer side (in your case W2K). Usually this is a certificate or private key
>>problem. Please activate the oakley.log via the Windows registry and look
>>for errors.
>>
>>
>>>Please could someone help?
>>>I am using Win2K with the ipsec tool created by Marcus. I am using RedHat
>>>8.0 with FreeSWAN 1.99 installed via pre-patched RPM from www.freeswan.ca
>>>I used to use 1.97 on RedHat 7.3 and the connection worked. After upgrading,
>>>I had to create new x509 certificates and now nothing works. I don't know if
>>>it is the x509 certificates or what, because nothing has changed on the
>>>Win2k side (it used to work...).
>>>Please help,
>>>thanks.
>>>
>>>Mark
>>>
>>>Mark van Proctor
>>>Systems Administrator
>>>Metech Pty Ltd
>>>24 Moreau Mews
>>>Applecross WA 6153
>>>Ph: 9316 6600
>>>Fax: 9316 6699
>>>Mobile: 0411 749 282
>>>mark_at_metech.com.au

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
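
Added example (not part of the reply above or of the original thread): the three commands from the reply, run end to end against a throwaway CA, with `openssl verify -crl_check` confirming that the certificate is accepted before revocation and rejected afterwards. The CA layout, `ca.cnf`, the subject names and the function names are assumptions made for this demo; `-config` is added because `openssl ca` otherwise reads the system default configuration.

```sh
# Constructed demo: a throwaway CA in a temp dir. Only badCert.pem, crl.pem and
# cert.crl are names from the reply; everything else is made up for this example.
set -eu

make_ca() {  # $1 = empty working dir: create CA, issue badCert.pem, publish empty CRL
    d=$1; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = req
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical,CA:true
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Demo CA" -days 30 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=badCert" -keyout "$d/bad.key" -out "$d/bad.csr" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -in "$d/bad.csr" -out "$d/badCert.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}
revoke_and_publish() {  # $1 = CA dir: the three steps from the reply
    d=$1
    openssl ca -config "$d/ca.cnf" -revoke "$d/badCert.pem" 2>/dev/null  # mark revoked in index.txt
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null # sign a fresh CRL
    openssl crl -in "$d/crl.pem" -outform der -out "$d/cert.crl"         # PEM to binary (DER)
}
cert_status() {  # $1 = CA dir: print valid, revoked or error, judged against crl.pem
    out=$(openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
        "$1/badCert.pem" 2>&1) && { echo valid; return 0; }
    case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; make_ca "$work"
echo "before revocation: $(cert_status "$work")"
revoke_and_publish "$work"
echo "after revocation:  $(cert_status "$work")"
```

Revoking alone only updates the CA database; a relying party sees the change once the regenerated CRL is the one it loads.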



This archive was generated by hypermail 2.1.5 : Wed Nov 27 2002 - 05:20:51 CET