From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sun Dec 01 2002 - 18:24:04 CET
Hello Reinhard,
it seems that the private key with which SSH Sentinel (or rather the
smartcard) signs the IKE message does not match the public key contained
in the certificate that was sent to FreeS/WAN. Try to find out with the
help of
ipsec auto --listall
if the public key with the key id AwEAAcQLJ belongs to the
user certificate issued by TC Trustcenter. If yes then SSH Sentinel
does not delegate the signing process to the smartcard but uses some
private key of its own.
Kind regards
Andreas
> Hello List,
>
> With SSH Sentinel 1.4 and Freeswan 1.98b with x509 Patch, I am using
> a normal Roadwarrior-Configuration.
> Certs had been issued by openssl by now.
> So far, everything works fine.
>
> Now I tried to use a Smartcard-Certificate with SSH Accession. This
> Certificate was issued by TC Trustcenter (trustcenter.de).
> I set up the TC CA as trusted in Sentinel and configured the VPN to use my TC
> certificate.
> I also gave the trustcenter CA cert to freeswan. It is listed with
> --listcacerts and Fingerprints matches the one shown in Sentinel.
>
> But FS refused to set up a connection. The error message is:
> -----
> Nov 29 15:06:27 wall pluto[18645]: "roadwarrior"[2] 149.225.134.23 #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, CN=My Name, E=me_at_mydomain.de'
> Nov 29 15:06:27 wall pluto[18645]: "roadwarrior"[2] 149.225.134.23 #1: Signature check (on C=DE, CN=My Name, E=me_at_mydomain.de) failed (wrong key?); tried *AwEAAcqLJ
> Nov 29 15:06:27 wall pluto[18645]: | public key for C=DE, CN=My Name, E=me_at_mydomain.de failed: decrypted SIG payload into a malformed ECB (00 separator not present)
> Nov 29 15:06:27 wall pluto[18645]: | state transition function for STATE_MAIN_R2 failed: INVALID_KEY_INFORMATION
> -----
> I would be very grateful for any pointers to fix this problem.
> I was not able to subscribe today, so please mail to my address:
> rm_at_moosauer.de
>
> Thanks a lot,
>
> Reinhard
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                    phone:  +41 76 340 25 56
Alter Zürichweg 20                home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
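
Added example, not part of the original messages or of FreeS/WAN's code: why a signature made with a private key that does not match the certificate's public key surfaces as a padding error like the "00 separator not present" line in the log. The RSA public operation then yields an arbitrary block instead of the PKCS#1 `00 01 FF..FF 00 || hash` layout. The toy keys, the 16-byte hash value and the function names are constructed for the illustration.

```python
# Toy RSA keys built from Mersenne primes: constructed for this demo, NOT secure.
E = 65537

def make_key(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

CERT_KEY = make_key(2**521 - 1, 2**89 - 1)    # public half is in the certificate
OTHER_KEY = make_key(2**127 - 1, 2**107 - 1)  # unrelated key the client signs with
HASH_I = bytes(range(16))                     # constructed stand-in for the signed IKE hash

def sign(key, digest):
    """PKCS#1 v1.5 type-1 block: 00 01 FF..FF 00 || digest, then RSA private op."""
    k = (key["n"].bit_length() + 7) // 8
    pad = k - 3 - len(digest)
    if pad < 8:
        raise ValueError("modulus too small for this digest")
    block = b"\x00\x01" + b"\xff" * pad + b"\x00" + digest
    return pow(int.from_bytes(block, "big"), key["d"], key["n"])

def check(key, sig):
    """RSA public op with the certificate key, then parse the padding."""
    n = key["n"]
    if sig >= n:
        return None, "signature out of range"
    block = pow(sig, E, n).to_bytes((n.bit_length() + 7) // 8, "big")
    if block[:2] != b"\x00\x01":
        return None, "malformed block: 00 01 header not present"
    sep = block.find(b"\x00", 2)
    if sep < 10 or block[2:sep].strip(b"\xff"):
        return None, "malformed block: 00 separator not present"
    return block[sep + 1:], "ok"

if __name__ == "__main__":
    print(check(CERT_KEY, sign(CERT_KEY, HASH_I)))   # matching key pair
    print(check(CERT_KEY, sign(OTHER_KEY, HASH_I)))  # signer used a different key
```

The failure is detected while parsing the padding, before any hash comparison takes place, which is why the log reports a malformed block rather than a hash mismatch.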