[Openswan Users] Going mad with "IKE failed to find valid machine certificate"

Karim 'Kasi Mir' Senoucci kasi.mir at melzone.de
Thu Aug 5 14:51:38 CEST 2004


Hello all,
I'm currently banging my head against the wall because I'm unable to add
the first XP roadwarrior to a local VPN with a few active Linux
endpoints.

The problem is: I've followed every recommendation I could find to the
letter, yet I get the d*mn "IKE failed to find valid machine
certificate" message which suggests I didn't.

Here's what I've done:

- Created a cert for the XP machine (Cert.p12) on the VPN gateway.

- Tested the Cert with a Linux machine, which works fine.

- Added the Cert to the MMC, just as shown in e.g.
  <http://lists.freeswan.org/pipermail/users/2001-November/005450.html>

- Configured the XP VPN side:

conn Win-machine
        network=ras
        auto=start
        left=%any
        right=<vpn.gateway.name>
        rightca=<VPN Gateway Cert DN>
        pfs=yes

conn Win-net
        network=ras
        auto=start
        left=%any
        right=kassandra.21st-hq.de
        rightsubnet=192.168.168.0/24
        right=<vpn.gateway.name>
        rightca=<VPN Gateway Cert DN>
        pfs=yes


And then tried to start the whole thing up. What I get is

-- on the XP side:

[full log can be provided on request]
---------------------------------------------------------------------------
 8-05: 08:11:18:531:144 Receive: (get) SA = 0x000c98a8 from <vpn.gateway.ip>
 8-05: 08:11:18:531:144 ISAKMP Header: (V1.0), len = 188
 8-05: 08:11:18:531:144   I-COOKIE 65c611d4eb7abdea
 8-05: 08:11:18:531:144   R-COOKIE 450264529fa6023a
 8-05: 08:11:18:531:144   exchange: Oakley Main Mode
 8-05: 08:11:18:531:144   flags: 0
 8-05: 08:11:18:531:144   next payload: KE
 8-05: 08:11:18:531:144   message ID: 00000000
 8-05: 08:11:18:531:144 processing payload KE
 8-05: 08:11:18:531:144 processing payload NONCE
 8-05: 08:11:18:531:144 processing payload CRP
 8-05: 08:11:18:531:144 constructing ISAKMP Header
 8-05: 08:11:18:531:144 constructing ID
 8-05: 08:11:18:531:144 Received no valid CRPs.  Using all configured
 8-05: 08:11:18:531:144 Looking for IPSec only cert
 8-05: 08:11:18:562:144 failed to get chain 80092004
 8-05: 08:11:18:562:144 Received no valid CRPs.  Using all configured
 8-05: 08:11:18:562:144 Looking for any cert
 8-05: 08:11:18:562:144 failed to get chain 80092004
 8-05: 08:11:18:562:144 ProcessFailure: sa:000C98A8 centry:00000000 status:35ee
 8-05: 08:11:18:562:144 isadb_set_status sa:000C98A8 centry:00000000 status 35ee
 8-05: 08:11:18:578:144 Schlüsselaustauschmodus (Hauptmodus)

 8-05: 08:11:18:578:144 Quell-IP-Adresse <vpn.user.ip>
Quell-IP-Adressmaske 255.255.255.255
Ziel-IP-Adresse <vpn.gateway.ip>
Ziel-IP-Adressmaske 255.255.255.255
Protokoll 0
Quellport 0
Zielport 0

 8-05: 08:11:18:578:144 Zertifikat-basierte Identität.
Peer-IP-Adresse: <vpn.gateway.ip>

 8-05: 08:11:18:578:144 Benutzer

 8-05: 08:11:18:578:144 IKE konnte kein gültiges Computerzertifikat
finden.

 8-05: 08:11:18:578:144 0x80092004 0x0
 8-05: 08:11:18:578:144 ProcessFailure: sa:000C98A8 centry:00000000 status:35ee
 8-05: 08:11:18:578:144 constructing ISAKMP Header
 8-05: 08:11:18:578:144 constructing HASH (null)
 8-05: 08:11:18:578:144 constructing NOTIFY 28
 8-05: 08:11:18:578:144 constructing HASH (Notify/Delete)
---------------------------------------------------------------------------

-- and on the Linux side:

---------------------------------------------------------------------------
Aug  5 08:19:54 kassandra pluto[24275]: packet from <vpn.user.ip>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Aug  5 08:19:54 kassandra pluto[24275]: "n2g"[5] <vpn.user.ip> #53: responding to Main Mode from unknown peer <vpn.user.ip>
Aug  5 08:19:54 kassandra pluto[24275]: "n2g"[5] <vpn.user.ip> #53: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
---------------------------------------------------------------------------

Even the expiry dates of the host and CA are not problematic, as shown
by ipsec auto --listall:

000
000 List of Public Keys:
000
000 Aug 05 10:50:43 2004, 1024 RSA Key AwEAAberm, until Feb 25 15:40:50 2008 ok
000        ID_DER_ASN1_DN <VPN User DN>
000        Issuer <VPN Gateway Cert DN>
000 Aug 05 10:33:38 2004, 1024 RSA Key AwEAAdgwO, until Jul 17 13:21:21 2008 ok
000        ID_DER_ASN1_DN <VPN Other User DN>
000        Issuer <VPN Gateway Cert DN>
000 Aug 04 16:49:34 2004, 1024 RSA Key AwEAAa2s9, until Jul 16 13:36:59 2014 ok
000        ID_DER_ASN1_DN <VPN Gateway Cert DN>
000        Issuer <VPN Gateway Cert DN>
000
000 List of User/Host Certificates:
000
000 Aug 04 16:49:34 2004, count: 12
000        subject: <VPN Gateway Cert DN>
000        issuer:  <VPN Gateway Cert DN>
000        pubkey:   1024 RSA Key AwEAAa2s9, has private key
000        validity: not before Jul 18 13:36:59 2004 ok
000                  not after  Jul 16 13:36:59 2014 ok
000
000 List of CA Certificates:
000
000 Aug 04 16:49:34 2004, count: 1
000        subject: <VPN Gateway Cert DN>
000        issuer:  <VPN Gateway Cert DN>
000        pubkey:   2048 RSA Key AwEAAa7ZI
000        validity: not before Jul 18 13:21:21 2004 ok
000                  not after  Jul 17 13:21:21 2008 ok
000
000 List of CRLs:
000
000 Aug 04 16:49:34 2004, revoked certs: 13
000        issuer:  <VPN Gateway Cert DN>
000        updates:  this Jul 28 01:22:59 2004
000                  next May 24 01:22:59 2005 ok


(I have changed all IP addresses and DNs to tokens for privacy reasons.
 In the real logs, these are valid IPs and DNs, of course).

The <VPN Other User DN> only uses Linux and can fire up the VPN without
problems; the <VPN User DN> is the Windows XP one and can't connect.


Can anybody point me to anything that might still be wrong in this
setup? Any help would be greatly appreciated, as I've already spent many
hours on getting the d*mn XP machine to connect.

Greetings
Kasi Mir
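The Windows side of the exchange above is more informative than the "IKE failed to find valid machine certificate" summary suggests: the Oakley log records which certificate store search the IPsec service ran ("Looking for IPSec only cert", then "Looking for any cert"), the HRESULT each search ended with (80092004 is CRYPT_E_NOT_FOUND from winerror.h), and the ISAKMP notification it then built for the gateway (NOTIFY 28 is CERTIFICATE-UNAVAILABLE in RFC 2408). The script below is an added example, not code from the poster or from the Openswan project: it parses an Oakley log excerpt constructed from the lines quoted in the post, decodes the HRESULT and notify numbers from small lookup tables, and reduces the sequence to a one-line verdict. In general, the Windows IPsec service only considers certificates held in the Local Computer Personal store with their private key, chained to a CA in the Local Computer Trusted Root store, so a CRYPT_E_NOT_FOUND on both searches is worth checking against where the .p12 actually landed; which of those applies to any particular machine is not something the log alone shows.

```python
import re
from typing import Dict, List, Optional

# Oakley.log excerpt constructed from the lines quoted in the post above.
# Addresses and SA handles are the placeholders the post uses; this is not a full log.
OAKLEY_LOG = """\
 8-05: 08:11:18:531:144 processing payload CRP
 8-05: 08:11:18:531:144 Received no valid CRPs.  Using all configured
 8-05: 08:11:18:531:144 Looking for IPSec only cert
 8-05: 08:11:18:562:144 failed to get chain 80092004
 8-05: 08:11:18:562:144 Received no valid CRPs.  Using all configured
 8-05: 08:11:18:562:144 Looking for any cert
 8-05: 08:11:18:562:144 failed to get chain 80092004
 8-05: 08:11:18:562:144 ProcessFailure: sa:000C98A8 centry:00000000 status:35ee
 8-05: 08:11:18:578:144 0x80092004 0x0
 8-05: 08:11:18:578:144 constructing NOTIFY 28
"""

# HRESULTs from the Windows SDK (winerror.h) that CryptoAPI returns when it
# cannot build a usable chain; these are the codes seen after "failed to get chain".
HRESULT_NAMES: Dict[int, str] = {
    0x80092004: "CRYPT_E_NOT_FOUND: no matching certificate/chain in the machine store",
    0x800B0101: "CERT_E_EXPIRED: certificate is outside its validity period",
    0x800B0109: "CERT_E_UNTRUSTEDROOT: chain ends in a root that is not trusted",
    0x800B010A: "CERT_E_CHAINING: no chain could be built to a trusted root",
    0x80092010: "CRYPT_E_REVOKED: certificate is listed on its issuer's CRL",
}

# ISAKMP Notify Message Types (RFC 2408, section 3.14.1) relevant to certificate auth.
NOTIFY_NAMES: Dict[int, str] = {
    14: "NO-PROPOSAL-CHOSEN",
    18: "INVALID-ID-INFORMATION",
    20: "INVALID-CERTIFICATE",
    22: "INVALID-CERT-AUTHORITY",
    24: "AUTHENTICATION-FAILED",
    28: "CERTIFICATE-UNAVAILABLE",
}

# " 8-05: 08:11:18:531:144 <message>" -> timestamp, thread id, message text
LINE_RE = re.compile(r"^\s*(?P<ts>\d+-\d+: \d+:\d+:\d+:\d+):(?P<tid>\d+)\s+(?P<msg>.*)$")
LOOKING_RE = re.compile(r"Looking for (.+?)\s*$")
CHAIN_FAIL_RE = re.compile(r"failed to get chain ([0-9A-Fa-f]{8})")
NOTIFY_RE = re.compile(r"constructing NOTIFY (\d+)")


def parse_oakley(text: str) -> List[dict]:
    """Extract chain-build failures and outgoing NOTIFYs from an Oakley log."""
    events: List[dict] = []
    search: Optional[str] = None  # which store search the next failure belongs to
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (lk := LOOKING_RE.search(msg)):
            search = lk.group(1)
        elif (cf := CHAIN_FAIL_RE.search(msg)):
            code = int(cf.group(1), 16)
            events.append({"ts": ts, "kind": "chain_failure", "search": search,
                           "code": code,
                           "name": HRESULT_NAMES.get(code, "unknown HRESULT")})
        elif (nt := NOTIFY_RE.search(msg)):
            num = int(nt.group(1))
            events.append({"ts": ts, "kind": "notify", "code": num,
                           "name": NOTIFY_NAMES.get(num, "unknown notify type")})
    return events


def diagnose(events: List[dict]) -> str:
    """One-line verdict: did the client give up because it had no usable machine cert?"""
    failures = [e for e in events if e["kind"] == "chain_failure"]
    notifies = [e for e in events if e["kind"] == "notify"]
    searches = [e["search"] for e in failures if e["search"]]
    if "any cert" in searches and any(e["code"] == 0x80092004 for e in failures):
        verdict = ("no usable machine certificate: every store search "
                   f"({', '.join(searches)}) ended in CRYPT_E_NOT_FOUND")
    elif failures:
        verdict = "certificate chain problem: " + "; ".join(e["name"] for e in failures)
    else:
        verdict = "no certificate chain failures logged"
    if notifies:
        verdict += "; peer was sent " + ", ".join(
            f"NOTIFY {e['code']} {e['name']}" for e in notifies)
    return verdict


if __name__ == "__main__":
    evs = parse_oakley(OAKLEY_LOG)
    for e in evs:
        if e["kind"] == "chain_failure":
            print(f"{e['ts']} {e['kind']:13} 0x{e['code']:08X} {e['name']}")
        else:
            print(f"{e['ts']} {e['kind']:13} {e['code']:>10} {e['name']}")
    print(diagnose(evs))
```

Run it as-is to see the decoded sequence for the quoted excerpt, or point `parse_oakley` at the contents of a real Oakley.log; the pluto line "encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA" on the gateway is the other half of the same NOTIFY 28, which arrives before the ISAKMP SA is established and is therefore discarded.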


