[Openswan Users] Please, please help! WinXP Roadwarrior won't
connect! (logs included)
saphira at bethlen.de
Fri Aug 13 16:12:54 CEST 2004
Karim 'Kasi Mir' Senoucci <kasi.mir at melzone.de> schrieb am 13.08.04 14:15:00:
> Hello all,
> >I tried to send you two mails before, but they don't get through.
> Strange - I get hundreds of mails every day. Can you tell me where what
> does wrong.
No, I figured out it was a problem with my webmail-interface. Sending mails worked, replying didn't (don't ask me why) ...
> >Try deleting all certs from the storage on WinXP.
> >Then go to the ipsec.msc (mmc)-Certificates-section. Goto personal,
> >right-click->all tasks->import. Select the .p12-file. Don't just
> >doubleclick the .p12-file, this won't work. It's strange, I know, but
> >it seems like it. I had the same problem, using this worked. Delete the
> >ca-cert, if it got to the personal-section, too (included in .p12-file).
> That is *not* the case here. I've done ecactly what you descibed above
> from the beginning. Every time. Plus, the certs are where they should
> be; the machine cert in the Personal section, the CA one under "Trusted
> Root Certification Authorities".
OK, the important thing was: not doing a double-click on the files, instead importing via certificate-interface (I'm not sure if I got this right in the mail, since it was my third try I was frustrated because the previos mails were gone).
OK, assuming you have imported it via certificate-interface, where did you put it? Local Computer or Current User? I think the first one is right, but you may want to try the second one, too?
Have you tried to establish the connection from windows-side or from linux-side? ping, etc.? You may have tried all this already, but maybe you didn't.
Next question: How does your PKI look like? Is it just one CA which signs all certificates or have you a root-ca and sub-cas? This is really ugly in windows, it took some time to get it to work with sub-cas. In this case you have to put the root ca to "trusted root ..." and the sub-cas to "intermediate ...". All other constellations failed (at least at my installation).
You may want to take a look to: http://linux.swobspace.net/books/fw/vpn-with-windows/vpn-with-windows.pdf
(german). Especially Anhang/Appendix B might be interesting.
Next question: Is one certificate in the chain revoked (I don't think so, since you re-issued them). Are they REALLY valid? Can the validity checked on windows-side? Open Certificate, tab "Certification path". I figured out that windows won't use a certificate as its own which it can't validate. Especially when you issue certificates and the CA has another time than the windows-machine, it may be the point, that it is not valid yet on windows-side.
When you have just one ca: try "automatically select storage" when you import the certificates via the management console. This may not work when you use sub-cas.
By the way: Have you tested it on different windows-machines? Maybe yours is just broken.
I had the exactly same problem as you (... incomplete ISAMKP SA. ARGGGG). Following the instructions _word by word_ in the abovementioned pdf worked.
Hint: try everything you tested before again, since you may have removed one problem but still have another one. The errormessage seems to be very general.
I wish you good luck. I know this is frustrating.
> I've deleted them twice yesterday, anyway, and re-included them
> painstakinkly making sure the go to the tights folders. I *still*
> doesn't work.
> Karim Senoucci
WEB.DE Video-Mail - Sagen Sie mehr mit bewegten Bildern
Informationen unter: http://freemail.web.de/?mc=021199
More information about the Users