[Openswan Users] Please, please help! WinXP Roadwarrior won't connect! (logs included)

Karim 'Kasi Mir' Senoucci kasi.mir at melzone.de
Fri Aug 13 16:33:29 CEST 2004

Hallo allerseits,
On Fri, 13 Aug 2004, Gregor Bethlen wrote:

>OK, the important thing was: not doing a double-click on the files,
>instead importing via certificate-interface (I'm not sure if I got this
>right in the mail, since it was my third try I was frustrated because
>the previos mails were gone).

I got that, and I *never* included the p12 files any other way. I never
in my whole life double-clicked on such a file. :-)

>OK, assuming you have imported it via certificate-interface, where did
>you put it? Local Computer or Current User? I think the first one is
>right, but you may want to try the second one, too?

Local computer; as *every* instruction I've seen *emphasizes* on *not*
putting is under "Current User", I haven't tried that.

>Have you tried to establish the connection from windows-side or from
>linux-side? ping, etc.? You may have tried all this already, but maybe
>you didn't.

>From the Windows side, as that one is the roadwarrior, with ping and
other connection attempts (e.g. ssh, smtp).

>Next question: How does your PKI look like? Is it just one CA which
>signs all certificates or have you a root-ca and sub-cas? This is
>really ugly in windows, it took some time to get it to work with
>sub-cas. In this case you have to put the root ca to "trusted root ..."
>and the sub-cas to "intermediate ...". All other constellations failed
>(at least at my installation).

I have just one CA which signs everything.

>You may want to take a look to:
>(german). Especially Anhang/Appendix B might be interesting.

That's just another manual giving the same instructions I've followed
every time. I've seen all the screens they show myself and - apart from
the acual names of the certificates - everything looks *exactly* on
those pictures.

>Next question: Is one certificate in the chain revoked (I don't think
>so, since you re-issued them). Are they REALLY valid? Can the validity
>checked on windows-side? Open Certificate, tab "Certification path". I
>figured out that windows won't use a certificate as its own which it
>can't validate. Especially when you issue certificates and the CA has
>another time than the windows-machine, it may be the point, that it is
>not valid yet on windows-side.

There are revoked certs, of course, but none of the are in use anywhere
anymore. Windows says "This certificate is OK." to my roadwarrior
machine cert. The time difference between the WinXP and the Linux
machine is less than three minutes. The machine cert is, as I've shown
in my very first mail in this regard, valid since 14 hours ago and will
be valid until March 2008.

>When you have just one ca: try "automatically select storage" when you
>import the certificates via the management console. This may not work
>when you use sub-cas.

I have already done that every time I included the p12 file.

>By the way: Have you tested it on different windows-machines? Maybe
>yours is just broken.

I myself have but one WinXP machine, but colleagues have tested it on at
least two other machines, without my help, and got the *exact* *same*

>I had the exactly same problem as you (... incomplete ISAMKP SA.
>ARGGGG). Following the instructions _word by word_ in the
>abovementioned pdf worked.

I honestly don't know what I can do differently than before. The pdf
decribes what I did *to* *the* *letter*.

>Hint: try everything you tested before again, since you may have
>removed one problem but still have another one. The errormessage seems
>to be very general.

The error message is all I get, regardless of what I try. I have a 300k
log file here full of these error messages from some 40 tries since
midnight alone.

I just doesn't work, and nothing I tried or did made one *iota* of a

Isn't there any way to debug this properly, or is all that Windows can
say "it doesn't work"??!?!

Karim Senoucci

More information about the Users mailing list