[Openswan Users] Please, please help! WinXP Roadwarrior won't connect! (logs included)

trevor-os at thennion.demon.co.uk trevor-os at thennion.demon.co.uk
Fri Aug 13 15:46:46 CEST 2004


On Friday 13 Aug 2004 13:14, Karim 'Kasi Mir' Senoucci wrote:
> Hello all,
>
> [...]
>
> >I tried to send you two mails before, but they don't get through.
>
> Strange - I get hundreds of mails every day. Can you tell me what
> goes wrong?
>
>
> [...]
>
> >Try deleting all certs from the storage on WinXP.
> >
> >Then go to the ipsec.msc (mmc)-Certificates-section. Go to personal,
> >right-click->all tasks->import. Select the .p12-file. Don't just
> >doubleclick the .p12-file, this won't work. It's strange, I know, but
> >it seems like it. I had the same problem, using this worked. Delete the
> >ca-cert, if it got to the personal-section, too (included in .p12-file).
>
> That is *not* the case here. I've done exactly what you described above
> from the beginning. Every time. Plus, the certs are where they should
> be; the machine cert in the Personal section, the CA one under "Trusted
> Root Certification Authorities".
>
> I've deleted them twice yesterday, anyway, and re-included them
> painstakingly making sure they go to the right folders. It *still*
> doesn't work.
>
> Greetings
> Karim Senoucci
>

Karim,

I'm afraid that you are missing the point. If you had done everything right
it would be working!
You haven't got it to work, therefore you STILL have something wrong - e.g. this
shows in your Oakley log:
 8-13: 02:28:36:250:d20 IKE failed to find valid machine certificate

The certificates may be in the correct places. When you try to initiate the 
VPN, it looks for a certificate that matches details in the XP's ipsec.conf 
file. The rightca=" " should contain the Issuer details from your personal 
certificate. A simple typo in that line will cause it all to fail.

I have always put an email address in the certificate - you haven't shown that
in your XP's ipsec.conf file. Could it be that XP is being fussy about the
certificate?

From your Linux ipsec.conf file:
 conn g2n
     auto=add
     # local side
     left=kassandra.21st-hq.de
     leftcert=GatewayCert.pem
     # remote side
     right=%any
     rightsubnetwithin=192.168.0.0/16

Yes the 192.168.0.0/16 should match the 192.168.13.13 address - I missed that 
in all the data.
However I would expect to see a rightid="C=DE, ...." that matches the subject 
line of your XP's certificate - except mine show ST=Berkshire on the Linux 
box, while the XP certificate only shows S=Berkshire.

So a number of differences.

Hope this helps

Regards

Trevor
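
The check suggested in the reply above (compare the configured `rightca`/`rightid` string against the certificate's Issuer/Subject, watching for typos and the `ST=` versus `S=` spelling) can be done mechanically. This is an added example, not part of the original thread; the function names and the sample DNs are constructed, and it only reports differences without assuming how the IPsec tooling itself matches the strings.

```python
# Attribute names differ by tool: Windows certificate dialogs show S= and E=,
# OpenSSL-style output shows ST= and emailAddress=.
ALIASES = {"S": "ST", "E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}

def parse_dn(dn):
    """Parse 'C=GB, ST=x' or '/C=GB/ST=x' into (raw_type, canonical_type, value).
    Assumption: attribute values contain no escaped separators."""
    dn = dn.strip().strip('"')
    sep = "/" if dn.startswith("/") else ","
    parsed = []
    for part in dn.split(sep):
        if not part.strip():
            continue
        key, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        raw = key.strip()
        canonical = ALIASES.get(raw.upper(), raw.upper())
        parsed.append((raw, canonical, value.strip()))
    return parsed

def compare_dn(configured, from_cert):
    """List every difference between the configured DN and the certificate DN."""
    a, b = parse_dn(configured), parse_dn(from_cert)
    findings = []
    if len(a) != len(b):
        findings.append(f"attribute count differs: {len(a)} vs {len(b)}")
    for i, ((rk1, ck1, v1), (rk2, ck2, v2)) in enumerate(zip(a, b), 1):
        if ck1 != ck2:
            findings.append(f"#{i}: attribute type {rk1} vs {rk2}")
        elif v1 != v2:
            findings.append(f"#{i}: {ck1} value {v1!r} vs {v2!r}")
        elif rk1 != rk2:
            findings.append(f"#{i}: same attribute spelled {rk1} vs {rk2}")
    return findings

# Constructed sample values (not taken from the thread).
CONFIGURED_RIGHTCA = '"C=GB, S=Berkshire, O=Example Ltd, CN=Exmaple Root CA"'
CERT_ISSUER = "C=GB, ST=Berkshire, O=Example Ltd, CN=Example Root CA"

if __name__ == "__main__":
    for finding in compare_dn(CONFIGURED_RIGHTCA, CERT_ISSUER):
        print(finding)
```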

