[Openswan Users] Please, please help! WinXP Roadwarrior won't connect! (logs included)

trevor-os at thennion.demon.co.uk
Fri Aug 13 15:46:46 CEST 2004

On Friday 13 Aug 2004 13:14, Karim 'Kasi Mir' Senoucci wrote:
> Hello all,
> [...]
> >I tried to send you two mails before, but they don't get through.
> Strange - I get hundreds of mails every day. Can you tell me where what
> does wrong.
> [...]
> >Try deleting all certs from the storage on WinXP.
> >
> >Then go to the ipsec.msc (mmc)-Certificates-section. Go to personal,
> >right-click->all tasks->import. Select the .p12-file. Don't just
> >double-click the .p12-file, this won't work. It's strange, I know, but
> >it seems like it. I had the same problem, using this worked. Delete the
> >ca-cert, if it got to the personal-section, too (included in .p12-file).
> That is *not* the case here. I've done exactly what you described above
> from the beginning. Every time. Plus, the certs are where they should
> be; the machine cert in the Personal section, the CA one under "Trusted
> Root Certification Authorities".
> I've deleted them twice yesterday, anyway, and re-included them
> painstakingly making sure they go to the right folders. It *still*
> doesn't work.
> Greetings
> Karim Senoucci


I'm afraid that you are missing the point. If you had done everything right
it would be working!
You haven't got it to work, therefore you STILL have something wrong - e.g. this
shows in your Oakley log:
 8-13: 02:28:36:250:d20 IKE failed to find valid machine certificate

The certificates may be in the correct places. When you try to initiate the 
VPN, it looks for a certificate that matches details in the XP's ipsec.conf 
file. The rightca=" " should contain the Issuer details from your personal 
certificate. A simple typo in that line will cause it all to fail.

I have always put an email address in the certificate - you haven't shown that  
in your XP's ipsec.conf file. Could it be that XP is being fussy about the 

From your Linux ipsec.conf file:
 conn g2n
     # local side
     # remote side

Yes the should match the address - I missed that 
in all the data.
However I would expect to see a rightid="C=DE, ...." that matches the subject 
line of your XP's certificate - except mine show ST=Berkshire on the Linux 
box, while the XP certificate only shows S=Berkshire.

So a number of differences.

Hope this helps
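
The DN comparison suggested above can be done mechanically rather than by eye. This is an added example, not part of the original message or of Openswan: `parse_dn` and `diff_dn` are hypothetical helpers, the DNs are constructed sample values, and it goes slightly beyond the message by accepting both comma and OpenSSL slash notation. It assumes each attribute appears once and treats S/ST and E/emailAddress as display aliases of the same attribute, so only real value differences are reported.

```python
import re

# Windows certificate views print S and E where OpenSSL prints ST and
# emailAddress; fold these display labels into one canonical name.
ALIASES = {"S": "ST", "E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}


def parse_dn(dn):
    """Parse 'C=GB, ST=x, CN=y' or '/C=GB/ST=x/CN=y' into (label, value) pairs."""
    dn = dn.strip().strip('"')
    sep = "/" if dn.startswith("/") else ","
    pairs = []
    for part in re.split(r"(?<!\\)" + re.escape(sep), dn):
        if not part.strip():
            continue
        label, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        label = label.strip().upper()
        pairs.append((ALIASES.get(label, label), value.strip()))
    return pairs


def diff_dn(configured, from_cert):
    """List differences between two DNs; an empty list means they agree."""
    a, b = parse_dn(configured), parse_dn(from_cert)
    da, db = dict(a), dict(b)  # assumption: no attribute is repeated
    problems = []
    for label in sorted(set(da) | set(db)):
        if label not in da:
            problems.append(f"{label} missing from configured DN")
        elif label not in db:
            problems.append(f"{label} missing from certificate DN")
        elif da[label] != db[label]:
            problems.append(f"{label}: {da[label]!r} != {db[label]!r}")
    if not problems and [l for l, _ in a] != [l for l, _ in b]:
        problems.append("same attributes, different order")
    return problems


if __name__ == "__main__":
    # Constructed sample: value typed into rightca= vs. issuer read from the cert.
    conf = "C=GB, S=Berkshire, O=Example Org, CN=Exmaple CA"
    cert = "/C=GB/ST=Berkshire/O=Example Org/CN=Example CA"
    for line in diff_dn(conf, cert) or ["DNs agree"]:
        print(line)
```

A clean result here only says the two strings name the same attributes and values; whether the IPsec implementation also insists on a particular label spelling has to be checked against its own documentation.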


