[Openswan Users] Please, please help! WinXP Roadwarrior won't connect! (logs included)

Paul Wouters paul at xelerance.com
Fri Aug 13 18:53:13 CEST 2004


On Fri, 13 Aug 2004, Karim 'Kasi Mir' Senoucci wrote:

> The VPN in question was running fine with two Linux roadwarriors when
> the need arose to connect a few WindowsXP machines. I've now
> completely rewritten ALL configs twice, re-issued ALL certs (even for
> the linux RW, which *were* working already) twice, once even re-building
> a new CA. I've tried numerous test keys for the WinXP machines.

One thing I noticed was that you are running superfreeswan 1.99.8. I would
recommend upgrading it to either openswan-2 or openswan-1. There are a few
known fixes in the nat traversal code with XP machines. But it is not the
reason for:

> "IKE failed to find valid machine certificate"

How did you load the certificates onto the windows machine? Try re-adding
them with certimport.exe

ftp://ftp.openswan.org/openswan/windows/certimport/
 
> "encrypted Informational Exchange message is invalid because it is for
>   incomplete ISAKMP SA"
> 
> on the Linux side.

This is the windows machine failing and trying to tell the linux machine.
But the linux machine ignores it because it didn't get through phase 1
with the windows box.

This is a problem purely on the windows machine. Make sure you have installed
all windows updates. Delete the root CA and personal CA through the mmc, and
use certimport.

If the problem persists, then it is likely because of the certificate content.
I found for instance I had many problems when I added OUs or when I left
out the state (I ended up putting "none" in the state).
Also, your CA should have a validity much longer than your host certificates.
If in doubt, use the validity times in either Andreas's X509 manual examples,
or in Nate Carlson's examples. Those have been used a lot by others and are
known to work.

You can also use the mmc to check the current certificates. Check the
validity (it is a separate tab) and check the "path" of the certificate.

You could also grab the examples from one of my X.509 talks. They are available
on www.xelerance.com.

Paul
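The certificate checks suggested in the reply above (host cert chains to the CA, CA outlives the host cert, no OU attribute, a state field present) as a small added script; this is an illustration written for this archive page, not code from the thread or from the Openswan project. It assumes the CA and host certificates are available as PEM files, an `openssl` binary on the path, and GNU `date` for the `-d` option.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for a CA / host
# certificate pair, following the advice in the message above.
# Assumed inputs: PEM files for the CA certificate and the host certificate.

# Seconds since the epoch at which the given certificate expires (GNU date).
cert_end_epoch() {
    date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s
}

# Subject in RFC 2253 form (CN=host,O=Example,ST=none,C=DE), which is stable
# across OpenSSL versions, so the checks below can match attribute types.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Does the host certificate verify against the CA ("path" in the mmc)?
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The CA must stay valid longer than the host certificate it signed.
check_validity() {
    [ "$(cert_end_epoch "$1")" -gt "$(cert_end_epoch "$2")" ]
}

# Subject content checks from the message: no OU, and an ST (state) present.
check_subject() {
    subj=$(cert_subject "$1")
    ok=0
    case ",$subj," in *,OU=*) echo "warn: $1 has an OU attribute"; ok=1 ;; esac
    case ",$subj," in *,ST=*) ;; *) echo "warn: $1 has no ST (state) attribute"; ok=1 ;; esac
    return $ok
}

# Run every check on a CA / host pair; returns 0 only if all of them pass.
check_certs() {
    ca=$1; host=$2; rc=0
    check_chain "$ca" "$host"    || { echo "fail: $host does not verify against $ca"; rc=1; }
    check_validity "$ca" "$host" || { echo "fail: $ca expires before $host"; rc=1; }
    check_subject "$ca"   || rc=1
    check_subject "$host" || rc=1
    return $rc
}
```

Run it as `check_certs cacert.pem host.pem` after sourcing the file; any warning or failure line names the certificate to fix.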


