[Openswan Users] Please, please help! WinXP Roadwarrior won't
connect! (logs included)
Karim 'Kasi Mir' Senoucci
kasi.mir at melzone.de
Fri Aug 13 19:46:00 CEST 2004
On Fri, 13 Aug 2004 trevor-os at thennion.demon.co.uk wrote:
>I'm afraid that you are missing the point. If you have done everything right
>it would be working!
I *know* that, I've written something like that myself in my first mail.
The problem is that I have no idea how to find out *what* I've done
>You haven't got it to work therefore you STILL have something wrong - eg this
>shows in your Oakley log:
> 8-13: 02:28:36:250:d20 IKE failed to find valid machine certificate
Exactly that *is* the problem. How can I find out *why* Windows posts
this, even though I seem to have included the certs in the right places.
>The certificates may be in the correct places. When you try to initiate the
>VPN, it looks for a certificate that matches details in the XP's ipsec.conf
>file. The rightca=" " should contain the Issuer details from your personal
>certificate. A simple typo in that line will cause it all to fail.
The problem is: as fas as I can tell, there *is* no typo. That acually
was the first thing I looked at. Furthermore, I've tried the ID now with
spaces after every comma, without spaces after commas, with and
without spaces before and/or after every '=' of the name.
Can Windows give me any clue what it expects for ID? I fail to see any
>I have always put an email address in the certificate - you haven't shown that
>in your XP's ipsec.conf file. Could it be that XP is being fussy about the
I've tried with other certificates with e-mail adresses before, and the
error was the same. But I will create another cert with an e-mail
address and try that one again later tonight, when I'll be back at my XP
>>From you Linux ipsec.conf file:
> conn g2n
> # lokale Seite
> # entfernte Seite
>However I would expect to see a rightid="C=DE, ...." that matches the subject
>line of your XP's certificate - except mine show ST=Berkshire on the Linux
>box, while the XP certificate only shows S=Berkshire.
When I use a rightid, that binds the connection description to just one
certificate, AFAIK. That's the reason there isn't any such line - the
connection has to work from a number of different Linux and XP machines,
all with distict certs.
Thanks for you help so far.
More information about the Users