[Openswan Users] Please, please help! WinXP Roadwarrior won't connect! (logs included)

Karim 'Kasi Mir' Senoucci kasi.mir at melzone.de
Fri Aug 13 19:46:00 CEST 2004

Hello all,
On Fri, 13 Aug 2004 trevor-os at thennion.demon.co.uk wrote:

>I'm afraid that you are missing the point. If you have done everything right
>it would be working!

I *know* that, I've written something like that myself in my first mail.
The problem is that I have no idea how to find out *what* I've done

>You haven't got it to work therefore you STILL have something wrong - eg this
>shows in your Oakley log:
> 8-13: 02:28:36:250:d20 IKE failed to find valid machine certificate

Exactly that *is* the problem. How can I find out *why* Windows posts
this, even though I seem to have included the certs in the right places.

>The certificates may be in the correct places. When you try to initiate the
>VPN, it looks for a certificate that matches details in the XP's ipsec.conf
>file. The rightca=" " should contain the Issuer details from your personal
>certificate. A simple typo in that line will cause it all to fail.

The problem is: as far as I can tell, there *is* no typo. That actually
was the first thing I looked at. Furthermore, I've tried the ID now with
spaces after every comma, without spaces after commas, with and
without spaces before and/or after every '=' of the name.

Can Windows give me any clue what it expects for ID? I fail to see any
misspelling whatsoever.

>I have always put an email address in the certificate - you haven't shown that
>in your XP's ipsec.conf file. Could it be that XP is being fussy about the

I've tried with other certificates with e-mail addresses before, and the
error was the same. But I will create another cert with an e-mail
address and try that one again later tonight, when I'll be back at my XP

>From your Linux ipsec.conf file:
> conn g2n
>     auto=add
>     # lokale Seite
>     left=kassandra.21st-hq.de
>     leftcert=GatewayCert.pem
>     # entfernte Seite
>     right=%any
>     rightsubnetwithin=

>However I would expect to see a rightid="C=DE, ...." that matches the subject
>line of your XP's certificate - except mine show ST=Berkshire on the Linux
>box, while the XP certificate only shows S=Berkshire.

When I use a rightid, that binds the connection description to just one
certificate, AFAIK. That's the reason there isn't any such line - the
connection has to work from a number of different Linux and XP machines,
all with distinct certs.

Thanks for your help so far.

Kasi Mir
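A small checker for the rightid/rightca mismatch discussed in this thread, added here as an example and not part of the thread or of Openswan: it normalizes the spacing variants the poster tried and the S=/ST= abbreviation difference mentioned in the quoted reply, then reports which RDN still differs. The alias table and the exact comparison of values are assumptions for this helper, not Openswan's own matching rules.

```python
"""Check an ipsec.conf rightid/rightca string against a certificate DN.

Constructed example for the thread above, not Openswan code. It tolerates the
spacing variants the poster tried (spaces after commas and around '=') and the
Windows "S=" abbreviation for "ST=" noted in the quoted reply, then reports
each RDN that still differs.
"""
import re

# Attribute spellings that name the same RDN type (assumption: only the
# S/ST and E/emailAddress pairs are mapped; extend if your certs use others).
ALIASES = {"S": "ST", "E": "EMAILADDRESS"}


def parse_dn(dn):
    """Split a DN into an ordered list of (ATTR, value) pairs.

    Accepts both 'C=DE, ST=Berkshire, CN=x' and OpenSSL's legacy
    '/C=DE/ST=Berkshire/CN=x' form. Attribute names are upper-cased and
    aliased; values are kept exactly (assumption: a case difference in a
    value should be reported, not hidden). A backslash-escaped comma is
    part of the value.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        items = [p for p in dn.split("/") if p]
    else:
        items = re.split(r"(?<!\\),", dn)
    pairs = []
    for item in items:
        if "=" not in item:
            raise ValueError("not an attr=value pair: %r" % item)
        attr, value = item.split("=", 1)
        attr = attr.strip().upper()
        pairs.append((ALIASES.get(attr, attr), value.strip().replace("\\,", ",")))
    return pairs


def explain_mismatch(conf_dn, cert_dn):
    """Return human-readable differences; an empty list means the DNs match."""
    conf, cert = parse_dn(conf_dn), parse_dn(cert_dn)
    diffs = []
    for i, (c, x) in enumerate(zip(conf, cert)):
        if c != x:
            diffs.append("RDN %d: ipsec.conf has %s=%r, certificate has %s=%r"
                         % (i, c[0], c[1], x[0], x[1]))
    if len(conf) != len(cert):
        diffs.append("ipsec.conf has %d RDNs, certificate has %d" % (len(conf), len(cert)))
    return diffs


if __name__ == "__main__":
    # Constructed sample: config written with spaces, cert shown Windows-style.
    for line in explain_mismatch("C=DE, ST=Berkshire, CN=roadwarrior",
                                 "C=DE,S=Berkshire,CN=roadwarrior-2") or ["match"]:
        print(line)
```

Feed it the DN exactly as it appears in ipsec.conf and the subject or issuer line printed for the certificate; a report of a differing RDN points at the field to correct, and an empty report means the remaining problem is not the DN spelling.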
