[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509

Andreas Steffen andreas.steffen at strongsec.net
Tue Jul 13 10:17:14 CEST 2004


Robert W. Burgholzer wrote:
> Hello,
> I am trying to use msl2tp.exe on a windows 98 machine to connect to a 
> road-warrior linux freeswan 2.04. The linux server gateway is 
> successfully serving a static subnet-to-subnet vpn with another linux 
> server, and 2 road-warrior win XP clients (both behind NAT cable modems).
> 
> The x509 certificates were generated with the same procedure as before, 
> and the l2tp setup was done according to the docs at: 
> http://www.jacco2.dds.nl/networking/msl2tp.html .  The connection is 
> initiated, but fails. The messages that look strange to me are "crl 
> update is overdue since..." and of course, "INVALID_CERTIFICATE".  I 
> should note that my other connections, that are still functioning, also 
> complain of an overdue crl, but they still function (and if anyone knows 
> how to solve that, it would be welcome too). I get the following in my 
> secure log when trying to establish (x.y.z.w is subbed for my client's IP):
> 
> Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: 
> received Vendor ID Payload; ASCII hash: 
> G;gI\023q|\0234fP[V\134he\001\002\001\001\002\001\001\003\0208.1.0 
> (Build 10)
> Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: 
> received Vendor ID Payload; ASCII hash: 0%[R\020b9e=DAF*5)6
> Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: 
> received Vendor ID Payload; ASCII hash: Z\016\023x
> Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: 
> received Vendor ID Payload; ASCII hash: \011
> Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: 
> ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: Peer 
> ID is ID_DER_ASN1_DN: 'C=US, ST=Virginia, L=Christiansburg, O=MapTech 
> Incorporated, OU=Field Services, CN=annex, E=rburgholzer at maptech-inc.com'
> Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: crl 
> update is overdue since May 15 15:17:16 UTC 2004
> Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: crl 
> update is overdue since May 15 15:17:16 UTC 2004

*swan's default setting in the config setup section of ipsec.conf is

    strictcrlpolicy=no

So even if the nextUpdate deadline of a CRL is overdue, the negotiation
is still allowed to complete. But if you set

    strictcrlpolicy=yes

then the X.509 certificate will be rejected by *swan.

> Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: sent 
> MR3, ISAKMP SA established
> Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: 
> ignoring informational payload, type INVALID_CERTIFICATE

This is an informational payload sent by the peer side which apparently
enforces a strict CRL policy.

> Thanks in advance,
> r.b.
> 
> 
> 
> Robert Burgholzer
> Environmental Engineer
> MapTech Inc.
> http://www.maptech-inc.com/

Regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
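The check behind the "crl update is overdue since ..." message, as an added
example that is not part of this thread and not *swan code: a throwaway CA
issues a CRL with a short lifetime, and a small shell function compares the
CRL's nextUpdate against a given "now", which is exactly the condition pluto
logs (and, with strictcrlpolicy=yes, acts on). The CA, file names and the
function names are constructed for the example; it assumes openssl is
installed and that date(1) accepts -d (GNU) or -j -f (BSD).

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "crl update is overdue"
# condition with a throwaway CA and check a CRL's nextUpdate the way pluto does
# (nextUpdate already in the past => overdue). Assumes openssl and a date(1)
# that accepts -d (GNU) or -j -f (BSD). The CA below is constructed for the
# example and must not be used for anything real.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_ca: throwaway CA key/cert plus the minimal 'openssl ca' config that
# 'openssl ca -gencrl' needs (a database file and a digest).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=Example CA/CN=Example Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database   = index.txt
default_md = sha256
EOF
    : > "$WORK/index.txt"
}

# issue_crl HOURS: sign an (empty) CRL whose nextUpdate is HOURS from now.
issue_crl() {
    ( cd "$WORK" && openssl ca -config ca.cnf -gencrl -crlhours "$1" \
          -keyfile ca.key -cert ca.crt -out ca.crl >/dev/null 2>&1 )
}

# crl_next_update_epoch FILE: nextUpdate of FILE as a Unix timestamp.
crl_next_update_epoch() {
    nu=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    date -u -d "$nu" +%s 2>/dev/null \
        || date -j -u -f "%b %d %H:%M:%S %Y %Z" "$nu" +%s
}

# crl_overdue FILE NOW: true when nextUpdate < NOW, the test pluto applies
# before logging "crl update is overdue since <nextUpdate>".
crl_overdue() {
    [ "$(crl_next_update_epoch "$1")" -lt "$2" ]
}

# crl_status FILE NOW: prints "overdue" or "current".
crl_status() {
    if crl_overdue "$1" "$2"; then echo overdue; else echo current; fi
}

make_test_ca
issue_crl 1                       # CRL valid for one more hour
NOW=$(date -u +%s)
openssl crl -in "$WORK/ca.crl" -noout -lastupdate -nextupdate
echo "checked now:          $(crl_status "$WORK/ca.crl" "$NOW")"
echo "checked two hours on: $(crl_status "$WORK/ca.crl" $((NOW + 7200)))"
```

Run crl_next_update_epoch against the CRL files the gateway actually loads
(the ones under /etc/ipsec.d/crls) rather than the throwaway one: a result
that is already in the past is what produces the log line above. With
strictcrlpolicy=no that is only a warning, so fetch a fresh CRL from the CA
and re-read it before switching to strictcrlpolicy=yes, or every peer signed
by that CA will be rejected the way the Windows side rejected this one.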