[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509
Robert W. Burgholzer
rburgholzer at maptech-inc.com
Tue Jul 13 11:59:47 CEST 2004
Andreas,
Thanks for the info regarding the warnings about my crl being out of date.
I updated that, and those errors disappeared. However, my client still will
not connect, with the problem appearing to be: "Microsoft IPsec
VPN\L2TP/IPsec - Certificate verification failed: Invalid certificate
signature". Of course, I signed this certificate just as I signed my
others. And, the MS client is selecting the appropriate certificate. I
guess I am wondering, is the MSL2TP saying that IT has the wrong cert, or
the gateway? I am at a loss. Any help would be great.
The contents of the isakmp.log on the windows machine are as follows:
7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 1 (IP
ADDR=12.5.17.226)
7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match with
remote address w.x.y.z.
7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP
OAK MM
(SA, VID, VID, VID)
7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP
OAK MM
(SA)
7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP
OAK MM
(KE, NON, VID, VID, VID, VID)
7-13: 09:42:30.790 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP
OAK MM
(KE, NON, CERT_REQ)
7-13: 09:42:31.610 Microsoft IPsec VPN\L2TP/IPsec - Using auto-selected user
certificate "myhost.mycompany.com's My Company Network ID".
7-13: 09:42:31.780 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP
OAK MM
*(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
7-13: 09:42:32.050 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP
OAK MM
*(ID, CERT, SIG)
7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Certificate verification
failed: Invalid certificate signature
7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
INFO *(HASH, NOTIFY:INVALID_CERT)
7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Discarding IKE SA
negotiation
7-13: 09:42:32.160 MY COOKIE ba 99 d4 ff e2 87 47 72
7-13: 09:42:32.160 HIS COOKIE d8 58 b4 9 6a f4 2b 14
At 09:17 AM 7/13/2004 +0200, you wrote:
>Robert W. Burgholzer wrote:
>>Hello,
>>I am trying to use msl2tp.exe on a windows 98 machine to connect to a
>>road-warrior linux freeswan 2.04. The linux server gateway is
>>successfully serving a static subnet-to-subnet vpn with another linux
>>server, and 2 road-warrior win XP clients (both behind NAT cable modems).
>>The x509 certificates were generated with the same procedure as before,
>>and the l2tp set up was done according to the docs at:
>>http://www.jacco2.dds.nl/networking/msl2tp.html . The connection is
>>initiated, but fails. The messages that look strange to me are "crl
>>update is overdue since..." and of course, "INVALID_CERTIFICATE". I
>>should note that my other connections, that are still functioning also
>>complain of an overdue crl, but they still function (and if anyone knows
>>how to solve that, it would be welcome too). I get the following in my
>>secure log when trying to establish (x.y.z.w is subbed for my client's IP):
>>Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w#6: received
>>Vendor ID Payload; ASCII hash:
>>G;gI\023q|\0234fP[V\134he\001\002\001\001\002\001\001\003\0208.1.0 (Build 10)
>>Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6:
>>received Vendor ID Payload; ASCII hash: 0%[R\020b9e=DAF*5)6
>>Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6:
>>received Vendor ID Payload; ASCII hash: Z\016\023x
>>Jul 12 18:30:55 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6:
>>received Vendor ID Payload; ASCII hash: \011
>>Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6:
>>ignoring informational payload, type IPSEC_INITIAL_CONTACT
>>Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: Peer ID
>>is ID_DER_ASN1_DN: 'C=US, ST=Virginia, L=Christiansburg, O=MapTech
>>Incorporated, OU=Field Services, CN=annex, E=rburgholzer at maptech-inc.com'
>>Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: crl
>>update is overdue since May 15 15:17:16 UTC 2004
>>Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: crl
>>update is overdue since May 15 15:17:16 UTC 2004
>
>*swan's default setting in the config setup section of ipsec.conf is
>
> strictcrlpolicy=no
>
>So even if the nextUpdate deadline of a CRL is overdue the negotiation
>is still allowed to complete. But if you set
>
> strictcrlpolicy=yes
>
>then the X.509 certificate will be rejected by *swan.
>
>>Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6: sent
>>MR3, ISAKMP SA established
>>Jul 12 18:30:56 www2 pluto[32439]: "maptech-annex"[4] x.y.z.w #6:
>>ignoring informational payload, type INVALID_CERTIFICATE
>
>This is an informational payload sent by the peer side which apparently
>enforces a strict CRL policy.
>
>>Thanks in advance,
>>r.b.
>>
>>Robert Burgholzer
>>Environmental Engineer
>>MapTech Inc.
>>http://www.maptech-inc.com/
>
>Regards
>
>Andreas
>
>=======================================================================
>Andreas Steffen e-mail: andreas.steffen at strongsec.com
>strongSec GmbH home: http://www.strongsec.com
>Alter Zürichweg 20 phone: +41 1 730 80 64
>CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
>==========================================[strong internet security]===
>_______________________________________________
>Users mailing list
>Users at lists.openswan.org
>http://lists.openswan.org/mailman/listinfo/users
Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/
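As an added example that is not part of the original thread, the POSIX shell script below uses plain openssl(1) to reproduce the two conditions the thread touches: a peer certificate that fails signature verification under the CA the verifier trusts (the client's "Invalid certificate signature"), and a CRL whose nextUpdate has passed, handled either strictly or leniently in the way Andreas describes for strictcrlpolicy. The CA names (lab-ca, other-ca), the host name gw.example.test, the temporary directory layout and the accept_peer helper are all made up for the demonstration; nothing here is Openswan or MSL2TP code.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce with openssl(1)
#   1. a certificate whose signature does not verify under a trusted CA that
#      has the right subject name but a different key ("certificate
#      signature failure"), and
#   2. a CRL that is past its nextUpdate, rejected under a strict CRL policy
#      and tolerated under a lenient one (cf. strictcrlpolicy=yes|no).
# All names (lab-ca, other-ca, gw.example.test) are constructed for this demo.
set -eu

LAB=$(mktemp -d)
cd "$LAB"

# Self-signed CA valid 30 days. Two CAs with the SAME subject but different
# keys model a verifier that trusts a stale or regenerated copy of the CA.
make_ca() {   # $1 = file stem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab VPN CA" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Gateway certificate issued by CA $1, written to gw.crt
# (no -extfile, so no AKID: issuer matching happens purely by name)
make_gw_cert() {   # $1 = issuing CA stem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gw.example.test" \
        -keyout gw.key -out gw.csr 2>/dev/null
    openssl x509 -req -in gw.csr -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 30 -out gw.crt 2>/dev/null
}

# Minimal 'openssl ca' setup so CA $1 can issue an (empty) CRL valid $2 days.
make_crl() {   # $1 = CA stem, $2 = CRL lifetime in days; writes $1.crl
    : > "$1.index"
    cat > "$1.cnf" <<EOF
[ ca ]
default_ca = lab
[ lab ]
database    = $1.index
certificate = $1.crt
private_key = $1.key
default_md  = sha256
EOF
    openssl ca -config "$1.cnf" -gencrl -crldays "$2" -out "$1.crl" 2>/dev/null
}

# Verify gw.crt against trust anchor $1, optionally with CRL $2 and as of
# epoch time $3 (empty = now). Prints OK, BAD_SIGNATURE, CRL_EXPIRED or OTHER.
verify_gw() {   # $1 = CA stem, $2 = CRL file or "", $3 = epoch seconds or ""
    bundle="$1.crt"
    opts=""
    if [ -n "$2" ]; then
        cat "$1.crt" "$2" > "$1.bundle"   # -CAfile may carry certs and CRLs
        bundle="$1.bundle"
        opts="-crl_check"
    fi
    if [ -n "$3" ]; then
        opts="$opts -attime $3"
    fi
    if out=$(openssl verify $opts -CAfile "$bundle" gw.crt 2>&1); then
        echo OK
    elif echo "$out" | grep -q "certificate signature failure"; then
        echo BAD_SIGNATURE
    elif echo "$out" | grep -q "CRL has expired"; then
        echo CRL_EXPIRED
    else
        echo OTHER
    fi
}

# The policy decision, modelled on strictcrlpolicy: "yes" rejects on any CRL
# problem, "no" tolerates an overdue CRL but still rejects a bad signature.
accept_peer() {   # $1 = yes|no, $2 = verdict from verify_gw
    case "$1:$2" in
        *:OK)            echo ACCEPT ;;
        no:CRL_EXPIRED)  echo "ACCEPT (crl update is overdue)" ;;
        *)               echo REJECT ;;
    esac
}

make_ca lab-ca
make_ca other-ca           # same DN as lab-ca, different key
make_gw_cert lab-ca
make_crl lab-ca 1

NOW=$(date +%s)
LATER=$((NOW + 2 * 86400))  # two days on: certs still valid, 1-day CRL overdue

echo "right CA, fresh CRL:   $(verify_gw lab-ca lab-ca.crl "")"
echo "same DN, wrong key:    $(verify_gw other-ca "" "")"
echo "right CA, CRL overdue: $(verify_gw lab-ca lab-ca.crl "$LATER")"
echo "strictcrlpolicy=no  -> $(accept_peer no  "$(verify_gw lab-ca lab-ca.crl "$LATER")")"
echo "strictcrlpolicy=yes -> $(accept_peer yes "$(verify_gw lab-ca lab-ca.crl "$LATER")")"
```

The second case is the one to keep in mind when reading the isakmp.log above: a trust anchor with the expected name but a different key produces exactly a signature-verification failure on the verifying side, so comparing the CA certificate installed on the client with the one that actually issued the gateway's certificate is a cheap first check. The third case shows the difference between the two strictcrlpolicy settings without waiting for a real CRL to lapse, by verifying "as of" a future time with -attime.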