[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509

Andreas Steffen andreas.steffen at strongsec.net
Tue Jul 13 21:49:35 CEST 2004


Hi Robert,

could you send me the output of the command

   ipsec auto --listall

which would give me an overview of the certificate and key situation
on the Linux gateway?

Regards

Andreas

Robert W. Burgholzer wrote:

> Andreas,
> Thanks for the info regarding the warnings about my crl being out of 
> date. I updated that, and those errors disappeared. However, my client 
> still will not connect, with the problem appearing to be: "Microsoft 
> IPsec VPN\L2TP/IPsec - Certificate verification failed: Invalid 
> certificate signature". Of course, I signed this certificate just as I 
> signed my others. And, the MS client is selecting the appropriate 
> certificate. I guess I am wondering, is the MSL2TP saying that IT has 
> the wrong cert, or the gateway? I am at a loss. Any help would be great.
> 
> 
> The contents of the isakmp.log on the windows machine is as follows:
> 
> 7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 1 (IP ADDR=12.5.17.226)
> 7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match with remote address w.x.y.z.
> 7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (SA, VID, VID, VID)
> 7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (SA)
> 7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (KE, NON, VID, VID, VID, VID)
> 7-13: 09:42:30.790 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (KE, NON, CERT_REQ)
> 7-13: 09:42:31.610 Microsoft IPsec VPN\L2TP/IPsec - Using auto-selected user certificate "myhost.mycompany.com's My Company Network ID".
> 7-13: 09:42:31.780 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
> 7-13: 09:42:32.050 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM *(ID, CERT, SIG)
> 7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Certificate verification failed: Invalid certificate signature
> 7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_CERT)
> 7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Discarding IKE SA negotiation
>  7-13: 09:42:32.160    MY COOKIE ba 99 d4 ff e2 87 47 72
>  7-13: 09:42:32.160    HIS COOKIE d8 58 b4 9 6a f4 2b 14
> 

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
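
Added example, not part of the original messages: a small Python triage script for a client log in the format quoted above. It strips the mail quoting, rejoins wrapped lines, lists the ISAKMP messages in order, and reports which side sent NOTIFY:INVALID_CERT. The function names and the `starred` field (the `*` before a payload list) are assumptions of this example.

```python
import re

# Constructed sample: entries in the isakmp.log format quoted above,
# including the mail-client line wrapping and "> " quoting.
SAMPLE = r"""
>  7-13: 09:42:31.780 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP
> OAK MM
> *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
>  7-13: 09:42:32.050 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP
> OAK MM
> *(ID, CERT, SIG)
>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Certificate
> verification
> failed: Invalid certificate signature
>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
> INFO *(HASH, NOTIFY:INVALID_CERT)
"""

TIMESTAMP = re.compile(r"^\d{1,2}-\d{1,2}: \d\d:\d\d:\d\d\.\d{3}\s")
MESSAGE = re.compile(r"(SENDING>>>>|RECEIVED<<<) ISAKMP OAK (\w+) (\*?)\((.*)\)")

def unwrap(text):
    """Strip '>' quoting and rejoin continuation lines onto their timestamped entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if line and (TIMESTAMP.match(line) or not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def isakmp_messages(text):
    """Return (direction, exchange, starred, payloads) for each ISAKMP message logged."""
    out = []
    for entry in unwrap(text):
        m = MESSAGE.search(entry)
        if m:
            direction = "sent" if m.group(1).startswith("SENDING") else "received"
            out.append((direction, m.group(2), m.group(3) == "*", m.group(4).split(", ")))
    return out

def cert_rejected_by(text):
    """'local' if this host sent NOTIFY:INVALID_CERT, 'peer' if it received one, else None."""
    for direction, _exchange, _starred, payloads in isakmp_messages(text):
        if "NOTIFY:INVALID_CERT" in payloads:
            return "local" if direction == "sent" else "peer"
    return None
```
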