[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509
Robert W. Burgholzer
rburgholzer at maptech-inc.com
Tue Jul 13 16:08:32 CEST 2004
Andreas,
My pleasure. Here it is:
[root at www2 root]# ipsec auto --listall
000
000 List of Public Keys:
000
000 Jul 13 14:52:13 2004, 2048 RSA Key AwEAAbtrv, until Apr 15 10:47:50 2005 ok
000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Dayton, O=MapTech Incorporated, OU=Environmental, CN=rbodkin.maptech-inc.com, E=rbodkin at maptech-inc.com'
000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 Jul 13 14:49:42 2004, 2048 RSA Key AwEAAate8, until Apr 15 10:47:50 2005 ok
000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Christiansburg, O=MapTech Incorporated, OU=fieldservices, CN=annex.maptech-inc.com, E=efitchett at maptech-inc.com'
000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 Jul 13 14:27:26 2004, 2048 RSA Key AwEAAca/6, until Apr 15 10:47:50 2005 ok
000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech Incorporated, OU=Network, CN=soulswimmer.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 Jul 13 14:27:23 2004, 2048 RSA Key AwEAAc4dT, until Apr 15 10:47:50 2005 ok
000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech Incorporated, OU=Engineering, CN=robertwb.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 Jul 13 14:27:21 2004, 2048 RSA Key AwEAAdR5c, until Apr 13 10:52:47 2014 ok
000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000
000 List of X.509 End Certificates:
000
000 Jul 13 14:27:21 2004, count: 7
000 subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 issuer: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 serial: 01
000 pubkey: 2048 RSA Key AwEAAdR5c, has private key
000 validity: not before Apr 15 10:52:47 2004 ok
000 not after Apr 13 10:52:47 2014 ok
000 subjkey: ed:f9:71:ac:db:77:1b:a2:0c:f1:bb:95:f2:b9:79:fc:6c:9a:d4:53
000 authkey: c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
000 aserial: 00
000
000 List of X.509 CA Certificates:
000
000 Jul 13 14:27:20 2004, count: 1
000 subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 issuer: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 serial: 00
000 pubkey: 2048 RSA Key AwEAAZyX3
000 validity: not before Apr 15 10:47:50 2004 ok
000 not after Apr 15 10:47:50 2005 ok
000 subjkey: c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
000 authkey: c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
000 aserial: 00
000
000 List of X.509 CRLs:
000
000 Jul 13 14:27:20 2004, revoked certs: 0
000 issuer: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer at maptech-inc.com'
000 distPts: 'file:///etc/ipsec.d/crls/crl.pem'
000 updates: this Jul 13 09:40:07 2004
000 next Aug 12 09:40:07 2004 ok
At 08:49 PM 7/13/2004 +0200, you wrote:
>Hi Robert,
>
>could you send me the output of the command
>
> ipsec auto --listall
>
>which would give me an overview over the certificate and key situation
>on the Linux gateway?
>
>Regards
>
>Andreas
>
>Robert W. Burgholzer wrote:
>
>>Andreas,
>>Thanks for the info regarding the warnings about my crl being out of
>>date. I updated that, and those errors disappeared. However, my client
>>still will not connect, with the problem appearing to be: "Microsoft
>>IPsec VPN\L2TP/IPsec - Certificate verification failed: Invalid
>>certificate signature". Of course, I signed this certificate just as I
>>signed my others. And, the MS client is selecting the appropriate
>>certificate. I guess I am wondering, is the MSL2TP saying that IT has the
>>wrong cert, or the gateway? I am at a loss. Any help would be great.
>>
>>The contents of the isakmp.log on the windows machine is as follows:
>> 7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 1 (IP ADDR=12.5.17.226)
>> 7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match with remote address w.x.y.z.
>> 7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (SA, VID, VID, VID)
>> 7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (SA)
>> 7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM (KE, NON, VID, VID, VID, VID)
>> 7-13: 09:42:30.790 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM (KE, NON, CERT_REQ)
>> 7-13: 09:42:31.610 Microsoft IPsec VPN\L2TP/IPsec - Using auto-selected user certificate "myhost.mycompany.com's My Company Network ID".
>> 7-13: 09:42:31.780 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
>> 7-13: 09:42:32.050 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK MM *(ID, CERT, SIG)
>> 7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Certificate verification failed: Invalid certificate signature
>> 7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_CERT)
>> 7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Discarding IKE SA negotiation
>> 7-13: 09:42:32.160 MY COOKIE ba 99 d4 ff e2 87 47 72
>> 7-13: 09:42:32.160 HIS COOKIE d8 58 b4 9 6a f4 2b 14
>
>=======================================================================
>Andreas Steffen e-mail: andreas.steffen at strongsec.com
>strongSec GmbH home: http://www.strongsec.com
>Alter Zürichweg 20 phone: +41 1 730 80 64
>CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
>==========================================[strong internet security]===
Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/
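
Added example, not part of the original message or of Openswan: a consistency check over `ipsec auto --listall` output that matches each end certificate's authkey to a loaded CA's subjkey and flags a certificate whose subject and issuer DNs are identical although its key identifiers differ, the naming overlap visible in the listing above. The function names, the placeholder DNs and key IDs in the constructed sample, and the assumption that each field sits on one unwrapped line are mine.

```python
import re

# Constructed sample in the layout of `ipsec auto --listall` (placeholder DNs and key IDs).
SAMPLE = """\
000 List of X.509 End Certificates:
000 Jul 13 14:27:21 2004, count: 7
000        subject:  'O=Example, CN=gw.example.test'
000        issuer:   'O=Example, CN=gw.example.test'
000        subjkey:   aa:01
000        authkey:   cc:03
000
000 List of X.509 CA Certificates:
000 Jul 13 14:27:20 2004, count: 1
000        subject:  'O=Example, CN=gw.example.test'
000        issuer:   'O=Example, CN=gw.example.test'
000        subjkey:   cc:03
000        authkey:   cc:03
"""

FIELD = re.compile(r"^000\s+(subject|issuer|subjkey|authkey):\s*(.+?)\s*$")
SECTION = re.compile(r"^000 List of X\.509 (End|CA) Certificates:")

def parse_listall(text):
    """Return {'End': [...], 'CA': [...]} with one dict per listed certificate."""
    certs, section = {"End": [], "CA": []}, None
    for line in text.splitlines():
        if line.startswith("000 List of"):
            m = SECTION.match(line)
            section = m.group(1) if m else None  # ignore key and CRL lists
        elif section and (m := FIELD.match(line)):
            if m.group(1) == "subject":          # 'subject:' opens a new record
                certs[section].append({})
            certs[section][-1][m.group(1)] = m.group(2).strip("'")
    return certs

def check_chain(certs):
    """Return (subject, finding) pairs for end certs with inconsistent issuer data."""
    ca_by_key = {ca.get("subjkey"): ca for ca in certs["CA"]}
    findings = []
    for c in certs["End"]:
        ca = ca_by_key.get(c.get("authkey"))
        if ca is None:
            findings.append((c["subject"], "no loaded CA matches authkey"))
        elif ca["subject"] != c["issuer"]:
            findings.append((c["subject"], "issuer DN differs from CA subject DN"))
        if c["subject"] == c["issuer"] and c.get("subjkey") != c.get("authkey"):
            findings.append((c["subject"], "subject DN equals issuer DN but is not self-signed"))
    return findings
```
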