[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509

Andreas Steffen andreas.steffen at strongsec.net
Tue Jul 13 22:19:44 CEST 2004


Why is the Linux gateway's certificate self-signed, with the
same distinguished name as your CA certificate but a different public key?
Your Windows peer will not be able to put trust into this certificate.
With a correct setup all end certificates should be signed by the private
key of your CA.

Regards

Andreas

Robert W. Burgholzer wrote:

> Andreas,
> My pleasure. Here it is:
> 
> [root at www2 root]# ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 Jul 13 14:52:13 2004, 2048 RSA Key AwEAAbtrv, until Apr 15 10:47:50 
> 2005 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Dayton, O=MapTech 
> Incorporated, OU=Environmental, CN=rbodkin.maptech-inc.com, 
> E=rbodkin at maptech-inc.com'
> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000 Jul 13 14:49:42 2004, 2048 RSA Key AwEAAate8, until Apr 15 10:47:50 
> 2005 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Christiansburg, 
> O=MapTech Incorporated, OU=fieldservices, CN=annex.maptech-inc.com, 
> E=efitchett at maptech-inc.com'
> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000 Jul 13 14:27:26 2004, 2048 RSA Key AwEAAca/6, until Apr 15 10:47:50 
> 2005 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech 
> Incorporated, OU=Network, CN=soulswimmer.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000 Jul 13 14:27:23 2004, 2048 RSA Key AwEAAc4dT, until Apr 15 10:47:50 
> 2005 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech 
> Incorporated, OU=Engineering, CN=robertwb.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000 Jul 13 14:27:21 2004, 2048 RSA Key AwEAAdR5c, until Apr 13 10:52:47 
> 2014 ok
> 000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 Jul 13 14:27:21 2004, count: 7
> 000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        serial:   01
> 000        pubkey:   2048 RSA Key AwEAAdR5c, has private key
> 000        validity: not before Apr 15 10:52:47 2004 ok
> 000                  not after  Apr 13 10:52:47 2014 ok
> 000        subjkey: 
> ed:f9:71:ac:db:77:1b:a2:0c:f1:bb:95:f2:b9:79:fc:6c:9a:d4:53
> 000        authkey: 
> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
> 000        aserial:  00
> 000
> 000 List of X.509 CA Certificates:
> 000
> 000 Jul 13 14:27:20 2004, count: 1
> 000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        serial:   00
> 000        pubkey:   2048 RSA Key AwEAAZyX3
> 000        validity: not before Apr 15 10:47:50 2004 ok
> 000                  not after  Apr 15 10:47:50 2005 ok
> 000        subjkey: 
> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
> 000        authkey: 
> c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
> 000        aserial:  00
> 000
> 000 List of X.509 CRLs:
> 000
> 000 Jul 13 14:27:20 2004, revoked certs: 0
> 000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
> Incorporated, OU=Network, CN=www2.maptech-inc.com, 
> E=rburgholzer at maptech-inc.com'
> 000        distPts: 'file:///etc/ipsec.d/crls/crl.pem'
> 000        updates:  this Jul 13 09:40:07 2004
> 000                  next Aug 12 09:40:07 2004 ok
> 
> 
> 
> At 08:49 PM 7/13/2004 +0200, you wrote:
> 
>> Hi Robert,
>>
>> could you send me the output of the command
>>
>>   ipsec auto --listall
>>
>> which would give me an overview over the certificate and key situation
>> on the Linux gateway?
>>
>> Regards
>>
>> Andreas
>>
>> Robert W. Burgholzer wrote:
>>
>>> Andreas,
>>> Thanks for the info regarding the warnings about my crl being out of 
>>> date. I updated that, and those errors disappeared. However, my 
>>> client still will not connect, with the problem appearing to be: 
>>> "Microsoft IPsec VPN\L2TP/IPsec - Certificate verification failed: 
>>> Invalid certificate signature". Of course, I signed this certificate 
>>> just as I signed my others. And, the MS client is selecting the 
>>> appropriate certificate. I guess I am wondering, is the MSL2TP saying 
>>> that IT has the wrong cert, or the gateway? I am at a loss. Any help 
>>> would be great.
>>>
>>> The contents of the isakmp.log on the windows machine is as follows:
>>> 7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE 
>>> Phase 1 (IP
>>> ADDR=12.5.17.226)
>>>  7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Generic entry 
>>> match with
>>> remote address w.x.y.z.
>>>  7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>> ISAKMP OAK MM
>>> (SA, VID, VID, VID)
>>>  7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< 
>>> ISAKMP OAK MM
>>> (SA)
>>>  7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>> ISAKMP OAK MM
>>> (KE, NON, VID, VID, VID, VID)
>>>  7-13: 09:42:30.790 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< 
>>> ISAKMP OAK MM
>>> (KE, NON, CERT_REQ)
>>>  7-13: 09:42:31.610 Microsoft IPsec VPN\L2TP/IPsec - Using 
>>> auto-selected user
>>> certificate "myhost.mycompany.com's My Company Network ID".
>>>  7-13: 09:42:31.780 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>> ISAKMP OAK MM
>>> *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
>>>  7-13: 09:42:32.050 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< 
>>> ISAKMP OAK MM
>>> *(ID, CERT, SIG)
>>>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Certificate 
>>> verification
>>> failed: Invalid certificate signature
>>>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>> ISAKMP OAK
>>> INFO *(HASH, NOTIFY:INVALID_CERT)
>>>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Discarding IKE SA
>>> negotiation
>>>  7-13: 09:42:32.160    MY COOKIE ba 99 d4 ff e2 87 47 72
>>>  7-13: 09:42:32.160    HIS COOKIE d8 58 b4 9 6a f4 2b 14
>>
>>
> 
> 
> Robert Burgholzer
> Environmental Engineer
> MapTech Inc.
> http://www.maptech-inc.com/
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 


-- 
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
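As an added example (not code from the thread or from Openswan): a small stdlib-only Python script that parses the certificate sections of `ipsec auto --listall` output and reports the situation Andreas describes, an end certificate whose subject equals its issuer and whose DN matches the CA's while its public key differs. The sample is constructed from the listing above with the DNs abridged and the mail-wrapped lines rejoined; on a real gateway the output is read straight from the command.

```python
import re

# Constructed sample in the layout of `ipsec auto --listall`, abridged from the thread.
LISTALL = """\
000 List of X.509 End Certificates:
000 Jul 13 14:27:21 2004, count: 7
000        subject: 'C=US, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com'
000        issuer:  'C=US, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com'
000        pubkey:   2048 RSA Key AwEAAdR5c, has private key
000        subjkey:  ed:f9:71:ac:db:77:1b:a2:0c:f1:bb:95:f2:b9:79:fc:6c:9a:d4:53
000        authkey:  c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
000 List of X.509 CA Certificates:
000 Jul 13 14:27:20 2004, count: 1
000        subject: 'C=US, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com'
000        pubkey:   2048 RSA Key AwEAAZyX3
000        subjkey:  c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
"""
SECTION_RE = re.compile(r"^000 List of X\.509 (End|CA) Certificates:")
ENTRY_RE = re.compile(r"^000 \w{3} +\d+ [\d:]+ \d{4}, count: \d+")
FIELD_RE = re.compile(r"^000\s+(\w+):\s*(.*)$")

def parse_listall(text):
    """Group the certificate entries under their 'End' / 'CA' headings."""
    certs, section, cur = {"End": [], "CA": []}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m or line.startswith("000 List of"):     # new section, or one we skip
            section, cur = (m.group(1) if m else None), None
        elif section and ENTRY_RE.match(line):       # a date line opens an entry
            certs[section].append(cur := {})
        elif section and cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2).strip().strip("'")
    return certs

def key_id(cert):  # the short key identifier Openswan prints, e.g. 'AwEAAdR5c'
    return cert.get("pubkey", "").split(" Key ")[-1].split(",")[0]

def check_chain(certs):
    """Return the problems a peer hits when chaining each end cert to the loaded CAs."""
    out = []
    for end in certs["End"]:
        name, cas = end["subject"], certs["CA"]
        if end["subject"] == end["issuer"]:
            out.append(f"{name}: subject equals issuer, so it looks self-signed, not CA-issued")
        if any(c["subject"] == end["subject"] and key_id(c) != key_id(end) for c in cas):
            out.append(f"{name}: same DN as a CA certificate but a different public key")
        issuers = [c for c in cas if c["subject"] == end["issuer"]]
        if issuers and not any(c.get("subjkey") == end.get("authkey") for c in issuers):
            out.append(f"{name}: authkey does not match the issuing CA's subjkey")
    return out
```

Running `check_chain(parse_listall(LISTALL))` on the sample yields the two findings that match the diagnosis in the reply; a correctly issued end certificate (distinct DN, issuer equal to the CA subject, authkey equal to the CA subjkey) produces none.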

