[Openswan Users] Win98 l2tp INVALID_CERTIFICATE x509

Robert W. Burgholzer rburgholzer at maptech-inc.com
Tue Jul 13 16:50:21 CEST 2004


Andreas,
I was unaware of any differences. Here is what my situation is intended to be:

Linux Gateway www2 is the CA, as well as the VPN gateway

I created a CA certificate, then a gateway certificate for my gateway as 
per Nate Carlson's How-To, or at least, as per my interpretation. I believe 
that I entered identical values for all but the passphrase and the 
challenge password.  I then stashed this gateway certificate in the 
/etc/ipsec.d/private/ folder. I signed this and other certificates for 
client with the demoCA/cacert.pem file, which I assumed to be my root 
certificate. I guess I have created some confusion in this? How could you 
determine that my public and CA have different names?

I have created a mess, I guess, but how do I solve it: regenerate all (not a 
problem if I have to), or just re-generate my gateway cert?

r.b.



At 09:19 PM 7/13/2004 +0200, you wrote:
>Why is the Linux gateway's certificate self-signed, with the
>same distinguished name but a different public key than your CA certificate?
>Your Windows peer will not be able to put trust into this certificate.
>With a correct setup all end certificates should be signed by the private
>key of your CA.
>
>Regards
>
>Andreas
>
>Robert W. Burgholzer wrote:
>
>>Andreas,
>>My pleasure. Here it is:
>>[root at www2 root]# ipsec auto --listall
>>000
>>000 List of Public Keys:
>>000
>>000 Jul 13 14:52:13 2004, 2048 RSA Key AwEAAbtrv, until Apr 15 10:47:50 
>>2005 ok
>>000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Dayton, O=MapTech 
>>Incorporated, OU=Environmental, CN=rbodkin.maptech-inc.com, 
>>E=rbodkin at maptech-inc.com'
>>000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000 Jul 13 14:49:42 2004, 2048 RSA Key AwEAAate8, until Apr 15 10:47:50 
>>2005 ok
>>000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Christiansburg, O=MapTech 
>>Incorporated, OU=fieldservices, CN=annex.maptech-inc.com, 
>>E=efitchett at maptech-inc.com'
>>000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000 Jul 13 14:27:26 2004, 2048 RSA Key AwEAAca/6, until Apr 15 10:47:50 
>>2005 ok
>>000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech 
>>Incorporated, OU=Network, CN=soulswimmer.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000 Jul 13 14:27:23 2004, 2048 RSA Key AwEAAc4dT, until Apr 15 10:47:50 
>>2005 ok
>>000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Richmond, O=MapTech 
>>Incorporated, OU=Engineering, CN=robertwb.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000 Jul 13 14:27:21 2004, 2048 RSA Key AwEAAdR5c, until Apr 13 10:52:47 
>>2014 ok
>>000        ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        Issuer 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000
>>000 List of X.509 End Certificates:
>>000
>>000 Jul 13 14:27:21 2004, count: 7
>>000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        serial:   01
>>000        pubkey:   2048 RSA Key AwEAAdR5c, has private key
>>000        validity: not before Apr 15 10:52:47 2004 ok
>>000                  not after  Apr 13 10:52:47 2014 ok
>>000        subjkey: 
>>ed:f9:71:ac:db:77:1b:a2:0c:f1:bb:95:f2:b9:79:fc:6c:9a:d4:53
>>000        authkey: 
>>c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>000        aserial:  00
>>000
>>000 List of X.509 CA Certificates:
>>000
>>000 Jul 13 14:27:20 2004, count: 1
>>000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        serial:   00
>>000        pubkey:   2048 RSA Key AwEAAZyX3
>>000        validity: not before Apr 15 10:47:50 2004 ok
>>000                  not after  Apr 15 10:47:50 2005 ok
>>000        subjkey: 
>>c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>000        authkey: 
>>c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
>>000        aserial:  00
>>000
>>000 List of X.509 CRLs:
>>000
>>000 Jul 13 14:27:20 2004, revoked certs: 0
>>000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech 
>>Incorporated, OU=Network, CN=www2.maptech-inc.com, 
>>E=rburgholzer at maptech-inc.com'
>>000        distPts: 'file:///etc/ipsec.d/crls/crl.pem'
>>000        updates:  this Jul 13 09:40:07 2004
>>000                  next Aug 12 09:40:07 2004 ok
>>
>>At 08:49 PM 7/13/2004 +0200, you wrote:
>>
>>>Hi Robert,
>>>
>>>could you send me the output of the command
>>>
>>>   ipsec auto --listall
>>>
>>>which would give me an overview of the certificate and key situation
>>>on the Linux gateway?
>>>
>>>Regards
>>>
>>>Andreas
>>>
>>>Robert W. Burgholzer wrote:
>>>
>>>>Andreas,
>>>>Thanks for the info regarding the warnings about my crl being out of 
>>>>date. I updated that, and those errors disappeared. However, my client 
>>>>still will not connect, with the problem appearing to be: "Microsoft 
>>>>IPsec VPN\L2TP/IPsec - Certificate verification failed: Invalid 
>>>>certificate signature". Of course, I signed this certificate just as I 
>>>>signed my others. And, the MS client is selecting the appropriate 
>>>>certificate. I guess I am wondering, is the MSL2TP saying that IT has 
>>>>the wrong cert, or the gateway? I am at a loss. Any help would be great.
>>>>
>>>>The contents of the isakmp.log on the windows machine is as follows:
>>>>7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE 
>>>>Phase 1 (IP
>>>>ADDR=12.5.17.226)
>>>>  7-13: 09:42:30.620 Microsoft IPsec VPN\L2TP/IPsec - Generic entry 
>>>> match with
>>>>remote address w.x.y.z.
>>>>  7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>>> ISAKMP OAK MM
>>>>(SA, VID, VID, VID)
>>>>  7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< 
>>>> ISAKMP OAK MM
>>>>(SA)
>>>>  7-13: 09:42:30.680 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>>> ISAKMP OAK MM
>>>>(KE, NON, VID, VID, VID, VID)
>>>>  7-13: 09:42:30.790 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< 
>>>> ISAKMP OAK MM
>>>>(KE, NON, CERT_REQ)
>>>>  7-13: 09:42:31.610 Microsoft IPsec VPN\L2TP/IPsec - Using 
>>>> auto-selected user
>>>>certificate "myhost.mycompany.com's My Company Network ID".
>>>>  7-13: 09:42:31.780 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>>> ISAKMP OAK MM
>>>>*(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
>>>>  7-13: 09:42:32.050 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< 
>>>> ISAKMP OAK MM
>>>>*(ID, CERT, SIG)
>>>>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Certificate 
>>>> verification
>>>>failed: Invalid certificate signature
>>>>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> 
>>>> ISAKMP OAK
>>>>INFO *(HASH, NOTIFY:INVALID_CERT)
>>>>  7-13: 09:42:32.160 Microsoft IPsec VPN\L2TP/IPsec - Discarding IKE SA
>>>>negotiation
>>>>  7-13: 09:42:32.160    MY COOKIE ba 99 d4 ff e2 87 47 72
>>>>  7-13: 09:42:32.160    HIS COOKIE d8 58 b4 9 6a f4 2b 14
>>>
>>>
>>>=======================================================================
>>>Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
>>>strongSec GmbH                    home:   http://www.strongsec.com
>>>Alter Zürichweg 20                phone:  +41 1 730 80 64
>>>CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
>>>==========================================[strong internet security]===
>>>_______________________________________________
>>>Users mailing list
>>>Users at lists.openswan.org
>>>http://lists.openswan.org/mailman/listinfo/users
>>
>>Robert Burgholzer
>>Environmental Engineer
>>MapTech Inc.
>>http://www.maptech-inc.com/
>
>

Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/ 
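As an added example (not from the thread, and not Openswan code), a small Python lint over the `ipsec auto --listall` listing posted above that flags the condition Andreas describes: an end certificate whose subject equals its issuer and whose DN matches the CA's while its public key does not. The sample text is constructed from the values in the listing, with the mail-wrapped lines re-joined and the addresses written with '@'.

```python
"""Lint `ipsec auto --listall` output for the pitfall in this thread: an end cert that reuses the CA's DN with a different key."""
import re
# Constructed excerpt in the listing format (values from the thread; wrapped lines re-joined, addresses written with '@').
LISTALL = """\
000 List of X.509 End Certificates:
000 Jul 13 14:27:21 2004, count: 7
000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer@maptech-inc.com'
000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer@maptech-inc.com'
000        pubkey:   2048 RSA Key AwEAAdR5c, has private key
000        subjkey:  ed:f9:71:ac:db:77:1b:a2:0c:f1:bb:95:f2:b9:79:fc:6c:9a:d4:53
000        authkey:  c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
000 List of X.509 CA Certificates:
000 Jul 13 14:27:20 2004, count: 1
000        subject: 'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer@maptech-inc.com'
000        issuer:  'C=US, ST=Virginia, L=Blacksburg, O=MapTech Incorporated, OU=Network, CN=www2.maptech-inc.com, E=rburgholzer@maptech-inc.com'
000        pubkey:   2048 RSA Key AwEAAZyX3
000        subjkey:  c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
000        authkey:  c9:20:bb:43:c3:00:52:13:86:4f:ec:95:95:03:5f:88:e8:a4:44:de
"""
FIELD = re.compile(r"^000\s+(\w+):\s*'?(.*?)'?\s*$")  # "000        name: value" lines

def parse_listall(text):
    """Group the listing into {section: [entry, ...]}, one dict of fields per certificate."""
    sections, current, entry = {}, None, None
    for line in text.splitlines():
        if line.startswith("000 List of "):
            current, entry = line[len("000 List of "):].rstrip(":"), None
            sections[current] = []
        elif current and "count:" in line:  # the date line opens a new certificate entry
            entry = {}
            sections[current].append(entry)
        elif entry is not None and (m := FIELD.match(line)):
            entry[m.group(1)] = m.group(2)
    return sections

def check_end_cert(end, cas):
    """Findings for one end certificate against the CA certificates Pluto has loaded."""
    key = lambda e: e.get("pubkey", "").split(",")[0]  # drop the ', has private key' note
    findings = []
    if end["subject"] == end["issuer"]:
        findings.append("subject equals issuer: the certificate presents itself as self-signed")
    ca = next((c for c in cas if c["subject"] == end["issuer"]), None)
    if ca is None:
        findings.append("no CA certificate matches the issuer DN")
    elif end.get("authkey") != ca.get("subjkey"):
        findings.append("authkey does not match the issuing CA's subjkey")
    elif end["subject"] == ca["subject"] and key(end) != key(ca):
        findings.append("CA DN reused with a different key: a peer chaining by name may verify against the wrong key")
    return findings
```

Run on the posted listing it reports both findings for the www2 end certificate; a gateway certificate with its own DN (and the same authkey) reports none.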


