[Openswan Users] WinXP SP2 Installation breaks x.509 ipsec functionality

Uwe Knop Uwe.Knop at lds.brandenburg.de
Fri Oct 15 09:44:29 CEST 2004

Hello Dieter,

I had this problem for weeks.
Microsoft has changed the certificate search in the certificate tree.

My solution: we must change the DNS name "rightca=..." in ipsec.conf.
Our certificate is in two stages.
MS changed from "between certificates" to "root certificates" in the DNS.

Hope I can help you.


>>> Dieter Kastrau <kastrau at forsec.de> 14.10.04 16:15:22 >>>
Dear all,

I searched this list and other related ones,
but found no solution:

with winxp sp1 and Marcus Mueller's ipsec tool,
I had a perfectly working VPN/ipsec roadwarrior connection to

after installing winxp sp2 (and changing nothing else),
my simple winxp roadwarrior<-> openswan configuration (no NAT-T)
stops working. (A friend of mine could reproduce this sp2 problem.)

with sp2, I just get to this point:
Oct 14 15:00:43 pois2 pluto[12889]: "test"[1] #1: sent MR3, ISAKMP SA established

and udp port 500 packets are flowing. last packet comes from the
openswan side,
then no more replies from winxp sp2...
Nothing else happens, no esp packets and no IPSEC SA established.

Like some people suggested,
I disabled winxp sp2 firewall => still the same problem.

Has anyone heard of similar problems?

I am really clueless at the moment :-[

Thanks a lot
