[Openswan Users] OpenS/WAN and Win2K/XP

Paul Wouters paul at xelerance.com
Wed Jan 26 13:21:53 CET 2005

On Tue, 25 Jan 2005, David Spear wrote:

> The fact that you reply to these mundane problems greatly impresses me
> and, in fact, motivates me to be more active in the newsgroups in which
> I am expert (NOT ipsec, that's for sure although I may be before I'm
> done).  If I lived close enough I would definitely drop off some beer
> for you.  I am, as you may have guessed, still having trouble.

That's what free software is all about :)

> 1-25: 13:40:50:64 IKE failed to find valid machine certificate

Can you try and use certimport.exe to import your .p12 certificate
on windows and see what it then says?

You can find certimport.exe at:


> # CA -newreq (DN as above in logs, etc.)
> # CA -sign
> # cp newreq.pem /etc/ipsec.d/private/downstairs.key
> # cp newcert.pem /etc/ipsec.d/certs
> # openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile
> demoCA/cacert.pem -out downstairs.p12

Did you copy the CA into /etc/ipsec.d/cacerts/ ?
Do the startup logs show that downstairs.key is properly loaded? Does
ipsec auto --listall show 'has private key' for your gateway host


"At best it is a theory, at worst a fantasy" -- Michael Crichton

More information about the Users mailing list