[Openswan Users] Host Certifcate

Paul Wouters paul at xelerance.com
Thu May 11 17:36:31 CEST 2006

On Thu, 11 May 2006, Oliver Tomkins wrote:

> I should probably make this clearer.
> I don't think the certificate had actually expired.  I noticed the date on the
> hosts certificate was exactly 1 year old yesterday and made 2 + 2 = 5.
> No configuration changes were made to the ipsec machine yesterday but as of a
> certain point yesterday I start to see this in /var/log/secure for our non-NAT
> clients:
> max number of retransmissions (2) reached STATE_MAIN_I3.  Possible
> authentication failure: no acceptable response to our first encrypted message
> Eventually the tunnels went down and they were unable to reconnect.
> Clients trying to reconnect afterwards failed with the messages below.

Seems like something expired. Check the certificate on the windows machine via
the MMC, and run ipsec auto --listall to see if your CA cert and gateway cert
indeed did not expire.


More information about the Users mailing list