[Openswan Users] Host Certifcate

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Thu May 11 16:46:27 CEST 2006

Paul and Brian,

thanks very much for replying.

The CA had expired and even when I extended the authority the old 
certificates refused to work.  Newly issued certificates work fine, so I 
now need to reissue for all the client machines.

Thanks again,


Paul Wouters wrote:
> On Thu, 11 May 2006, Oliver Tomkins wrote:
>> I should probably make this clearer.
>> I don't think the certificate had actually expired.  I noticed the date on the
>> hosts certificate was exactly 1 year old yesterday and made 2 + 2 = 5.
>> No configuration changes were made to the ipsec machine yesterday but as of a
>> certain point yesterday I start to see this in /var/log/secure for our non-NAT
>> clients:
>> max number of retransmissions (2) reached STATE_MAIN_I3.  Possible
>> authentication failure: no acceptable response to our first encrypted message
>> Eventually the tunnels went down and they were unable to reconnect.
>> Clients trying to reconnect afterwards failed with the messages below.
> Seems like something expired. Check the certificate on the windows machine via
> the MMC, and run ipsec auto --listall to see if your CA cert and gateway cert
> indeed did not expire.
> Paul

The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient, please notify the sender immediately by reply e-mail and delete this message. Allied Vehicles cannot accept any responsibility for the accuracy or completeness of this message as it has been transmitted over a public network.
For details of our products and services please visit our website at www.alliedvehicles.co.uk

More information about the Users mailing list