[Openswan Users] WG: Problems connecting to IPSec server

Jacco de Leeuw jacco2 at dds.nl
Sat Sep 22 07:39:50 EDT 2007

Martin Krellmann wrote:

> - I think all certs are from the same CA... I set the ipsec up after a 
> reinstallation of the system, so I had to configure a new CA and regenerated
> all certificates. I've even generated a new client certificate.

Make sure they are all issued by the same CA.

When you create a new CA, it is still a different CA even if the name stays
the same as the first CA. After all, a new private key is generated.

> The Oakley.log tells me that there is somewhere a private key missing, but
> I can't get where.

Check with MMC:

Verify in the properties of the imported cert that it says: "This certificate
has a private key associated with it". If not, import it again or use
certimport (ftp://ftp.openswan.org/openswan/windows/certimport/).

> Do both sides need all keys?

No, they only need their own private key, not the other side's.
They do need the root cert but not its private key.

> Oakley.log is attached (the other one is in an extremely weird format ;) )
> 9-22: 17:31:17:375:940 Zertifikatbasierte Identität.   Peerantragsteller
> Peer-SHA-Fingerabdruck 00000000000000000000000 00000000000000000  Peer, der
> die Zertifizierungsstelle ausstellt:   Stammzertifizierungsstelle   Eigener
> Antragsteller C=DE, S=Thueringen, L=Trusetal, O=Krellmann,
> CN=vpngate.trusetal.krellmann.net, E=martin at krellmann.net  Eigener
> SHA-Fingerabdruck 6 e5f83f0c04da39f76b5dde8f0700f774c24ca65
> Peer-IP-Adresse:

Does the cert of the Windows client have the same CN as the cert of the
server? If so, change it.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
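The three checks from the reply (issued by this CA, private key present and matching, client CN different from the server CN), run with the openssl CLI as an added example that is not part of the original thread. All file names and subjects are constructed for the demo; the two CAs are built with the same name on purpose to show that a re-created CA is still a different CA.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the three checks with openssl.
set -e

# Throwaway lab: two CAs with an IDENTICAL subject but different private keys,
# plus a client and a server certificate, both issued by CA 1 (constructed data).
make_lab() {
  d=$(mktemp -d)
  for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
      -keyout "$d/ca$n.key" -out "$d/ca$n.crt" 2>/dev/null
  done
  for ee in client server; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$ee.example.test" \
      -keyout "$d/$ee.key" -out "$d/$ee.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/$ee.csr" -CA "$d/ca1.crt" -CAkey "$d/ca1.key" \
      -CAcreateserial -out "$d/$ee.crt" 2>/dev/null
  done
  echo "$d"
}

# 1. Was the certificate issued by *this* CA file? A CA regenerated under the
#    same name has a new key, so verification against it fails.
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 2. Does the private key belong to the certificate? Compare the public key
#    embedded in the cert with the public half of the key file.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# 3. Client and server certificates must not share a subject CN.
cn_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }
distinct_cn() { [ "$(cn_of "$1")" != "$(cn_of "$2")" ]; }
```

Run the checks against your real files (CA cert, client cert, client key, server cert) in place of the lab paths; a failing `issued_by` against the CA you think issued the cert is exactly the "different CA with the same name" situation.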
