[Openswan Users] WG: Problems connecting to IPSec server

Martin Krellmann martin at krellmann.net
Sun Sep 23 05:57:10 EDT 2007


Hi.

The certs are signed by the same CA.

> > The Oakley.log tells me that there is somewhere a private key missing, but
> > I can't get where.
>
> Check with MMC:

It’s the point that confuses me... I already checked that it is really there
and the key is associated with the cert (I've created a pfx for the
certificate installation on the client)

No the CN is different. The one of the server is
vpngate.potsdam.krellmann.net and the one of the client
vpngate.trusetal.krellmann.net
(The one in the log snippet is from the client)

It is interesting that the Peer SHA fingerprint is 00000000... because of
course it is not zero.

Eh, the error window tells me at the connection attempt: 786 ... failed
... because no valid certificate was found on the computer.

Martin.


-----Original Message-----
From: Jacco de Leeuw [mailto:jacco2 at dds.nl]
Sent: Saturday, 22 September 2007 13:40
To: users at openswan.org
Subject: Re: [Openswan Users] WG: Problems connecting to IPSec server

Martin Krellmann wrote:

> - I think all certs are from the same CA... I set the ipsec up after a
> reinstallation of the system, so I had to configure a new CA and regenerated
> all certificates. I've even generated a new client certificate.

Make sure they are all issued by the same CA.

When you create a new CA, it is still a different CA even if the name stays
the same as the first CA. After all, a new private key is generated.

> The Oakley.log tells me that there is somewhere a private key missing, but
> I can't get where.

Check with MMC:
http://www.jacco2.dds.nl/networking/win2000xp-openswan.html#ImportingCertificates

Verify in the properties of the imported cert that it says: "This certificate
has a private key associated with it". If not, import it again or use
certimport (ftp://ftp.openswan.org/openswan/windows/certimport/).

> Does both sides need all keys?

No, they only need their own private key, not the other side's.
They do need the root cert but not its private key.

> Oakley.log is attached (the other one is in an extremely weird format ;) )
> 
> 9-22: 17:31:17:375:940 Zertifikatbasierte Identität.  Peerantragsteller
> Peer-SHA-Fingerabdruck 00000000000000000000000 00000000000000000  Peer, der
> die Zertifizierungsstelle ausstellt:   Stammzertifizierungsstelle  Eigener
> Antragsteller C=DE, S=Thueringen, L=Trusetal, O=Krellmann,
> CN=vpngate.trusetal.krellmann.net, E=martin at krellmann.net  Eigener
> SHA-Fingerabdruck 6 e5f83f0c04da39f76b5dde8f0700f774c24ca65
> Peer-IP-Adresse: 192.168.10.253

Does the cert of the Windows client have the same CN as the cert of the
server? If so, change it.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
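The three things Jacco asks Martin to verify (the private key really belongs to the client cert, both certs were issued by the same CA rather than a regenerated one with the same name, and the two ends have different CNs) can be checked on any box with the openssl CLI before touching the Windows side. The script below is an added example, not code from the thread or from Openswan; the CA, the two hostnames and the temporary files are constructed for the demo, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: reproduces Jacco's three
# checks with the openssl CLI. All names and files below are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA in $1 with common name $2. Calling this twice with the
# same CN gives two *different* CAs: the private key, and so every signature, differs.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=DE/O=Krellmann/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Issue an end-entity cert for CN $3 from the CA in $1; writes $2.key and $2.crt.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=DE/O=Krellmann/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -sha256 -out "$2.crt" >/dev/null 2>&1
}

# Check 1 (what MMC's "has a private key associated with it" means): the public key
# embedded in the certificate must equal the public half of the private key file.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the certificate chains to *this* CA certificate. A CA regenerated under
# the same name fails here, which is exactly the trap Jacco describes.
issued_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the two ends carry different subject CNs.
cn_of() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s|[,/].*||'
}
distinct_cn() {
  [ "$(cn_of "$1")" != "$(cn_of "$2")" ]
}

# SHA-1 fingerprint in the form Oakley.log prints; an all-zero peer fingerprint in
# that log means Windows found no usable certificate for the peer at all.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Demo material: one CA, a server and a client cert from it, then a "new" CA with
# the same name, standing in for the CA that was recreated after the reinstall.
make_ca "$WORK/ca1" "Stammzertifizierungsstelle"
issue_cert "$WORK/ca1" "$WORK/server" vpngate.potsdam.krellmann.net
issue_cert "$WORK/ca1" "$WORK/client" vpngate.trusetal.krellmann.net
make_ca "$WORK/ca2" "Stammzertifizierungsstelle"

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
report key_matches_cert "$WORK/client.crt" "$WORK/client.key"
report key_matches_cert "$WORK/client.crt" "$WORK/server.key"   # expected FAIL: wrong key
report issued_by "$WORK/ca1/ca.crt" "$WORK/client.crt"
report issued_by "$WORK/ca2/ca.crt" "$WORK/client.crt"          # expected FAIL: same-named new CA
report distinct_cn "$WORK/server.crt" "$WORK/client.crt"
echo "client SHA-1 fingerprint: $(fingerprint "$WORK/client.crt")"
```

To apply this to real material, point `key_matches_cert` at the cert and key you packed into the pfx, and `issued_by` at the CA cert the Openswan side actually has in its configuration; if the second check fails for the client cert but passes for the server cert, the two were signed by different CA keys even though the CA names match.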


