[Openswan Users] WG: Problems connecting to IPSec server
martin at krellmann.net
Sun Sep 23 05:57:10 EDT 2007
The certs are signed by the same CA.
> > The Oakley.log tells me that there is somewhere a private key missing,
> > I can't get where.
> Check with MMC:
It's the point that confuses me... I already checked that it is really there
and the key is associated with the cert (I've created a pfx for the
certificate installation on the client).
No, the CN is different. The one of the server is
vpngate.potsdam.krellmann.net and the one of the client
(The one in the log snippet is from the client)
It is interesting that the Peer SHA fingerprint is 00000000... because of
course it is not zero.
Eh, the error the window tells me at the connection attempt is: 786 ... failed
... Because no valid certificate was found on the computer.
From: Jacco de Leeuw [mailto:jacco2 at dds.nl]
Sent: Saturday, 22 September 2007 13:40
To: users at openswan.org
Subject: Re: [Openswan Users] WG: Problems connecting to IPSec server
Martin Krellmann wrote:
> - I think all certs are from the same CA... I set the ipsec up after a
> reinstallation of the system, so I had to configure a new CA and
> all certificates. I've even generated a new client certificate.
Make sure they are all issued by the same CA.
When you create a new CA, it is still a different CA even if the name stays
the same as the first CA. After all, a new private key is generated.
> The Oakley.log tells me that there is somewhere a private key missing, but
> I can't get where.
Check with MMC:
Verify in the properties of the imported cert that it says: "This
has a private key associated with it". If not, import it again or use
> Do both sides need all keys?
No, they only need their own private key, not the other side's.
They do need the root cert but not its private key.
> Oakley.log is attached (the other one is in an extremely weird format ;) )
> 9-22: 17:31:17:375:940 Zertifikatbasierte Identität.
> Peer-SHA-Fingerabdruck 00000000000000000000000 00000000000000000 Peer,
> die Zertifizierungsstelle ausstellt: Stammzertifizierungsstelle
> Antragsteller C=DE, S=Thueringen, L=Trusetal, O=Krellmann,
> CN=vpngate.trusetal.krellmann.net, E=martin at krellmann.net Eigener
> SHA-Fingerabdruck 6 e5f83f0c04da39f76b5dde8f0700f774c24ca65
> Peer-IP-Adresse: 192.168.10.253
Does the cert of the Windows client have the same CN as the cert of the
server? If so, change it.
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
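
The point made in the thread, that a re-created CA is a different CA even when its name is unchanged, shown as an added example (not part of the original messages). It assumes the `openssl` command-line tool is installed; every name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added demo: two CAs with an identical subject name but different keys.
# All names below are constructed for this example.
CA_SUBJ="/C=DE/O=Example/CN=Example Root CA"

make_ca() {      # $1 = output prefix -> $1.key, $1.crt (self-signed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = leaf prefix, $3 = leaf CN
    openssl req -newkey rsa:2048 -nodes -subj "/C=DE/O=Example/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

subject_of()     { openssl x509 -noout -subject -in "$1"; }
fingerprint_of() { openssl x509 -noout -fingerprint -sha1 -in "$1"; }

verifies() {     # $1 = CA cert, $2 = leaf cert; status 0 only if the chain validates
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/old_ca"                       # CA before the reinstall
    make_ca "$d/new_ca"                       # re-created CA, same name
    issue_cert "$d/old_ca" "$d/client" "client.example.test"
    echo "old CA: $(subject_of "$d/old_ca.crt")"
    echo "new CA: $(subject_of "$d/new_ca.crt")"
    echo "old CA: $(fingerprint_of "$d/old_ca.crt")"
    echo "new CA: $(fingerprint_of "$d/new_ca.crt")"
    verifies "$d/old_ca.crt" "$d/client.crt" && echo "client cert verifies against old CA"
    verifies "$d/new_ca.crt" "$d/client.crt" || echo "client cert does NOT verify against new CA"
    rm -rf "$d"
}

demo
```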