
[Users] XP: "IKE failed to find valid machine certificate"

From: Charles Duffy <charlesduffy(at)isgenesis.com>
Date: Thu Mar 06 2003 - 11:28:42 EST


Running Linux FreeS/WAN super-freeswan-1.99_kb3rc7 on server, porthos (192.168.254.1). Client, opal (192.168.254.55) runs Windows XP Tablet.

The client's certificate is within the bounds of the CA's life. Said certificate was installed on tablet per instructions at http://www.natecarlson.com/linux/ipsec-x509.php#clientwin -- machine certificate (w/ private key) is in Personal certificates folder, while the CA is under Trusted Root Certification Authorities.

I'm quite stumped; any assistance would be greatly appreciated. Attached are logs and configuration files from both involved boxen. I take the "IKE failed to find valid machine certificate" in the Oakley log from opal to be the most relevant portion, but being that the certificate is (best I can tell) correctly installed and has its lifetime within the bounds of the CA's valid dates, I'm uncertain as to what could be the cause.

Thanks!

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration

config setup

	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces="ipsec0=eth0"
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)

conn %default

	keyingtries=0
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

#conn sandstone-allnet
# leftsubnet=0.0.0.0/0
# also=sandstone
#conn sandstone
# right=%any
# rightcert=sandstone.wireless.isgenesis.com.pem
# left=192.168.254.1
# leftcert=porthos.isgenesis.com.pem
# auto=add
# pfs=yes

#conn moonstone-allnet
# leftsubnet=0.0.0.0/0
# also=moonstone
#conn moonstone
# right=%any
# rightcert=moonstone.wireless.isgenesis.com.pem
# left=192.168.254.1
# leftcert=porthos.isgenesis.com.pem
# auto=add
# pfs=yes
conn opal-allnet
	leftsubnet=0.0.0.0/0
	also=opal

conn opal
	right=%any
	rightcert=opal.wireless.isgenesis.com.pem
	#rightca="E=admin@isgenesis.com,CN=Certificate Authority for ReCare,O=ReCare Inc,L=Austin,S=Texas,C=US"
	left=192.168.254.1
	leftcert=porthos.isgenesis.com.pem
	auto=add
	pfs=yes

#conn granite-allnet
# leftsubnet=0.0.0.0/0
# also=granite
#conn granite
# right=%any
# rightcert=granite.wireless.isgenesis.com.pem
# left=192.168.254.1
# leftcert=porthos.isgenesis.com.pem
# auto=add
# pfs=yes

# ipsec.conf from the client side (opal)

conn opal
	left=%any
	right=192.168.254.1
	rightca="C=US,S=Texas,L=Austin,O=ReCare Inc,CN=Certificate Authority for ReCare,Email=admin@isgenesis.com"
	network=auto
	auto=start
	pfs=yes

conn opal-allnet
	left=%any
	right=192.168.254.1
	rightsubnet=*
	rightca="C=US,S=Texas,L=Austin,O=Recare Inc,CN=Certificate Authority for ReCare,Email=admin@isgenesis.com"
	network=auto
	auto=start
	pfs=yes

Mar 4 14:05:28 porthos ipsec__plutorun: Starting Pluto subsystem...
Mar 4 14:05:28 porthos pluto[3989]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99_kb3rc7)
Mar 4 14:05:28 porthos pluto[3989]: including X.509 patch (Version 0.9.18)
Mar 4 14:05:28 porthos pluto[3989]: including Traffic Selectors patch (Version 1.1)
Mar 4 14:05:28 porthos pluto[3989]: including NAT-Traversal patch (Version 0.5) [disabled]
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_enc: Activating OAKLEY_CAST_CBC: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_enc: Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Mar 4 14:05:28 porthos pluto[3989]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 4 14:05:28 porthos pluto[3989]: loaded cacert file 'cacert.pem' (1294 bytes)
Mar 4 14:05:28 porthos pluto[3989]: Changing to directory '/etc/ipsec.d/crls'
Mar 4 14:05:28 porthos pluto[3989]: loaded crl file 'crl.pem' (520 bytes)
Mar 4 14:05:28 porthos pluto[3989]: could not open my default X.509 cert file '/etc/x509cert.der'
Mar 4 14:05:28 porthos pluto[3989]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Mar 4 14:05:29 porthos pluto[3989]: | from whack: got --esp=3des
Mar 4 14:05:29 porthos pluto[3989]: | from whack: got --ike=3des
Mar 4 14:05:29 porthos pluto[3989]: loaded host cert file '/etc/ipsec.d/porthos.isgenesis.com.pem' (3652 bytes)
Mar 4 14:05:29 porthos pluto[3989]: loaded host cert file '/etc/ipsec.d/opal.wireless.isgenesis.com.pem' (3666 bytes)
Mar 4 14:05:29 porthos pluto[3989]: added connection description "opal"
Mar 4 14:05:29 porthos pluto[3989]: | from whack: got --esp=3des
Mar 4 14:05:29 porthos pluto[3989]: | from whack: got --ike=3des
Mar 4 14:05:29 porthos pluto[3989]: loaded host cert file '/etc/ipsec.d/porthos.isgenesis.com.pem' (3652 bytes)
Mar 4 14:05:29 porthos pluto[3989]: loaded host cert file '/etc/ipsec.d/opal.wireless.isgenesis.com.pem' (3666 bytes)
Mar 4 14:05:29 porthos pluto[3989]: added connection description "opal-allnet"
Mar 4 14:05:29 porthos pluto[3989]: listening for IKE messages
Mar 4 14:05:29 porthos pluto[3989]: adding interface ipsec0/eth0 192.168.254.1
Mar 4 14:05:29 porthos pluto[3989]: loading secrets from "/etc/ipsec.secrets"
Mar 4 14:05:29 porthos pluto[3989]: loaded private key file '/etc/ipsec.d/private/porthos.isgenesis.com.key' (963 bytes)
Mar 4 14:08:40 porthos pluto[3989]: packet from 192.168.254.55:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Mar 4 14:08:40 porthos pluto[3989]: "opal"[1] 192.168.254.55 #1: responding to Main Mode from unknown peer 192.168.254.55
Mar 4 14:08:40 porthos pluto[3989]: "opal"[1] 192.168.254.55 #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Mar 4 14:09:50 porthos pluto[3989]: "opal"[1] 192.168.254.55 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 4 14:09:50 porthos pluto[3989]: "opal"[1] 192.168.254.55: deleting connection "opal" instance with peer 192.168.254.55
Mar 4 14:10:21 porthos pluto[3989]: packet from 192.168.254.55:500: Informational Exchange is for an unknown (expired?) SA
Mar 4 14:29:35 porthos pluto[3989]: packet from 192.168.254.55:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Mar 4 14:29:35 porthos pluto[3989]: "opal"[2] 192.168.254.55 #2: responding to Main Mode from unknown peer 192.168.254.55
Mar 4 14:29:36 porthos pluto[3989]: "opal"[2] 192.168.254.55 #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Mar 4 14:30:45 porthos pluto[3989]: "opal"[2] 192.168.254.55 #2: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 4 14:30:45 porthos pluto[3989]: "opal"[2] 192.168.254.55: deleting connection "opal" instance with peer 192.168.254.55
Mar 4 14:31:21 porthos pluto[3989]: packet from 192.168.254.55:500: Informational Exchange is for an unknown (expired?) SA

 3-04: 12:22:52:93:158 Acquire from driver: op=80E18758 src=192.168.254.55.0 dst=132.241.66.6.0 proto = 0, SrcMask=255.255.255.255, DstMask=0.0.0.0, Tunnel 1, TunnelEndpt=192.168.254.1 Inbound TunnelEndpt=192.168.254.55
 3-04: 12:22:52:93:398 Filter to match: Src 192.168.254.1 Dst 192.168.254.55
 3-04: 12:22:52:93:398 MM PolicyName: 5
 3-04: 12:22:52:93:398 MMPolicy dwFlags 2 SoftSAExpireTime 28800
 3-04: 12:22:52:93:398 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
 3-04: 12:22:52:93:398 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
 3-04: 12:22:52:93:398 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
 3-04: 12:22:52:93:398 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
 3-04: 12:22:52:93:398 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
 3-04: 12:22:52:93:398 MMOffer[2] Encrypt: DES CBC Hash: SHA
 3-04: 12:22:52:93:398 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
 3-04: 12:22:52:93:398 MMOffer[3] Encrypt: DES CBC Hash: MD5
 3-04: 12:22:52:93:398 Auth[0]:RSA Sig C=US, S=Texas, L=Austin, O=Recare Inc, CN=Certificate Authority for ReCare, E=admin@isgenesis.com
 3-04: 12:22:52:93:398 QM PolicyName: Host-opal-allnet filter action dwFlags 1
 3-04: 12:22:52:93:398 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
3-04: 12:22:52:93:398 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
3-04: 12:22:52:93:398 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
3-04: 12:22:52:93:398 Starting Negotiation: src = 192.168.254.55.0000, dst = 192.168.254.1.0500, proto = 00, context = 80E18758, ProxySrc = 192.168.254.55.0000, ProxyDst = 0.0.0.0.0000 SrcMask = 255.255.255.255 DstMask = 0.0.0.0
3-04: 12:22:52:93:398 constructing ISAKMP Header
3-04: 12:22:52:93:398 constructing SA (ISAKMP)
3-04: 12:22:52:93:398 Constructing Vendor
3-04: 12:22:52:93:398
3-04: 12:22:52:93:398 Sending: SA = 0x001049F8 to 192.168.254.1:Type 2
3-04: 12:22:52:93:398 ISAKMP Header: (V1.0), len = 216
3-04: 12:22:52:93:398 I-COOKIE 455e1c97dbe6c192
3-04: 12:22:52:93:398 R-COOKIE 0000000000000000
3-04: 12:22:52:93:398 exchange: Oakley Main Mode
3-04: 12:22:52:93:398 flags: 0
3-04: 12:22:52:93:398 next payload: SA
3-04: 12:22:52:93:398 message ID: 00000000
3-04: 12:22:52:103:398
3-04: 12:22:52:103:398 Receive: (get) SA = 0x001049f8 from 192.168.254.1
3-04: 12:22:52:103:398 ISAKMP Header: (V1.0), len = 84
3-04: 12:22:52:103:398 I-COOKIE 455e1c97dbe6c192
3-04: 12:22:52:103:398 R-COOKIE 7c7a035f1dcf12c5
3-04: 12:22:52:103:398 exchange: Oakley Main Mode
3-04: 12:22:52:103:398 flags: 0
3-04: 12:22:52:103:398 next payload: SA
3-04: 12:22:52:103:398 message ID: 00000000
3-04: 12:22:52:103:398 processing payload SA
3-04: 12:22:52:103:398 Received Phase 1 Transform 1
3-04: 12:22:52:103:398 Encryption Alg Triple DES CBC(5)
3-04: 12:22:52:103:398 Hash Alg SHA(2)
3-04: 12:22:52:103:398 Oakley Group 2
3-04: 12:22:52:103:398 Auth Method RSA Signature with Certificates(3)
3-04: 12:22:52:103:398 Life type in Seconds
3-04: 12:22:52:103:398 Life duration of 28800
3-04: 12:22:52:103:398 Phase 1 SA accepted: transform=1
3-04: 12:22:52:103:398 SA - Oakley proposal accepted
3-04: 12:22:52:103:398 constructing ISAKMP Header
3-04: 12:22:52:163:398 constructing KE
3-04: 12:22:52:163:398 constructing NONCE (ISAKMP)
3-04: 12:22:52:163:398
3-04: 12:22:52:163:398 Sending: SA = 0x001049F8 to 192.168.254.1:Type 2
3-04: 12:22:52:163:398 ISAKMP Header: (V1.0), len = 184
3-04: 12:22:52:163:398 I-COOKIE 455e1c97dbe6c192
3-04: 12:22:52:163:398 R-COOKIE 7c7a035f1dcf12c5
3-04: 12:22:52:163:398 exchange: Oakley Main Mode
3-04: 12:22:52:163:398 flags: 0
3-04: 12:22:52:163:398 next payload: KE
3-04: 12:22:52:163:398 message ID: 00000000
3-04: 12:22:52:193:398
3-04: 12:22:52:193:398 Receive: (get) SA = 0x001049f8 from 192.168.254.1
3-04: 12:22:52:193:398 ISAKMP Header: (V1.0), len = 188
3-04: 12:22:52:193:398 I-COOKIE 455e1c97dbe6c192
3-04: 12:22:52:193:398 R-COOKIE 7c7a035f1dcf12c5
3-04: 12:22:52:193:398 exchange: Oakley Main Mode
3-04: 12:22:52:193:398 flags: 0
3-04: 12:22:52:193:398 next payload: KE
3-04: 12:22:52:193:398 message ID: 00000000
3-04: 12:22:52:193:398 processing payload KE
3-04: 12:22:52:213:398 processing payload NONCE
3-04: 12:22:52:213:398 processing payload CRP
3-04: 12:22:52:213:398 constructing ISAKMP Header
3-04: 12:22:52:213:398 constructing ID
3-04: 12:22:52:213:398 Received no valid CRPs. Using all configured
3-04: 12:22:52:213:398 Looking for IPSec only cert
3-04: 12:22:52:213:398 failed to get chain 80092004
3-04: 12:22:52:213:398 Received no valid CRPs. Using all configured
3-04: 12:22:52:213:398 Looking for any cert
3-04: 12:22:52:213:398 failed to get chain 80092004
3-04: 12:22:52:213:398 ProcessFailure: sa:001049F8 centry:00000000 status:35ee
3-04: 12:22:52:213:398 isadb_set_status sa:001049F8 centry:00000000 status 35ee
3-04: 12:22:52:213:398 Key Exchange Mode (Main Mode)
3-04: 12:22:52:213:398 Source IP Address 192.168.254.55 Source IP Address Mask 255.255.255.255 Destination IP Address 192.168.254.1 Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr IKE Peer Addr
3-04: 12:22:52:213:398 Certificate based Identity. Peer IP Address: 192.168.254.1
3-04: 12:22:52:213:398 Me
3-04: 12:22:52:213:398 IKE failed to find valid machine certificate
3-04: 12:22:52:213:398 0x80092004 0x0
3-04: 12:22:52:213:398 ProcessFailure: sa:001049F8 centry:00000000 status:35ee
3-04: 12:22:52:213:398 constructing ISAKMP Header
3-04: 12:22:52:213:398 constructing HASH (null)
3-04: 12:22:52:213:398 constructing NOTIFY 28
3-04: 12:22:52:213:398 constructing HASH (Notify/Delete)
3-04: 12:22:52:213:398
3-04: 12:22:52:213:398 Sending: SA = 0x001049F8 to 192.168.254.1:Type 1
3-04: 12:22:52:213:398 ISAKMP Header: (V1.0), len = 84
3-04: 12:22:52:213:398 I-COOKIE 455e1c97dbe6c192
3-04: 12:22:52:213:398 R-COOKIE 7c7a035f1dcf12c5
3-04: 12:22:52:213:398 exchange: ISAKMP Informational Exchange
3-04: 12:22:52:213:398 flags: 1 ( encrypted )
3-04: 12:22:52:213:398 next payload: HASH
3-04: 12:22:52:213:398 message ID: 43b8e406
_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
Received on Thu Mar 6 13:51:24 2003
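The two logs above describe the same failed Main Mode exchange from each end (the hosts' clocks disagree, so they line up by sequence, not by timestamp). On the Windows side the client accepts the server's proposal, processes KE, NONCE and CRP, then tries to pick its own certificate and logs "failed to get chain 80092004" on both the "IPSec only cert" and the "any cert" pass, sets status 35ee, and sends an encrypted NOTIFY 28 before ever sending Main Mode message 5. On the Pluto side that shows up as an encrypted Informational for an incomplete ISAKMP SA, followed by retransmissions at STATE_MAIN_R2 until the instance is deleted. The script below, an added triage example that is not part of the original post or of FreeS/WAN, decodes those values (0x80092004 is CRYPT_E_NOT_FOUND and 0x35EE is ERROR_IPSEC_IKE_NO_CERT in winerror.h; notify 28 is CERTIFICATE-UNAVAILABLE in RFC 2408), correlates the two sides, and compares the three rightca strings on the page with the CA subject Windows itself reports in the Auth[0] line, both strictly and case-folded (the two client conn sections spell the O= attribute differently, and Windows and FreeS/WAN print the RDNs in opposite order). The sample log lines are copied from the post; all function names are the example's own.

```python
import re

# Code meanings used below (winerror.h and RFC 2408 ISAKMP notify types).
CRYPT_E_NOT_FOUND = 0x80092004          # "Cannot find object or property"
ERROR_IPSEC_IKE_NO_CERT = 0x35EE        # "IKE failed to find valid machine certificate"
ISAKMP_NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 24: "AUTHENTICATION-FAILED",
                 28: "CERTIFICATE-UNAVAILABLE"}

# Sample input: lines copied from the Oakley log and the Pluto syslog quoted in the post.
OAKLEY_LOG = """\
3-04: 12:22:52:93:398 Auth[0]:RSA Sig C=US, S=Texas, L=Austin, O=Recare Inc, CN=Certificate Authority for ReCare, E=admin@isgenesis.com
3-04: 12:22:52:213:398 Looking for IPSec only cert
3-04: 12:22:52:213:398 failed to get chain 80092004
3-04: 12:22:52:213:398 Looking for any cert
3-04: 12:22:52:213:398 failed to get chain 80092004
3-04: 12:22:52:213:398 ProcessFailure: sa:001049F8 centry:00000000 status:35ee
3-04: 12:22:52:213:398 IKE failed to find valid machine certificate
3-04: 12:22:52:213:398 constructing NOTIFY 28
3-04: 12:22:52:213:398 exchange: ISAKMP Informational Exchange
"""
PLUTO_LOG = """\
Mar 4 14:08:40 porthos pluto[3989]: "opal"[1] 192.168.254.55 #1: responding to Main Mode from unknown peer 192.168.254.55
Mar 4 14:08:40 porthos pluto[3989]: "opal"[1] 192.168.254.55 #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Mar 4 14:09:50 porthos pluto[3989]: "opal"[1] 192.168.254.55 #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# The three rightca strings on the page: two from the client config, one commented out on the server.
RIGHTCA_CLIENT_OPAL = "C=US,S=Texas,L=Austin,O=ReCare Inc,CN=Certificate Authority for ReCare,Email=admin@isgenesis.com"
RIGHTCA_CLIENT_ALLNET = "C=US,S=Texas,L=Austin,O=Recare Inc,CN=Certificate Authority for ReCare,Email=admin@isgenesis.com"
RIGHTCA_SERVER = "E=admin@isgenesis.com,CN=Certificate Authority for ReCare,O=ReCare Inc,L=Austin,S=Texas,C=US"

_ATTR_ALIASES = {"EMAIL": "E", "EMAILADDRESS": "E", "ST": "S"}


def parse_dn(text):
    """Split 'C=US, S=Texas, ...' into [(attr, value), ...], folding attribute-name aliases."""
    rdns = []
    for rdn in re.split(r",\s*", text.strip()):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        rdns.append((_ATTR_ALIASES.get(attr, attr), value.strip()))
    return rdns


def dn_match(a, b, case_sensitive=True):
    """True if both DNs carry the same RDNs in the same or in exactly reversed order
    (Windows prints the CA subject C=US, ..., E=...; FreeS/WAN prints it E=..., ..., C=US)."""
    da, db = parse_dn(a), parse_dn(b)
    if not case_sensitive:
        da = [(k, v.lower()) for k, v in da]
        db = [(k, v.lower()) for k, v in db]
    return da == db or da == list(reversed(db))


def oakley_findings(log):
    """Pull the trusted-CA subject, chain-build errors, IKE status and outgoing notify out of an Oakley log."""
    out = {"ca_dn": None, "chain_errors": [], "status": None, "notify": None}
    for line in log.splitlines():
        msg = line.split(" ", 2)[-1]            # drop the "M-DD: hh:mm:ss:ms:tid" prefix
        if msg.startswith("Auth[0]:RSA Sig "):
            out["ca_dn"] = msg[len("Auth[0]:RSA Sig "):]
        m = re.search(r"failed to get chain ([0-9a-fA-F]+)", msg)
        if m:
            out["chain_errors"].append(int(m.group(1), 16))
        m = re.search(r"ProcessFailure: .*status:([0-9a-fA-F]+)", msg)
        if m:
            out["status"] = int(m.group(1), 16)
        m = re.search(r"constructing NOTIFY (\d+)", msg)
        if m:
            out["notify"] = int(m.group(1))
    return out


def pluto_findings(log):
    """Summarise the responder's view: how far Main Mode got and whether the peer bailed out early."""
    out = {"main_mode_started": False, "peer_aborted_before_auth": False, "last_state": None}
    for line in log.splitlines():
        if "responding to Main Mode" in line:
            out["main_mode_started"] = True
        if "Informational Exchange message is invalid because it is for incomplete ISAKMP SA" in line:
            out["peer_aborted_before_auth"] = True
        m = re.search(r"reached (STATE_\w+)", line)
        if m:
            out["last_state"] = m.group(1)
    return out


def explain(oakley, pluto):
    """Turn the raw codes into the statements a practitioner would put in the ticket."""
    notes = []
    if CRYPT_E_NOT_FOUND in oakley["chain_errors"]:
        notes.append("client found no machine certificate that chains to its trusted CA (CRYPT_E_NOT_FOUND)")
    if oakley["status"] == ERROR_IPSEC_IKE_NO_CERT:
        notes.append("IKE status 0x35EE = ERROR_IPSEC_IKE_NO_CERT")
    if oakley["notify"] in ISAKMP_NOTIFY:
        notes.append("client sent ISAKMP notify %d (%s) and aborted" % (oakley["notify"], ISAKMP_NOTIFY[oakley["notify"]]))
    if pluto["peer_aborted_before_auth"] and pluto["last_state"] == "STATE_MAIN_R2":
        notes.append("responder sat in STATE_MAIN_R2: message 5 (ID/CERT/SIG) never arrived, so the server never saw the client cert")
    return notes


def rightca_consistency(oakley_ca_dn, *rightca):
    """Compare each configured rightca with the CA subject the client holds: (strict, case-folded)."""
    return {rc: (dn_match(oakley_ca_dn, rc), dn_match(oakley_ca_dn, rc, case_sensitive=False)) for rc in rightca}


if __name__ == "__main__":
    o, p = oakley_findings(OAKLEY_LOG), pluto_findings(PLUTO_LOG)
    for note in explain(o, p):
        print("-", note)
    for rc, (strict, folded) in rightca_consistency(o["ca_dn"], RIGHTCA_CLIENT_OPAL, RIGHTCA_CLIENT_ALLNET, RIGHTCA_SERVER).items():
        print("rightca %s: strict=%s case-folded=%s" % (rc, strict, folded))
```

The script only decodes what the logs already say; it does not decide the cause. Two things follow from the decoded values that are worth checking in this situation: the chain failure is raised on the client before any certificate is sent, so the server-side rightca and cert files are not yet in play, and since Windows IKE selects its certificate from the Local Computer stores, the check is that the machine certificate with its private key sits in the Computer account's Personal store and the CA in the Computer account's Trusted Root store (as seen through the Certificates snap-in for the Computer account, not the current user), and that a chain to that CA can be built there.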

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:00:42 EDT

