[vpn-help] [Vpn-help] Shrewsoft VPN 2.1.5rc4 and Sidewinder using Self Signed

Sam Liedl spliedl at gmail.com
Wed Dec 30 16:00:54 CST 2009


Phil,

Use version 2.1.4 of ShrewSoft - this VPN will work then.

I believe S.S. changed the way it authenticates certs in version 2.1.5:
From: http://www.shrew.net/download/changelog/ike/2.1.5-release
----------------------
r631 | mgrooms | 2009-07-13 04:25:51 +0000 (Mon, 13 Jul 2009) | 7 lines

Correct a regression in iked that caused negotiations with Checkpoint
VPN-1 gateways to fail.

Rework a few functions that are used to support RSA based certificate
authentication. When a gateway sends more than one certificate during
phase1, we need to determine which certificate is the leaf certificate
being used to generate the signature for authentication. It would be
good if we could just match the remote ID to the subject name in the
certificate, but many gateways support non ASN1 DN based identities with
certificate authentication. Instead, we attempt to build a certificate
chain by examining the certificate list sent. We search for a
certificate that was not used to sign any other received certificate and
use its public key to perform authentication. This method was tested
with several Cisco, Checkpoint and ipsec-tools gateways. Many thanks to
Daniel Sabanes Bove who identified and reported this and other issues.

Correct a potential buffer overflow issue related to extracting a human
readable RSA key subject used in debug level output.

Increase the maximum packet length from 4k to 8k. This is necessary to
support large certificate chains.
--------------------------

I can get a VPN with certs working to a Sidewinder 7 with SS 2.1.4, but with
the same certs and config at SS 2.1.5 the tunnels fail with the same error
you posted in your message.  I can't get the tunnel to work at 2.1.5 with
certs at all.

-Sam
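The leaf-selection rule quoted from the 2.1.5 changelog (pick the certificate that signed no other certificate in the list, then verify the peer with its key) is what changed between the versions Sam compares. The following is an added illustration written against the Go standard library, not Shrew Soft's iked code; the certificate chain it builds is constructed demo data, and the function and variable names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a throwaway test certificate for cn, self-signed when parent is nil (demo data only).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// FindLeaf applies the rule quoted from the 2.1.5 changelog: the leaf is the certificate whose key
// signed no other certificate in the list, so its public key is the one to verify the peer with.
// CheckSignatureFrom succeeds only if the candidate is a CA whose key actually signed the other cert.
func FindLeaf(certs []*x509.Certificate) (*x509.Certificate, error) {
	var leaves []*x509.Certificate
	for i, cand := range certs {
		signedAnother := false
		for j, other := range certs {
			if i != j && other.CheckSignatureFrom(cand) == nil {
				signedAnother = true
			}
		}
		if !signedAnother {
			leaves = append(leaves, cand)
		}
	}
	if len(leaves) != 1 { // zero: a cycle or garbage; several: an unrelated certificate was sent
		return nil, fmt.Errorf("expected exactly one leaf certificate, found %d", len(leaves))
	}
	return leaves[0], nil
}
```

A gateway that sends an extra, unrelated end-entity certificate produces two candidates, which is why the ambiguous case is rejected rather than guessed at.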