[Vpn-help] Shrewsoft VPN 2.1.5rc4 and Sidewinder using Self Signed certificates
Phil Mullins
philm at accruit.com
Thu Nov 19 10:55:15 CST 2009
I create self-signed certs on my Sidewinder 6.1.2.05 and follow the steps
used on the wiki (except xauth - I only want to use Mutual RSA by importing
the certs from my Sidewinder).
I've tried this with Vista 32 and Windows 7 64.
I use ASN.1 Distinguished Name and check (Use the subject in the client
certificate) for both my local and remote identities. Then under
Credentials, I use my firewall.pem for my Server CA file, I use my
remote.pem for my Client certificate file and I use my remote.p12 for my
Client Private Key file.
I go to connect and I always receive "unable to verify remote peer
certificate".
Is there something with the Sidewinder self-signed certs that is not
compatible? My Sidewinder does not have an imported CA file or any CA certs
on it. Is this a requirement for the Shrewsoft client? Here is my log from
the client. If I switch to MUTUAL PSK everything works A-OK. It just
doesn't work with MUTUAL RSA.
09/11/19 09:51:42 ## : IKE Daemon, ver 2.1.0
09/11/19 09:51:42 ## : Copyright 2008 Shrew Soft Inc.
09/11/19 09:51:42 ## : This product linked OpenSSL 0.9.8h 28 May 2008
09/11/19 09:51:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
09/11/19 09:51:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
09/11/19 09:51:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
09/11/19 09:51:42 ii : rebuilding vnet device list ...
09/11/19 09:51:42 ii : device ROOT\VNET\0000 disabled
09/11/19 09:51:42 ii : network process thread begin ...
09/11/19 09:51:42 ii : pfkey process thread begin ...
09/11/19 09:51:42 ii : ipc server process thread begin ...
09/11/19 09:51:46 ii : ipc client process thread begin ...
09/11/19 09:51:46 <A : peer config add message
09/11/19 09:51:46 DB : peer added ( obj count = 1 )
09/11/19 09:51:46 ii : local address 10.10.0.70 selected for peer
09/11/19 09:51:46 DB : tunnel added ( obj count = 1 )
09/11/19 09:51:46 <A : proposal config message
09/11/19 09:51:46 <A : proposal config message
09/11/19 09:51:46 <A : client config message
09/11/19 09:51:46 <A : remote cert 'C:\Users\philmadmin\Desktop\certs\Firewall.pem' message
09/11/19 09:51:46 ii : 'C:\Users\philmadmin\Desktop\certs\Firewall.pem' loaded
09/11/19 09:51:46 <A : local cert 'C:\Users\philmadmin\Desktop\certs\Remote.pem' message
09/11/19 09:51:46 ii : 'C:\Users\philmadmin\Desktop\certs\Remote.pem' loaded
09/11/19 09:51:46 <A : local key 'C:\Users\philmadmin\Desktop\certs\Remote.p12' message
09/11/19 09:51:46 !! : 'C:\Users\philmadmin\Desktop\certs\Remote.p12' load failed, requesting password
09/11/19 09:51:49 <A : file password
09/11/19 09:51:49 <A : local key 'C:\Users\philmadmin\Desktop\certs\Remote.p12' message
09/11/19 09:51:49 ii : 'C:\Users\philmadmin\Desktop\certs\Remote.p12' loaded
09/11/19 09:51:49 <A : remote resource message
09/11/19 09:51:49 <A : peer tunnel enable message
09/11/19 09:51:49 ii : obtained x509 cert subject ( 94 bytes )
09/11/19 09:51:49 DB : new phase1 ( ISAKMP initiator )
09/11/19 09:51:49 DB : exchange type is aggressive
09/11/19 09:51:49 DB : 10.10.0.70:500 <-> 216.150.200.143:500
09/11/19 09:51:49 DB : 6384ff0789267618:0000000000000000
09/11/19 09:51:49 DB : phase1 added ( obj count = 1 )
09/11/19 09:51:49 >> : security association payload
09/11/19 09:51:49 >> : - proposal #1 payload
09/11/19 09:51:49 >> : -- transform #1 payload
09/11/19 09:51:49 >> : key exchange payload
09/11/19 09:51:49 >> : nonce payload
09/11/19 09:51:49 >> : cert request payload
09/11/19 09:51:49 >> : identification payload
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v00 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v01 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v02 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v03 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( rfc )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports FRAGMENTATION
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports DPDv1
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is SHREW SOFT compatible
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is NETSCREEN compatible
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is SIDEWINDER compatible
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is CISCO UNITY compatible
09/11/19 09:51:49 >= : cookies 6384ff0789267618:0000000000000000
09/11/19 09:51:49 >= : message 00000000
09/11/19 09:51:49 -> : send IKE packet 10.10.0.70:500 -> 216.150.200.143:500 ( 603 bytes )
09/11/19 09:51:49 DB : phase1 resend event scheduled ( ref count = 2 )
09/11/19 09:51:49 <- : recv IKE packet 216.150.200.143:500 -> 10.10.0.70:500 ( 1107 bytes )
09/11/19 09:51:49 DB : phase1 found
09/11/19 09:51:49 ii : processing phase1 packet ( 1107 bytes )
09/11/19 09:51:49 =< : cookies 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 =< : message 00000000
09/11/19 09:51:49 << : security association payload
09/11/19 09:51:49 << : - propsal #1 payload
09/11/19 09:51:49 << : -- transform #1 payload
09/11/19 09:51:49 ii : matched isakmp proposal #1 transform #1
09/11/19 09:51:49 ii : - transform = ike
09/11/19 09:51:49 ii : - cipher type = 3des
09/11/19 09:51:49 ii : - key length = default
09/11/19 09:51:49 ii : - hash type = sha1
09/11/19 09:51:49 ii : - dh group = modp-1024
09/11/19 09:51:49 ii : - auth type = sig-rsa
09/11/19 09:51:49 ii : - life seconds = 3600
09/11/19 09:51:49 ii : - life kbytes = 0
09/11/19 09:51:49 << : key exchange payload
09/11/19 09:51:49 << : nonce payload
09/11/19 09:51:49 << : identification payload
09/11/19 09:51:49 ii : phase1 id match ( cert check only )
09/11/19 09:51:49 ii : received = asn1-dn C=us,ST=Colorado,L=Lakewood,O=Accruit,CN=Firewall-pro
09/11/19 09:51:49 << : cert request payload
09/11/19 09:51:49 << : certificate payload
09/11/19 09:51:49 << : signature payload
09/11/19 09:51:49 << : vendor id payload
09/11/19 09:51:49 ii : peer is SIDEWINDER compatible
09/11/19 09:51:49 << : vendor id payload
09/11/19 09:51:49 ii : unknown vendor id ( 16 bytes )
09/11/19 09:51:49 0x : e720cdd4 9d2ee7b8 3ce1970a 6c69b528
09/11/19 09:51:49 ii : nat-t is unsupported by remote peer
09/11/19 09:51:49 == : DH shared secret ( 128 bytes )
09/11/19 09:51:49 == : SETKEYID ( 20 bytes )
09/11/19 09:51:49 == : SETKEYID_d ( 20 bytes )
09/11/19 09:51:49 == : SETKEYID_a ( 20 bytes )
09/11/19 09:51:49 == : SETKEYID_e ( 20 bytes )
09/11/19 09:51:49 == : cipher key ( 40 bytes )
09/11/19 09:51:49 == : cipher iv ( 8 bytes )
09/11/19 09:51:49 >> : certificate payload
09/11/19 09:51:49 == : phase1 hash_i ( computed ) ( 20 bytes )
09/11/19 09:51:49 >> : signature payload
09/11/19 09:51:49 >= : cookies 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 >= : message 00000000
09/11/19 09:51:49 >= : encrypt iv ( 8 bytes )
09/11/19 09:51:49 == : encrypt packet ( 748 bytes )
09/11/19 09:51:49 == : stored iv ( 8 bytes )
09/11/19 09:51:49 DB : phase1 resend event canceled ( ref count = 1 )
09/11/19 09:51:49 -> : send IKE packet 10.10.0.70:500 -> 216.150.200.143:500 ( 776 bytes )
09/11/19 09:51:49 !! : unable to verify remote peer certificate
09/11/19 09:51:49 ii : sending peer DELETE message
09/11/19 09:51:49 ii : - 10.10.0.70:500 -> 216.150.200.143:500
09/11/19 09:51:49 ii : - isakmp spi = 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 ii : - data size 0
09/11/19 09:51:49 >> : hash payload
09/11/19 09:51:49 >> : delete payload
09/11/19 09:51:49 == : new informational hash ( 20 bytes )
09/11/19 09:51:49 == : new informational iv ( 8 bytes )
09/11/19 09:51:49 >= : cookies 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 >= : message 6009d5ac
09/11/19 09:51:49 >= : encrypt iv ( 8 bytes )
09/11/19 09:51:49 == : encrypt packet ( 80 bytes )
09/11/19 09:51:49 == : stored iv ( 8 bytes )
09/11/19 09:51:49 -> : send IKE packet 10.10.0.70:500 -> 216.150.200.143:500 ( 112 bytes )
09/11/19 09:51:49 ii : phase1 removal before expire time
09/11/19 09:51:49 DB : phase1 deleted ( obj count = 0 )
09/11/19 09:51:49 DB : policy not found
09/11/19 09:51:49 DB : policy not found
09/11/19 09:51:49 DB : tunnel stats event canceled ( ref count = 1 )
09/11/19 09:51:49 DB : removing tunnel config references
09/11/19 09:51:49 DB : removing tunnel phase2 references
09/11/19 09:51:49 DB : removing tunnel phase1 references
09/11/19 09:51:49 DB : tunnel deleted ( obj count = 0 )
09/11/19 09:51:49 DB : removing all peer tunnel refrences
09/11/19 09:51:49 DB : peer deleted ( obj count = 0 )
09/11/19 09:51:49 ii : ipc client process thread exit ...
Phil Mullins
Systems Administrator
Accruit, LLC
1514 Curtis Street, Suite 300
Denver, Colorado 80202
Tel: 303-865-7320
Fax: 303-865-7399
Mobile: 303-915-0646
E-mail: philm at accruit.com
www.accruit.com