[Vpn-help] Shrewsoft VPN 2.1.5rc4 and Sidewinder using Self Signed certificates

Phil Mullins philm at accruit.com
Thu Nov 19 10:55:15 CST 2009


I create self-signed certs on my Sidewinder 6.1.2.05 and follow the steps
used on the wiki (except xauth - I only want to use Mutual RSA by importing
the certs from my Sidewinder).

I've tried this with Vista 32 and Windows 7 64.

I use ASN.1 Distinguished Name and check (Use the subject in the client
certificate) for both my local and remote identities. Then under
credentials, I use my firewall.pem for my Server CA file, I use my
remote.pem for my Client certificate file and I use my remote.p12 for my
Client Private Key file.

I go to connect and I always receive "unable to verify remote peer
certificate".

Is there something with the Sidewinder self-signed certs that is not
compatible? My Sidewinder does not have an imported CA file or any CA certs
on it. Is this a requirement for the Shrewsoft client? Here is my log from
the client. If I switch to MUTUAL PSK everything works A-OK. It just
doesn't work with MUTUAL RSA.

09/11/19 09:51:42 ## : IKE Daemon, ver 2.1.0
09/11/19 09:51:42 ## : Copyright 2008 Shrew Soft Inc.
09/11/19 09:51:42 ## : This product linked OpenSSL 0.9.8h 28 May 2008
09/11/19 09:51:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
09/11/19 09:51:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
09/11/19 09:51:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
09/11/19 09:51:42 ii : rebuilding vnet device list ...
09/11/19 09:51:42 ii : device ROOT\VNET\0000 disabled
09/11/19 09:51:42 ii : network process thread begin ...
09/11/19 09:51:42 ii : pfkey process thread begin ...
09/11/19 09:51:42 ii : ipc server process thread begin ...
09/11/19 09:51:46 ii : ipc client process thread begin ...
09/11/19 09:51:46 <A : peer config add message
09/11/19 09:51:46 DB : peer added ( obj count = 1 )
09/11/19 09:51:46 ii : local address 10.10.0.70 selected for peer
09/11/19 09:51:46 DB : tunnel added ( obj count = 1 )
09/11/19 09:51:46 <A : proposal config message
09/11/19 09:51:46 <A : proposal config message
09/11/19 09:51:46 <A : client config message
09/11/19 09:51:46 <A : remote cert 'C:\Users\philmadmin\Desktop\certs\Firewall.pem' message
09/11/19 09:51:46 ii : 'C:\Users\philmadmin\Desktop\certs\Firewall.pem' loaded
09/11/19 09:51:46 <A : local cert 'C:\Users\philmadmin\Desktop\certs\Remote.pem' message
09/11/19 09:51:46 ii : 'C:\Users\philmadmin\Desktop\certs\Remote.pem' loaded
09/11/19 09:51:46 <A : local key 'C:\Users\philmadmin\Desktop\certs\Remote.p12' message
09/11/19 09:51:46 !! : 'C:\Users\philmadmin\Desktop\certs\Remote.p12' load failed, requesting password
09/11/19 09:51:49 <A : file password
09/11/19 09:51:49 <A : local key 'C:\Users\philmadmin\Desktop\certs\Remote.p12' message
09/11/19 09:51:49 ii : 'C:\Users\philmadmin\Desktop\certs\Remote.p12' loaded
09/11/19 09:51:49 <A : remote resource message
09/11/19 09:51:49 <A : peer tunnel enable message
09/11/19 09:51:49 ii : obtained x509 cert subject ( 94 bytes )
09/11/19 09:51:49 DB : new phase1 ( ISAKMP initiator )
09/11/19 09:51:49 DB : exchange type is aggressive
09/11/19 09:51:49 DB : 10.10.0.70:500 <-> 216.150.200.143:500
09/11/19 09:51:49 DB : 6384ff0789267618:0000000000000000
09/11/19 09:51:49 DB : phase1 added ( obj count = 1 )
09/11/19 09:51:49 >> : security association payload
09/11/19 09:51:49 >> : - proposal #1 payload
09/11/19 09:51:49 >> : -- transform #1 payload
09/11/19 09:51:49 >> : key exchange payload
09/11/19 09:51:49 >> : nonce payload
09/11/19 09:51:49 >> : cert request payload
09/11/19 09:51:49 >> : identification payload
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v00 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v01 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v02 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( draft v03 )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports nat-t ( rfc )
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports FRAGMENTATION
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local supports DPDv1
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is SHREW SOFT compatible
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is NETSCREEN compatible
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is SIDEWINDER compatible
09/11/19 09:51:49 >> : vendor id payload
09/11/19 09:51:49 ii : local is CISCO UNITY compatible
09/11/19 09:51:49 >= : cookies 6384ff0789267618:0000000000000000
09/11/19 09:51:49 >= : message 00000000
09/11/19 09:51:49 -> : send IKE packet 10.10.0.70:500 -> 216.150.200.143:500 ( 603 bytes )
09/11/19 09:51:49 DB : phase1 resend event scheduled ( ref count = 2 )
09/11/19 09:51:49 <- : recv IKE packet 216.150.200.143:500 -> 10.10.0.70:500 ( 1107 bytes )
09/11/19 09:51:49 DB : phase1 found
09/11/19 09:51:49 ii : processing phase1 packet ( 1107 bytes )
09/11/19 09:51:49 =< : cookies 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 =< : message 00000000
09/11/19 09:51:49 << : security association payload
09/11/19 09:51:49 << : - propsal #1 payload
09/11/19 09:51:49 << : -- transform #1 payload
09/11/19 09:51:49 ii : matched isakmp proposal #1 transform #1
09/11/19 09:51:49 ii : - transform    = ike
09/11/19 09:51:49 ii : - cipher type  = 3des
09/11/19 09:51:49 ii : - key length   = default
09/11/19 09:51:49 ii : - hash type    = sha1
09/11/19 09:51:49 ii : - dh group     = modp-1024
09/11/19 09:51:49 ii : - auth type    = sig-rsa
09/11/19 09:51:49 ii : - life seconds = 3600
09/11/19 09:51:49 ii : - life kbytes  = 0
09/11/19 09:51:49 << : key exchange payload
09/11/19 09:51:49 << : nonce payload
09/11/19 09:51:49 << : identification payload
09/11/19 09:51:49 ii : phase1 id match ( cert check only )
09/11/19 09:51:49 ii : received = asn1-dn C=us,ST=Colorado,L=Lakewood,O=Accruit,CN=Firewall-pro
09/11/19 09:51:49 << : cert request payload
09/11/19 09:51:49 << : certificate payload
09/11/19 09:51:49 << : signature payload
09/11/19 09:51:49 << : vendor id payload
09/11/19 09:51:49 ii : peer is SIDEWINDER compatible
09/11/19 09:51:49 << : vendor id payload
09/11/19 09:51:49 ii : unknown vendor id ( 16 bytes )
09/11/19 09:51:49 0x : e720cdd4 9d2ee7b8 3ce1970a 6c69b528
09/11/19 09:51:49 ii : nat-t is unsupported by remote peer
09/11/19 09:51:49 == : DH shared secret ( 128 bytes )
09/11/19 09:51:49 == : SETKEYID ( 20 bytes )
09/11/19 09:51:49 == : SETKEYID_d ( 20 bytes )
09/11/19 09:51:49 == : SETKEYID_a ( 20 bytes )
09/11/19 09:51:49 == : SETKEYID_e ( 20 bytes )
09/11/19 09:51:49 == : cipher key ( 40 bytes )
09/11/19 09:51:49 == : cipher iv ( 8 bytes )
09/11/19 09:51:49 >> : certificate payload
09/11/19 09:51:49 == : phase1 hash_i ( computed ) ( 20 bytes )
09/11/19 09:51:49 >> : signature payload
09/11/19 09:51:49 >= : cookies 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 >= : message 00000000
09/11/19 09:51:49 >= : encrypt iv ( 8 bytes )
09/11/19 09:51:49 == : encrypt packet ( 748 bytes )
09/11/19 09:51:49 == : stored iv ( 8 bytes )
09/11/19 09:51:49 DB : phase1 resend event canceled ( ref count = 1 )
09/11/19 09:51:49 -> : send IKE packet 10.10.0.70:500 -> 216.150.200.143:500 ( 776 bytes )
09/11/19 09:51:49 !! : unable to verify remote peer certificate
09/11/19 09:51:49 ii : sending peer DELETE message
09/11/19 09:51:49 ii : - 10.10.0.70:500 -> 216.150.200.143:500
09/11/19 09:51:49 ii : - isakmp spi = 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 ii : - data size 0
09/11/19 09:51:49 >> : hash payload
09/11/19 09:51:49 >> : delete payload
09/11/19 09:51:49 == : new informational hash ( 20 bytes )
09/11/19 09:51:49 == : new informational iv ( 8 bytes )
09/11/19 09:51:49 >= : cookies 6384ff0789267618:5cf6fcf41c9ea379
09/11/19 09:51:49 >= : message 6009d5ac
09/11/19 09:51:49 >= : encrypt iv ( 8 bytes )
09/11/19 09:51:49 == : encrypt packet ( 80 bytes )
09/11/19 09:51:49 == : stored iv ( 8 bytes )
09/11/19 09:51:49 -> : send IKE packet 10.10.0.70:500 -> 216.150.200.143:500 ( 112 bytes )
09/11/19 09:51:49 ii : phase1 removal before expire time
09/11/19 09:51:49 DB : phase1 deleted ( obj count = 0 )
09/11/19 09:51:49 DB : policy not found
09/11/19 09:51:49 DB : policy not found
09/11/19 09:51:49 DB : tunnel stats event canceled ( ref count = 1 )
09/11/19 09:51:49 DB : removing tunnel config references
09/11/19 09:51:49 DB : removing tunnel phase2 references
09/11/19 09:51:49 DB : removing tunnel phase1 references
09/11/19 09:51:49 DB : tunnel deleted ( obj count = 0 )
09/11/19 09:51:49 DB : removing all peer tunnel refrences
09/11/19 09:51:49 DB : peer deleted ( obj count = 0 )
09/11/19 09:51:49 ii : ipc client process thread exit ...

Phil Mullins 
Systems Administrator
Accruit, LLC
1514 Curtis Street, Suite 300
Denver, Colorado  80202
Tel: 303-865-7320
Fax: 303-865-7399
Mobile: 303-915-0646 
E-mail: philm at accruit.com
www.accruit.com
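
The line that ends the exchange in the log above, "unable to verify remote peer certificate", is the client validating the certificate the gateway sent in its certificate payload against the configured Server CA file, after it has already matched the peer's ASN.1 DN identity. The script below is an added example, not part of the original post and not Shrew Soft or Sidewinder code: it reproduces that trust check, the DN comparison and the PKCS#12 password check with the OpenSSL command line on self-signed certificates it constructs itself, so the same test can be run on exported firewall.pem / remote.pem / remote.p12 files before changing anything in the client. The file names, subjects and the password are assumptions made for the example; a self-signed certificate passes the trust check only against a CA file that contains that very certificate.

```shell
#!/bin/sh
# Added example (not from the original post, Shrew Soft or Sidewinder): replay
# the trust and identity checks an IKE client makes against a peer certificate,
# using the OpenSSL CLI on constructed self-signed certificates.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the gateway's self-signed certificate ("firewall.pem")
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/C=US/ST=Colorado/O=ExampleOrg/CN=firewall-example" \
  -keyout "$WORK/firewall.key" -out "$WORK/firewall.pem" >/dev/null 2>&1

# Constructed, unrelated self-signed certificate: stands in for a CA file that
# has nothing to do with the certificate the gateway presents
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/C=US/O=ExampleOrg/CN=other-example" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# Constructed PKCS#12 bundle with a known password (the post's "remote.p12")
openssl pkcs12 -export -inkey "$WORK/firewall.key" -in "$WORK/firewall.pem" \
  -out "$WORK/remote.p12" -passout pass:example-password

# verify_peer CAFILE PEERCERT -> prints "ok" or "fail".
# This is the step behind "unable to verify remote peer certificate": the
# certificate in the peer's certificate payload must chain to the CA file.
verify_peer() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# dn_of CERT subject|issuer -> the DN in one-line RFC 2253 form, the same
# shape the client logs as "received = asn1-dn ..."
dn_of() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*=//'
}

# is_self_signed CERT -> exit status 0 when the issuer DN equals the subject DN
is_self_signed() {
  [ "$(dn_of "$1" subject)" = "$(dn_of "$1" issuer)" ]
}

# p12_opens P12 PASSWORD -> "ok" if the bundle's MAC verifies with PASSWORD.
# The log's "load failed, requesting password" is the client failing this
# step until a password is supplied.
p12_opens() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "gateway cert vs its own CA file  : $(verify_peer "$WORK/firewall.pem" "$WORK/firewall.pem")"
echo "gateway cert vs unrelated CA file: $(verify_peer "$WORK/other.pem" "$WORK/firewall.pem")"
echo "gateway cert self-signed         : $(is_self_signed "$WORK/firewall.pem" && echo yes || echo no)"
echo "gateway subject DN               : $(dn_of "$WORK/firewall.pem" subject)"
echo "p12 opens with right password    : $(p12_opens "$WORK/remote.p12" example-password)"
echo "p12 opens with wrong password    : $(p12_opens "$WORK/remote.p12" wrong)"
```

To apply it to a real setup, point `verify_peer` at the exported gateway certificate and the file configured as the Server CA file, and compare the `dn_of` output with the `received = asn1-dn` line the client logs; the two checks together cover the identity match and the trust check that the client performs in sequence.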

