[vpn-help] Unable to verify remote peer certificate
Matthew Grooms
mgrooms at shrew.net
Mon Apr 19 22:35:30 CDT 2010
On 3/31/2010 7:44 AM, Michael wrote:
>
> Hello list,
>
> I'm using the shrew ike daemon (packaged with the Qt client) version
> 2.1.4 on Ubuntu Linux 9.10. The goal is a roadwarrior installation
> with X.509 certificate authentication.
>
> When using preshared keys this same configuration works. Mobile
> clients using other software (IPSecuritas) with the same
> certificates I'm loading in Shrew work as well so...
>
> The problem is that I see 'Gateway authentication error' in the
> GUI window after trying to connect. The log /var/log/iked.log:
>
> ii : unable to get local issuer certificate(20) at depth:0
> ii : subject :/CN=name.host.tld
> !! : unable to verify remote peer certificate
>
> The host 'name.host.tld' is in the SubjectAltName of the X.509
> certificate loaded on the ike v1 server m0n0wall 1.31. I have
> concatenated the root and intermediate CA certificates of CaCert.org
> to the file 'cacert-combi.pem':
>
> s:ident-server-type:asn1dn
> s:auth-server-cert:/home/username/.ike/certs/cacert-combi.pem
> s:auth-client-cert:/home/username/.ike/certs/myclienthost-cacert-rsa-4096-crt.pem
> s:auth-client-key:/home/username/.ike/keys/myclienthost-cacert-rsa-4096-key.pem
>
> What can be the problem?
>
I don't believe concatenating the certificate files together will have
any effect. A lot of work was done between 2.1.4 and 2.1.6 to allow a
multi-certificate chain received from the peer during phase1 negotiations
to be interpreted correctly. And on the Windows platform, we have a
special directory where a user can drop additional certificates that are
used as intermediates during certificate verification. But on Linux/BSD,
there is no analog to this.
I think we need to allow a certificate directory to be passed instead of
a single certificate file. This will allow a client to configure a group
of certificate files that can be used for chained authentication.
Unfortunately, I don't have time to do this at the moment. This should
be completed before 2.2.0 release. Sorry I can't be more help at this time.
-Matthew
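The log line quoted above, "unable to get local issuer certificate(20) at depth:0", is OpenSSL's verify error 20 raised on the peer's own certificate (depth 0): the verifier has a trusted root but cannot find the intermediate that issued the leaf, so the chain cannot be completed from local material. The script below is an added example, not code from this thread or from the Shrew Soft project, and it says nothing about how iked 2.1.4 reads its auth-server-cert file. It builds a constructed root -> intermediate -> leaf chain with the openssl command-line tool (the CA names, key sizes and temp paths are assumptions) and runs openssl verify three ways: root only (reproduces error 20 at depth 0), root plus the intermediate supplied as untrusted chain material (what a peer sending its full chain provides), and the root and intermediate concatenated into one CAfile in the style of cacert-combi.pem. The last case is a useful diagnostic on its own: it confirms that the certificate material is sound when the whole file is loaded, which isolates the problem to what the client loads from the file.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 20 ("unable to get local issuer
# certificate") at depth 0 with a constructed root -> intermediate -> leaf
# chain, then show which trust inputs let the leaf verify. All names, paths
# and key sizes are made up for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/chain.cnf"

# Minimal OpenSSL config: "req" insists on a distinguished_name section even
# when -subj is given; the extension sections mark the CAs as CAs and give the
# leaf the SubjectAltName used in the original report.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:name.host.tld
EOF

# Generate the three-level chain once. The openssl progress output is discarded.
make_chain() {
    ( cd "$WORK" && {
        openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes \
            -keyout root.key -out root.pem -subj "/CN=Example Test Root" -days 30
        openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
            -keyout inter.key -out inter.csr -subj "/CN=Example Test Intermediate"
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
            -extfile "$CFG" -extensions v3_ca -out inter.pem -days 30
        openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
            -keyout leaf.key -out leaf.csr -subj "/CN=name.host.tld"
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
            -extfile "$CFG" -extensions v3_leaf -out leaf.pem -days 30
        # What the poster built: root and intermediate concatenated into one file.
        cat root.pem inter.pem > combi.pem
    } ) >/dev/null 2>&1
}

# Summarise an "openssl verify" run on the leaf as OK, ERR<code>_DEPTH<n>, or OTHER.
#   $1 = file of trusted CA certificates
#   $2 = optional file of untrusted intermediates (the chain a peer would send
#        alongside its own certificate)
verify_leaf() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *"depth lookup"*)
            # e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
            printf '%s\n' "$out" \
                | sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/ERR\1_DEPTH\2/p' \
                | head -n 1 ;;
        *) echo OTHER ;;
    esac
}

make_chain

# 1. Only the root is trusted and the peer presents just its own certificate:
#    the issuer of the leaf is not available locally, so the chain stops at
#    depth 0 with error 20, the line seen in iked.log.
root_only()       { verify_leaf "$WORK/root.pem"; }
# 2. Root trusted, intermediate provided as untrusted chain material.
root_plus_chain() { verify_leaf "$WORK/root.pem" "$WORK/inter.pem"; }
# 3. Root and intermediate concatenated into a single CAfile.
combined_cafile() { verify_leaf "$WORK/combi.pem"; }

for scenario in root_only root_plus_chain combined_cafile; do
    printf '%-16s %s\n' "$scenario" "$($scenario)"
done
```

Expected on a working OpenSSL install: root_only prints ERR20_DEPTH0, the other two print OK. If combined_cafile also fails in your environment, the certificate material itself is broken (wrong intermediate, missing CA:TRUE, expired), which is a different problem from a client that loads only the first certificate in the file.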