[vpn-help] unable to verify remote peer certificate
sftf
sftf-misc at mail.ru
Tue May 4 22:56:16 CDT 2010
Hi.
I'm trying to connect Shrew VPN Client with a Strongswan server and get an error.
I assume that this is a problem with my certificates, but I can't understand what exactly meens
"unable to verify remote peer certificate".
I try to connect for Windows with and get
Help, please.
/etc/ipsec.conf
=================================================
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
left=195.162.52.179
leftcert=gw.opene.ru-cert.pem
leftid=@gw.opene.ru
conn rw
left=195.162.52.179
leftcert=gw.opene.ru-cert.pem
right=%any
auto=add
type=tunnel
ike=aes256-sha1-modp1024
authby=rsasig
rightcert=rw1-cert.pem
keyexchange=ikev1
leftrsasigkey=%cert
rightrsasigkey=%cert
=================================================
Shrew VPN Client
==================================================
10/05/05 10:41:44 ## : IKE Daemon, ver 2.1.5
10/05/05 10:41:44 ## : Copyright 2009 Shrew Soft Inc.
10/05/05 10:41:44 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/05/05 10:41:44 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/05/05 10:41:44 ii : rebuilding vnet device list ...
10/05/05 10:41:44 ii : device ROOT\VNET\0000 disabled
10/05/05 10:41:44 ii : network process thread begin ...
10/05/05 10:41:44 ii : pfkey process thread begin ...
10/05/05 10:41:44 ii : ipc server process thread begin ...
10/05/05 10:41:56 ii : ipc client process thread begin ...
10/05/05 10:41:56 <A : peer config add message
10/05/05 10:41:56 DB : peer added ( obj count = 1 )
10/05/05 10:41:56 ii : local address 195.162.52.180 selected for peer
10/05/05 10:41:57 DB : tunnel added ( obj count = 1 )
10/05/05 10:41:57 <A : proposal config message
10/05/05 10:41:57 <A : proposal config message
10/05/05 10:41:57 <A : client config message
10/05/05 10:41:57 <A : remote cert 'C:\Program Files\ShrewSoft\VPN Client\certificates\gw.opene.ru-cert.pem' message
10/05/05 10:41:57 ii : 'C:\Program Files\ShrewSoft\VPN Client\certificates\gw.opene.ru-cert.pem' loaded
10/05/05 10:41:57 <A : local cert 'C:\Program Files\ShrewSoft\VPN Client\certificates\rw1-cert.pem' message
10/05/05 10:41:57 ii : 'C:\Program Files\ShrewSoft\VPN Client\certificates\rw1-cert.pem' loaded
10/05/05 10:41:57 <A : local key 'C:\Program Files\ShrewSoft\VPN Client\certificates\rw1-key.pem' message
10/05/05 10:41:57 ii : 'C:\Program Files\ShrewSoft\VPN Client\certificates\rw1-key.pem' loaded
10/05/05 10:41:57 <A : peer tunnel enable message
10/05/05 10:41:57 ii : obtained x509 cert subject ( 159 bytes )
10/05/05 10:41:57 DB : new phase1 ( ISAKMP initiator )
10/05/05 10:41:57 DB : exchange type is identity protect
10/05/05 10:41:57 DB : 195.162.52.180:500 <-> 195.162.52.179:500
10/05/05 10:41:57 DB : b4e5431244e7a8ff:0000000000000000
10/05/05 10:41:57 DB : phase1 added ( obj count = 1 )
10/05/05 10:41:57 >> : security association payload
10/05/05 10:41:57 >> : - proposal #1 payload
10/05/05 10:41:57 >> : -- transform #1 payload
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local supports nat-t ( draft v00 )
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local supports nat-t ( draft v01 )
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local supports nat-t ( draft v02 )
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local supports nat-t ( draft v03 )
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local supports nat-t ( rfc )
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local supports FRAGMENTATION
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local supports DPDv1
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local is SHREW SOFT compatible
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local is NETSCREEN compatible
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local is SIDEWINDER compatible
10/05/05 10:41:57 >> : vendor id payload
10/05/05 10:41:57 ii : local is CISCO UNITY compatible
10/05/05 10:41:57 >= : cookies b4e5431244e7a8ff:0000000000000000
10/05/05 10:41:57 >= : message 00000000
10/05/05 10:41:57 -> : send IKE packet 195.162.52.180:500 -> 195.162.52.179:500 ( 344 bytes )
10/05/05 10:41:57 DB : phase1 resend event scheduled ( ref count = 2 )
10/05/05 10:41:57 <- : recv IKE packet 195.162.52.179:500 -> 195.162.52.180:500 ( 160 bytes )
10/05/05 10:41:57 DB : phase1 found
10/05/05 10:41:57 ii : processing phase1 packet ( 160 bytes )
10/05/05 10:41:57 =< : cookies b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 =< : message 00000000
10/05/05 10:41:57 << : security association payload
10/05/05 10:41:57 << : - propsal #1 payload
10/05/05 10:41:57 << : -- transform #1 payload
10/05/05 10:41:57 ii : matched isakmp proposal #1 transform #1
10/05/05 10:41:57 ii : - transform = ike
10/05/05 10:41:57 ii : - cipher type = aes
10/05/05 10:41:57 ii : - key length = 256 bits
10/05/05 10:41:57 ii : - hash type = sha1
10/05/05 10:41:57 ii : - dh group = modp-1024
10/05/05 10:41:57 ii : - auth type = sig-rsa
10/05/05 10:41:57 ii : - life seconds = 86400
10/05/05 10:41:57 ii : - life kbytes = 0
10/05/05 10:41:57 << : vendor id payload
10/05/05 10:41:57 ii : unknown vendor id ( 16 bytes )
10/05/05 10:41:57 0x : cd5792d4 b70f0299 a6a1373d e236d2ac
10/05/05 10:41:57 << : vendor id payload
10/05/05 10:41:57 ii : peer is CISCO UNITY compatible
10/05/05 10:41:57 << : vendor id payload
10/05/05 10:41:57 ii : peer supports XAUTH
10/05/05 10:41:57 << : vendor id payload
10/05/05 10:41:57 ii : peer supports DPDv1
10/05/05 10:41:57 >> : key exchange payload
10/05/05 10:41:57 >> : nonce payload
10/05/05 10:41:57 >> : cert request payload
10/05/05 10:41:57 >= : cookies b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 >= : message 00000000
10/05/05 10:41:57 DB : phase1 resend event canceled ( ref count = 1 )
10/05/05 10:41:57 -> : send IKE packet 195.162.52.180:500 -> 195.162.52.179:500 ( 217 bytes )
10/05/05 10:41:57 DB : phase1 resend event scheduled ( ref count = 2 )
10/05/05 10:41:57 <- : recv IKE packet 195.162.52.179:500 -> 195.162.52.180:500 ( 336 bytes )
10/05/05 10:41:57 DB : phase1 found
10/05/05 10:41:57 ii : processing phase1 packet ( 336 bytes )
10/05/05 10:41:57 =< : cookies b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 =< : message 00000000
10/05/05 10:41:57 << : key exchange payload
10/05/05 10:41:57 << : nonce payload
10/05/05 10:41:57 << : cert request payload
10/05/05 10:41:57 ii : nat-t is unsupported by remote peer
10/05/05 10:41:57 == : DH shared secret ( 128 bytes )
10/05/05 10:41:57 == : SETKEYID ( 20 bytes )
10/05/05 10:41:57 == : SETKEYID_d ( 20 bytes )
10/05/05 10:41:57 == : SETKEYID_a ( 20 bytes )
10/05/05 10:41:57 == : SETKEYID_e ( 20 bytes )
10/05/05 10:41:57 == : cipher key ( 32 bytes )
10/05/05 10:41:57 == : cipher iv ( 16 bytes )
10/05/05 10:41:57 >> : identification payload
10/05/05 10:41:57 >> : certificate payload
10/05/05 10:41:57 == : phase1 hash_i ( computed ) ( 20 bytes )
10/05/05 10:41:57 >> : signature payload
10/05/05 10:41:57 >= : cookies b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 >= : message 00000000
10/05/05 10:41:57 >= : encrypt iv ( 16 bytes )
10/05/05 10:41:57 == : encrypt packet ( 1597 bytes )
10/05/05 10:41:57 == : stored iv ( 16 bytes )
10/05/05 10:41:57 DB : phase1 resend event canceled ( ref count = 1 )
10/05/05 10:41:57 -> : send IKE packet 195.162.52.180:500 -> 195.162.52.179:500 ( 1640 bytes )
10/05/05 10:41:57 ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
10/05/05 10:41:57 ii : fragmented packet to 174 bytes ( MTU 1500 bytes )
10/05/05 10:41:57 <- : recv IKE packet 195.162.52.179:500 -> 195.162.52.180:500 ( 1596 bytes )
10/05/05 10:41:57 DB : phase1 found
10/05/05 10:41:57 ii : processing phase1 packet ( 1596 bytes )
10/05/05 10:41:57 =< : cookies b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 =< : message 00000000
10/05/05 10:41:57 =< : decrypt iv ( 16 bytes )
10/05/05 10:41:57 == : decrypt packet ( 1596 bytes )
10/05/05 10:41:57 <= : trimmed packet padding ( 8 bytes )
10/05/05 10:41:57 <= : stored iv ( 16 bytes )
10/05/05 10:41:57 << : identification payload
10/05/05 10:41:57 ii : phase1 id target is any
10/05/05 10:41:57 ii : phase1 id match
10/05/05 10:41:57 ii : received = fqdn gw.opene.ru
10/05/05 10:41:57 << : certificate payload
10/05/05 10:41:57 << : signature payload
10/05/05 10:41:57 ii : added gw.opene.ru-cert.pem to x509 store
10/05/05 10:41:57 ii : added rw1-cert.pem to x509 store
10/05/05 10:41:57 !! : unable to verify remote peer certificate
10/05/05 10:41:57 ii : sending peer DELETE message
10/05/05 10:41:57 ii : - 195.162.52.180:500 -> 195.162.52.179:500
10/05/05 10:41:57 ii : - isakmp spi = b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 ii : - data size 0
10/05/05 10:41:57 >> : hash payload
10/05/05 10:41:57 >> : delete payload
10/05/05 10:41:57 == : new informational hash ( 20 bytes )
10/05/05 10:41:57 == : new informational iv ( 16 bytes )
10/05/05 10:41:57 >= : cookies b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 >= : message 64fd5955
10/05/05 10:41:57 >= : encrypt iv ( 16 bytes )
10/05/05 10:41:57 == : encrypt packet ( 80 bytes )
10/05/05 10:41:57 == : stored iv ( 16 bytes )
10/05/05 10:41:57 -> : send IKE packet 195.162.52.180:500 -> 195.162.52.179:500 ( 120 bytes )
10/05/05 10:41:57 ii : phase1 removal before expire time
10/05/05 10:41:57 DB : phase1 deleted ( obj count = 0 )
10/05/05 10:41:57 <- : recv IKE packet 195.162.52.179:500 -> 195.162.52.180:500 ( 92 bytes )
10/05/05 10:41:57 DB : phase1 not found
10/05/05 10:41:57 ww : ike packet from 195.162.52.179 ignored, unknown phase1 sa for peer
10/05/05 10:41:57 ww : b4e5431244e7a8ff:3a5d8321084855bc
10/05/05 10:41:57 DB : tunnel stats event canceled ( ref count = 1 )
10/05/05 10:41:57 DB : removing tunnel config references
10/05/05 10:41:57 DB : removing tunnel phase2 references
10/05/05 10:41:57 DB : removing tunnel phase1 references
10/05/05 10:41:57 DB : tunnel deleted ( obj count = 0 )
10/05/05 10:41:57 DB : removing all peer tunnel refrences
10/05/05 10:41:57 DB : peer deleted ( obj count = 0 )
10/05/05 10:41:57 ii : ipc client process thread exit ...
==================================================
More information about the vpn-help
mailing list