[vpn-help] Windows 2008 R2 CA, OpenBSD 4.8 isakmpd, "unable to verify remote peer certificate"

dontek dontek at gmail.com
Sat Nov 6 19:44:25 CDT 2010


Hey folks:

I am having an issue with the Shrew Soft VPN client connecting to my OpenBSD
4.8 isakmpd gateway since attempting a switch from Pre-Shared Key Auth to
Mutual RSA Auth using a Windows 2008 R2 Certificate Services CA.

I am using the sscep client to connect to the Windows CA via Network Device
Enrollment Service (mscep) to pull the CA certificate and request and pull
client certificates to isakmpd on the OpenBSD gateway.

I have installed the Windows CA certificate to /etc/isakmpd/ca/ca.crt and I
am able to verify client certificates against it using `openssl verify
-CAfile /etc/isakmpd/ca/ca.crt /etc/isakmpd/certs/local.crt` etc.

I have a local cert and key as well as a client cert and key installed into
isakmpd.

Upon attempting a connection via Shrew Soft VPN client, Phase 1 fails with
"unable to verify remote peer certificate".

On the OpenBSD gateway, isakmpd logs:

.Default isakmpd: phase 1 done: initiator id.

.Default isakmpd: Peer <ipaddress> made us delete live SA peer-default for
proto 1, initiator id.

I am assuming Shrew is complaining about my OpenBSD gateway's issued cert
and not the CA cert, correct?

Can someone help give me a clue as to what is going on here?

Thanks,

don..
