[vpn-help] Windows 2008 R2 CA, OpenBSD 4.8 isakmpd, "unable to verify remote peer certificate"

Matthew Grooms mgrooms at shrew.net
Mon Nov 15 22:36:32 CST 2010


On 11/6/2010 7:44 PM, dontek wrote:
> Hey folks:
>
> I am having an issue with the Shrew Soft VPN client connecting to my
> OpenBSD 4.8 isakmpd gateway since attempting a switch from Pre-Shared
> Key Auth to Mutual RSA Auth using a Windows 2008 R2 Certificate Services CA.
>
> I am using the sscep client to connect to the Windows CA via Network
> Device Enrollment Service (mscep) to pull the CA certificate and request
> and pull client certificates to isakmpd on the OpenBSD gateway.
>
> I have installed the Windows CA certificate to /etc/isakmpd/ca/ca.crt
> and I am able to verify client certificates against it using `openssl
> verify -CAfile /etc/isakmpd/ca/ca.crt /etc/isakmpd/certs/local.crt` etc…
>
> I have a local cert and key as well as a client cert and key installed
> into isakmpd.
>
> Upon attempting a connection via Shrew Soft VPN client, Phase 1 fails
> with “unable to verify remote peer certificate”.
>
> On the OpenBSD gateway isakmpd logs:
>
> …Default isakmpd: phase 1 done: initiator id…
>
> …Default isakmpd: Peer <ipaddress> made us delete live SA peer-default
> for proto 1, initiator id…
>
> I am assuming Shrew is complaining about my OpenBSD gateway’s issued
> cert and not the CA cert correct?
>
> Can someone help give me a clue as to what is going on here?
>

Have you looked at the debug level output using the VPN Trace 
application? It may provide some insight ...

http://www.shrew.net/support/wiki/BugReportVpnWindows

-Matthew