[vpn-help] Key daemon / IKE Service keeps dying with cert-based VPN in Win 7

Kevin VPN kvpn at live.com
Thu Dec 1 21:36:44 CST 2011


On 11/30/2011 05:41 PM, A. J. Clark wrote:
> Hi there,
>
> I can confirm that this issue exists in Linux as well... the same
> certificate/VPN setup shows the following;
>
...
> DB : phase1 resend event canceled ( ref count = 1 )
> ->  : send IKE packet 10.250.0.243:500 ->  10.250.0.241:500 ( 1984 bytes )
> ii : unable to get certificate CRL(3) at depth:0
> ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTestzing/OU=IPSec
> VPN/CN=0162072007000231/CN=(250)
> 434-8700/CN=ecdsa-key/CN=test.cert.vpn/CN=Adam Clark
> ii : unable to get certificate CRL(3) at depth:1
> ii : subject :/C=CA/ST=British
> Columbia/L=Kamloops/O=Testzing/OU=StaffVPN/CN=test.cert.vpn
> Segmentation fault
>
>
> I'm not sure if/why iked might be having issues with no CRL setup (as
> there's no place to put a CRL setup), or if it's just coincidence that
> that's the last thing it logs before it crashes.
>

Hi Adam,

The only reason I think that there must be a CRL in your certs is 
because iirc none of the other cert-based iked logs that I've seen on 
this list say anything about CRLs.

Did I already ask if there's something that would block your certificate 
services on the client from going to the web to check a CRL?

BTW, if you've got Linux, you should be able to run a command sort of 
like this to show you the cert and if there's a CRL in it (if it's not 
x509, use the appropriate format):
openssl x509 -in cert.crt -text
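
The check suggested above, expanded into an added example that is not part of the original message: a shell helper that decodes a certificate (PEM, falling back to DER) and lists any CRL Distribution Point URIs it carries. The function names and the throwaway sample certificate are constructed for illustration.

```sh
#!/bin/sh
# Report CRL Distribution Point (CDP) URIs carried in a certificate.

# Decode a certificate to text, trying PEM first and then DER.
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null
}

# Print one CDP URI per line.
# Status: 0 = URI found, 1 = no CDP URI, 2 = not a parsable certificate.
crl_points() {
    text=$(cert_text "$1") || return 2
    printf '%s\n' "$text" | awk '
        /X509v3 CRL Distribution Points/ { insec = 1; next }
        insec && NF {
            # Extension names are indented 12 spaces; deeper lines are content.
            match($0, /[^ ]/)
            if (RSTART <= 13) { insec = 0; next }
            if (sub(/^ *URI:/, "")) { print; found = 1 }
        }
        END { exit !found }'
}

# Constructed sample input: self-signed throwaway cert, optional CDP URI in $2.
make_sample_cert() {
    cfg=$(mktemp); key=$(mktemp)
    {
        printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
        printf '[dn]\nCN=constructed-sample\n[ext]\nbasicConstraints=CA:FALSE\n'
        [ -z "$2" ] || printf 'crlDistributionPoints=URI:%s\n' "$2"
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$key" -out "$1" 2>/dev/null
    rc=$?; rm -f "$cfg" "$key"; return "$rc"
}

# Report on every file named on the command line.
for f in "$@"; do
    if uris=$(crl_points "$f"); then
        printf '%s: CDP present\n%s\n' "$f" "$uris"
    else
        case $? in
            1) printf '%s: no CDP in certificate\n' "$f" ;;
            *) printf '%s: could not parse as PEM or DER X.509\n' "$f" ;;
        esac
    fi
done
```

Run it with the client and CA certificate files as arguments to get one report per file.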


