[vpn-help] Key daemon / IKE Service keeps dying with cert-based VPN in Win 7

A. J. Clark kinetix at dhbit.ca
Fri Nov 18 16:40:35 CST 2011


Hi there,

I've been trying for the past few days to get a cert-based VPN setup
between the Shrew Soft client on Win 7 Enterprise and a Juniper SSG5.

I've had no issues with the client and PSK-based setups, utilizing some
Xauth setups and non-Xauth setups.  Haven't seen any issues like this
before.

I've walked through the wiki doc on this setup several times and tested
with Shrew client versions 2.1.6, 2.1.7 and 2.2.0-beta-2.

I get exactly the same issue every time, and I know I have things
configured to the point where the remote endpoint thinks things are
good, and Phase 1 completes successfully.

Unfortunately on the Shrew side, as it's going through the process, the
key daemon stops and there's no log, no matter how verbose, as to the
problem.  The key daemon logs look similar to this when it stops:

11/11/17 15:44:19 DB : phase1 resend event canceled ( ref count = 1 )
11/11/17 15:44:19 -> : send IKE packet 10.250.0.242:500 ->
10.250.0.241:500 ( 1304 bytes )
11/11/17 15:44:19 ii : added ca.crt to x509 store
11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:0
11/11/17 15:44:19 ii : subject :/ST=British
Columbia/L=Kamloops/O=SuperTest/OU=IPSec
VPN/CN=0162072007000231/CN=(250)
434-8700/CN=ecdsa-key/CN=testcertvpn.testing.com/CN=Bob Smith
11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:1
11/11/17 15:44:19 ii : subject
:/C=CA/ST=BC/L=Kamloops/O=SuperTesting/OU=Staff VPN/CN=SuperTesting
CA/emailAddress=bob.smith at testing.com

I've attached a window shot of what the Access Manager connect window
looks like.

Again, Phase 1 completes successfully - I set up a whole new batch of keys
& certs today to re-do the tests from scratch and I have exactly the
same results - here's what the ScreenOS side says:

2011-11-18 14:07:52	info	IKE 10.250.0.242 Phase 1: Completed Aggressive
mode negotiations with a 28800-second lifetime.
2011-11-18 14:07:52	info	IKE 10.250.0.242 Phase 1: Completed for user User1.
2011-11-18 14:07:51	notif	PKI: No revocation check, per config, for cert
with subject name Email=User1 at testzing.com,CN=User1,.
2011-11-18 14:07:51	info	IKE 10.250.0.242 phase 1:The symmetric crypto
key has been generated successfully.
2011-11-18 14:07:51	info	IKE 10.250.0.242 Phase 1: Responder starts
AGGRESSIVE mode negotiations.

To me, this appears to be an issue with the key daemon in windows - in
all other methods of deployment that I've tested & used, I've never seen
the key daemon disappear.  Yet it's reproducible for me every time I've
tried using certificates.

I'm also attaching the exported Shrew client config for this setup
"10.250.0.241.vpn".

I hope I've provided enough information here - and I also hope that it's
actually a config issue on my end, rather than a bug.

Thanks in advance,

-Adam
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shrew-key-daemon-disappear.png
Type: image/png
Size: 7037 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20111118/efe4aaa3/attachment-0001.png>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 10.250.0.241.vpn
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20111118/efe4aaa3/attachment-0001.ksh>
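The two "unable to get certificate CRL(3)" lines in the key daemon log carry OpenSSL's X.509 verify error number 3 (X509_V_ERR_UNABLE_TO_GET_CRL): the verifier was asked to check revocation but no CRL for that issuer was loadable. Whether that condition alone makes the posted chain fail validation can be tested outside the daemon. The script below is an added example, not code from the post or from Shrew Soft: it builds a throwaway CA and client cert (the names "Test CA" and "client" and the temp directory are made up), reproduces error 3 with `openssl verify -crl_check`, then issues an empty CRL from the same CA and shows the same chain validating once the CRL is supplied. It says nothing about why iked itself exits; it only separates "the chain cannot be validated with CRL checking on" from "the daemon dies".

```shell
#!/bin/sh
# Added example (not from the original post or the Shrew Soft project).
# Requires the openssl command-line tool. All names are invented for the demo.
set -e

# Build a throwaway two-level PKI (self-signed CA + one client cert) in a
# fresh temp directory and print that directory's path.
make_test_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=client" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" >/dev/null 2>&1
    echo "$dir"
}

# Verify the client cert with CRL checking on but no CRL available.
# This is the condition behind "unable to get certificate CRL(3)" in the
# daemon log; openssl prints "error 3 at 0 depth lookup: unable to get
# certificate CRL". The exit status is swallowed so the text can be inspected.
verify_without_crl() {
    openssl verify -crl_check -CAfile "$1/ca.crt" "$1/client.crt" 2>&1 || true
}

# Issue an empty CRL from the test CA, then verify again with it supplied.
# Returns openssl's exit status: 0 means the chain validated with CRL checking.
verify_with_crl() {
    dir=$1
    # Minimal config: 'openssl ca -gencrl' needs only a database and CRL number
    # (assumed sufficient here; lifetime and digest are passed on the command line).
    printf '[ca]\ndefault_ca = test_ca\n[test_ca]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\n' \
        "$dir" "$dir" > "$dir/ca.cnf"
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 30 -md sha256 \
        -keyfile "$dir/ca.key" -cert "$dir/ca.crt" -out "$dir/ca.crl" >/dev/null 2>&1
    openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" "$dir/client.crt"
}

# Stand-alone run: show both verdicts, then clean up.
if [ "${0##*/}" != "sh" ] && [ -z "${SOURCED_FOR_TEST:-}" ]; then
    d=$(make_test_pki)
    echo "--- no CRL available:"
    verify_without_crl "$d"
    echo "--- CRL supplied:"
    verify_with_crl "$d" || echo "verification failed"
    rm -rf "$d"
fi
```

To apply this to the real setup, point `-CAfile` at the CA bundle the client was given and `-CRLfile` at the CRL the CA actually publishes (or use `-crl_check_all`, which mirrors the depth:0 and depth:1 lines in the log by also demanding a CRL for the CA cert itself). If the real chain validates here, the CRL lines are informational noise rather than the reason the connection cannot proceed, and the daemon exit has to be chased separately.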