[vpn-help] Key daemon / IKE Service keeps dying with cert-based VPN in Win 7

Kevin VPN kvpn at live.com
Mon Nov 21 22:16:14 CST 2011


On 11/18/2011 05:40 PM, A. J. Clark wrote:
> Hi there,
>
> I've been trying for the past few days to get a cert-based VPN setup
> between the Shrew soft client in Win 7 Enterprise and a Juniper SSG5.
>
<snip>
>
> Unfortunately on the Shrew side, as it's going through the process, the
> key daemon stops and there's no log, no matter how verbose, as to the
> problem.  The key daemon logs look similar to this when it stops:
>
> 11/11/17 15:44:19 DB : phase1 resend event canceled ( ref count = 1 )
> 11/11/17 15:44:19 ->  : send IKE packet 10.250.0.242:500 ->
> 10.250.0.241:500 ( 1304 bytes )
> 11/11/17 15:44:19 ii : added ca.crt to x509 store
> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:0
> 11/11/17 15:44:19 ii : subject :/ST=British
> Columbia/L=Kamloops/O=SuperTest/OU=IPSec
> VPN/CN=0162072007000231/CN=(250)
> 434-8700/CN=ecdsa-key/CN=testcertvpn.testing.com/CN=Bob Smith
> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:1
> 11/11/17 15:44:19 ii : subject
> :/C=CA/ST=BC/L=Kamloops/O=SuperTesting/OU=Staff VPN/CN=SuperTesting
> CA/emailAddress=bob.smith at testing.com
>
> I've attached a window shot of what the Access Manager connect window
> looks like.
>
> Again, Phase1 completes successfully - I set up a whole new batch of keys
> &  certs today to re-do the tests from scratch and I have exactly the
> same results - here's what the screenOS side says:
>
> 2011-11-18 14:07:52	info	IKE 10.250.0.242 Phase 1: Completed Aggressive
> mode negotiations with a 28800-second lifetime.
> 2011-11-18 14:07:52	info	IKE 10.250.0.242 Phase 1: Completed for user User1.
> 2011-11-18 14:07:51	notif	PKI: No revocation check, per config, for cert
> with subject name Email=User1 at testzing.com,CN=User1,.
> 2011-11-18 14:07:51	info	IKE 10.250.0.242 phase 1:The symmetric crypto
> key has been generated successfully.
> 2011-11-18 14:07:51	info	IKE 10.250.0.242 Phase 1: Responder starts
> AGGRESSIVE mode negotiations.
>

Hi Adam,

I don't know much about certificates, having never worked with them, but 
I can try to help.

First, I think you have a subject name mismatch, but maybe that's 
because your log outputs are from different days with different 
keys/certs.  And it's probably intentional, but in case not, your 
ScreenOS log shows 'testZing.com' as the domain.

When you generated your certificates, did you specify a CRL?  If so, is 
the CRL server you specified accessible to the Shrew client over the 
plain Internet?

If it's not available, can you try generating some certificates that do 
not specify a CRL?
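As an added illustration (not part of this thread, and not Shrew Soft or Juniper code), the script below runs over the key daemon lines quoted above, re-joined where the mail wrapped them, and pulls out exactly the two things the reply asks about: which certificate in the chain failed its CRL lookup, and what the subject names on each side look like, so a CN mismatch between the Shrew log and the ScreenOS log shows up without reading the DNs by eye. The log lines are a constructed copy of the page's sample; the "at" in the e-mail address is the list's address obfuscation, kept as it appears on the page. That the "(3)" matches OpenSSL's `X509_V_ERR_UNABLE_TO_GET_CRL` numbering is an assumption about how the Shrew daemon reports its verify errors.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Shrew key daemon lines quoted in the thread, with the
# mail wrapping undone. "bob.smith at testing.com" is the list's address
# obfuscation and is kept as it appears on the page.
SHREW_LOG = """\
11/11/17 15:44:19 DB : phase1 resend event canceled ( ref count = 1 )
11/11/17 15:44:19 ->  : send IKE packet 10.250.0.242:500 -> 10.250.0.241:500 ( 1304 bytes )
11/11/17 15:44:19 ii : added ca.crt to x509 store
11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:0
11/11/17 15:44:19 ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTest/OU=IPSec VPN/CN=0162072007000231/CN=(250) 434-8700/CN=ecdsa-key/CN=testcertvpn.testing.com/CN=Bob Smith
11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:1
11/11/17 15:44:19 ii : subject :/C=CA/ST=BC/L=Kamloops/O=SuperTesting/OU=Staff VPN/CN=SuperTesting CA/emailAddress=bob.smith at testing.com
"""

# Constructed sample: the subject ScreenOS printed for the same peer.
SCREENOS_SUBJECT = "Email=User1 at testzing.com,CN=User1,"

# "<date> <time> <tag> : <message>"; the tag is "DB", "ii", "->" and so on.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<tag>\S+)\s+: (?P<msg>.*)$"
)
# Assumption: the number in parentheses is OpenSSL's verify error code
# (3 == X509_V_ERR_UNABLE_TO_GET_CRL); depth 0 is the peer's own certificate.
CRL_RE = re.compile(r"unable to get certificate CRL\((?P<code>\d+)\) at depth:(?P<depth>\d+)")


@dataclass
class CrlFailure:
    depth: int
    code: int
    subject: list = field(default_factory=list)  # [(attr, value), ...] in order


def parse_slash_dn(dn):
    """Parse the OpenSSL-style '/ST=..../CN=...' form. Repeated CNs are kept in
    order. Simplistic: a '/' inside a value would split it (none in the sample)."""
    out = []
    for part in dn.split("/"):
        if part:
            attr, _, value = part.partition("=")
            out.append((attr, value))
    return out


def parse_comma_dn(dn):
    """Parse the comma-separated form ScreenOS prints ('Email=...,CN=...,')."""
    return [tuple(p.split("=", 1)) for p in dn.split(",") if "=" in p]


def find_crl_failures(log_text):
    """Return one CrlFailure per 'unable to get certificate CRL' line, attaching
    the 'subject :' line the daemon prints immediately after it."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        hit = CRL_RE.search(msg)
        if hit:
            pending = CrlFailure(int(hit.group("depth")), int(hit.group("code")))
            failures.append(pending)
        elif pending is not None and msg.startswith("subject :"):
            pending.subject = parse_slash_dn(msg[len("subject :"):])
            pending = None
    return failures


def common_names(subject):
    return [v for k, v in subject if k == "CN"]


def subject_mismatch(shrew_subject, screenos_subject):
    """True when the two sides share no CN at all, which is the mismatch the
    reply points at (Bob Smith's cert on one side, User1 on the other)."""
    return set(common_names(shrew_subject)).isdisjoint(common_names(screenos_subject))


if __name__ == "__main__":
    for f in find_crl_failures(SHREW_LOG):
        print(f"depth {f.depth}: CRL lookup failed (code {f.code}), CN={common_names(f.subject)}")
    leaf = find_crl_failures(SHREW_LOG)[0].subject
    print("CN mismatch vs ScreenOS:", subject_mismatch(leaf, parse_comma_dn(SCREENOS_SUBJECT)))
```

Depth 1 failing as well as depth 0 means the CA certificate, not only the user certificate, is being checked for a CRL; both would need a reachable distribution point, or certificates issued without one, for the check to pass.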
