[vpn-help] Key daemon / IKE Service keeps dying with cert-based VPN in Win 7

A. J. Clark kinetix at dhbit.ca
Tue Nov 22 15:53:47 CST 2011


On 11/21/2011 08:16 PM, Kevin VPN wrote:
> On 11/18/2011 05:40 PM, A. J. Clark wrote:
>> Hi there,
>>
>> I've been trying for the past few days to get a cert-based VPN setup
>> between the Shrew soft client in Win 7 Enterprise and a Juniper SSG5.
>>
> <snip>
>>
>> Unfortunately on the Shrew side, as it's going through the process, the
>> key daemon stops and there's no log, no matter how verbose, as to the
>> problem.  The key daemon logs look similar to this when it stops:
>>
>> 11/11/17 15:44:19 DB : phase1 resend event canceled ( ref count = 1 )
>> 11/11/17 15:44:19 ->  : send IKE packet 10.250.0.242:500 ->
>> 10.250.0.241:500 ( 1304 bytes )
>> 11/11/17 15:44:19 ii : added ca.crt to x509 store
>> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:0
>> 11/11/17 15:44:19 ii : subject :/ST=British
>> Columbia/L=Kamloops/O=SuperTest/OU=IPSec
>> VPN/CN=0162072007000231/CN=(250)
>> 434-8700/CN=ecdsa-key/CN=testcertvpn.testing.com/CN=Bob Smith
>> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:1
>> 11/11/17 15:44:19 ii : subject
>> :/C=CA/ST=BC/L=Kamloops/O=SuperTesting/OU=Staff VPN/CN=SuperTesting
>> CA/emailAddress=bob.smith at testing.com
>>
>> I've attached a window shot of what the Access Manager connect window
>> looks like.
>>
>> Again, Phase1 completes successfully - I set up a whole new batch of keys
>> &  certs today to re-do the tests from scratch and I have exactly the
>> same results - here's what the screenOS side says:
>>
>> 2011-11-18 14:07:52    info    IKE 10.250.0.242 Phase 1: Completed
>> Aggressive
>> mode negotiations with a 28800-second lifetime.
>> 2011-11-18 14:07:52    info    IKE 10.250.0.242 Phase 1: Completed for
>> user User1.
>> 2011-11-18 14:07:51    notif    PKI: No revocation check, per config,
>> for cert
>> with subject name Email=User1 at testzing.com,CN=User1,.
>> 2011-11-18 14:07:51    info    IKE 10.250.0.242 phase 1:The symmetric
>> crypto
>> key has been generated successfully.
>> 2011-11-18 14:07:51    info    IKE 10.250.0.242 Phase 1: Responder starts
>> AGGRESSIVE mode negotiations.
>>
> 
> Hi Adam,
> 
> I don't know much about certificates, having never worked with them, but
> I can try to help.
> 
> First, I think you have a subject name mismatch, but maybe that's
> because your log outputs are from different days with different
> keys/certs.  And it's probably intentional, but in case not, your
> ScreenOS log shows 'testZing.com' as the domain.
> 
> When you generated your certificates, did you specify a CRL?  If so, is
> the CRL server you specified accessible to the Shrew client over the
> plain Internet?
> 
> If it's not available, can you try generating some certificates that do
> not specify a CRL?

Hi Kevin,

Yes, the subject mismatch you see comes from different CA/cert setups on
different days.  I wanted to try things the way I knew how with
openvpn's easy-rsa scripts, and then I tried it following the ShrewVPN
wiki documentation to the letter.

In both cases, I could get Phase 1 to complete, so I'm pretty sure the
contents of the certificates and xauth information (I tested with and
without xauth) were all meshing appropriately.

For the CRL - I believe that's generally a function of the VPN "server"
device, not the client end.  I have disabled CRL checking for this setup
on the ScreenOS device side of things - I think it's interesting that
the Shrewsoft side complains about it, but I suspect it complains about
it for everyone as I don't see anywhere the client can be configured
with a CRL, nor would I expect the client end to handle the CRL.

Also, I don't believe the certificates specify a CRL - I haven't seen
any information anywhere on the certificates specifying that information
at all.  I've only ever seen it specified as something on the 'server'
end of these types of connections.

Thanks,
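
A quick way to settle whether a certificate actually names a CRL (OpenSSL verify error 3, the number in the "unable to get certificate CRL(3)" line, is X509_V_ERR_UNABLE_TO_GET_CRL): the following is an added shell example, not from this thread or from the Shrew Soft project, that builds throwaway test certs with and without a CRL Distribution Points extension and reports which one carries it. It assumes OpenSSL 1.1.1 or later (for -addext); the names and the CRL URI are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): generate a self-signed test cert with
# and without a CRL Distribution Points extension, then inspect which one a
# client-side OpenSSL store would try to fetch a CRL for.
# Assumes OpenSSL >= 1.1.1 (for -addext). All names and URIs are constructed.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_cert NAME [CRL_URI]
# Writes a throwaway self-signed RSA cert; when CRL_URI is given, embeds it
# as the crlDistributionPoints extension. Prints the path to the cert.
make_cert() {
  name=$1
  uri=${2:-}
  set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
         -keyout "$workdir/$name.key" -out "$workdir/$name.crt"
  if [ -n "$uri" ]; then
    set -- "$@" -addext "crlDistributionPoints=URI:$uri"
  fi
  openssl req "$@" >/dev/null 2>&1
  echo "$workdir/$name.crt"
}

# cert_has_crldp CERT_FILE
# Prints "yes" if the certificate carries a CRL Distribution Points extension,
# "no" otherwise. Uses -text output so it also works on older OpenSSL releases.
cert_has_crldp() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null \
       | grep -q 'X509v3 CRL Distribution Points'; then
    echo yes
  else
    echo no
  fi
}

# Demo run: the first cert points at a (constructed) CRL URI, the second does not.
with_crl=$(make_cert client-with-crl http://crl.example.test/ca.crl)
without_crl=$(make_cert client-no-crl)
echo "with CRL DP:    $(cert_has_crldp "$with_crl")"     # yes
echo "without CRL DP: $(cert_has_crldp "$without_crl")"  # no
```

Run cert_has_crldp against the real client and CA certificates to confirm whether either embeds a CRL URI the client could be trying to reach.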
