[vpn-help] Key daemon / IKE Service keeps dying with cert-based VPN in Win 7
A. J. Clark
va7aqd at isurf.ca
Tue Nov 22 15:42:09 CST 2011
On 11/21/2011 08:16 PM, Kevin VPN wrote:
> On 11/18/2011 05:40 PM, A. J. Clark wrote:
>> Hi there,
>>
>> I've been trying for the past few days to get a cert-based VPN setup
>> between the Shrew soft client in Win 7 Enterprise and a Juniper SSG5.
>>
> <snip>
>>
>> Unfortunately on the Shrew side, as it's going through the process, the
>> key daemon stops and there's no log, no matter how verbose, as to the
>> problem. The key daemon logs look similar to this when it stops:
>>
>> 11/11/17 15:44:19 DB : phase1 resend event canceled ( ref count = 1 )
>> 11/11/17 15:44:19 -> : send IKE packet 10.250.0.242:500 -> 10.250.0.241:500 ( 1304 bytes )
>> 11/11/17 15:44:19 ii : added ca.crt to x509 store
>> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:0
>> 11/11/17 15:44:19 ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTest/OU=IPSec VPN/CN=0162072007000231/CN=(250) 434-8700/CN=ecdsa-key/CN=testcertvpn.testing.com/CN=Bob Smith
>> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:1
>> 11/11/17 15:44:19 ii : subject :/C=CA/ST=BC/L=Kamloops/O=SuperTesting/OU=Staff VPN/CN=SuperTesting CA/emailAddress=bob.smith at testing.com
>>
>> I've attached a window shot of what the Access Manager connect window
>> looks like.
>>
>> Again, Phase1 completes successfully - I set up a whole new batch of keys
>> & certs today to re-do the tests from scratch and I have exactly the
>> same results - here's what the screenOS side says:
>>
>> 2011-11-18 14:07:52 info IKE 10.250.0.242 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
>> 2011-11-18 14:07:52 info IKE 10.250.0.242 Phase 1: Completed for user User1.
>> 2011-11-18 14:07:51 notif PKI: No revocation check, per config, for cert with subject name Email=User1 at testzing.com,CN=User1,.
>> 2011-11-18 14:07:51 info IKE 10.250.0.242 phase 1:The symmetric crypto key has been generated successfully.
>> 2011-11-18 14:07:51 info IKE 10.250.0.242 Phase 1: Responder starts AGGRESSIVE mode negotiations.
>>
>
> Hi Adam,
>
> I don't know much about certificates, having never worked with them, but
> I can try to help.
>
> First, I think you have a subject name mismatch, but maybe that's
> because your log outputs are from different days with different
> keys/certs. And it's probably intentional, but in case not, your
> ScreenOS log shows 'testZing.com' as the domain.
>
> When you generated your certificates, did you specify a CRL? If so, is
> the CRL server you specified accessible to the Shrew client over the
> plain Internet?
>
> If it's not available, can you try generating some certificates that do
> not specify a CRL?
Hi Kevin,
Yes, the subject mismatch you see comes from different CA/cert setups on
different days. I wanted to try things the way I knew how with
openvpn's easy-rsa scripts, and then I tried it following the ShrewVPN
wiki documentation to the letter.
In both cases, I could get Phase 1 to complete, so I'm pretty sure the
contents of the certificates and xauth information (I tested with and
without xauth) were all meshing appropriately.
For the CRL - I believe that's generally a function of the VPN "server"
device, not the client end. I have disabled CRL checking for this setup
on the ScreenOS device side of things - I think it's interesting that
the Shrewsoft side complains about it, but I suspect it complains about
it for everyone as I don't see anywhere the client can be configured
with a CRL, nor would I expect the client end to handle the CRL.
Also, I don't believe the certificates specify a CRL - I haven't seen
any information anywhere on the certificates specifying that information
at all. I've only ever seen it specified as something on the 'server'
end of these types of connections.
Thanks,
--
VA7AQD
Adam Clark
Kamloops, BC
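To see where the client-side complaint comes from, here is an added shell example (not from the thread or from the Shrew Soft project) that uses the openssl CLI to self-verify constructed test certificates with and without CRL checking enabled, and to inspect whether a certificate names a CRL at all; "unable to get certificate CRL" is OpenSSL's text for verify error 3 (X509_V_ERR_UNABLE_TO_GET_CRL), the same "(3)" and "depth:0" seen in the key daemon log. The certificate names and the CRL URI are placeholders, and openssl 1.1.1 or newer is assumed (for req -addext).

```shell
#!/bin/sh
# Added example: reproduce the verifier's CRL lookup failure and check whether
# a certificate carries a CRL Distribution Points extension.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificates (placeholder names and CRL URI):
# one without a CRL Distribution Point, one that names a CRL URI.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-no-crl-dp" \
    -keyout "$WORK/nodp.key" -out "$WORK/nodp.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-crl-dp" \
    -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl" \
    -keyout "$WORK/dp.key" -out "$WORK/dp.crt" 2>/dev/null

# crl_dp_uris CERT: print the CRL Distribution Point URIs carried in CERT.
# Returns 0 when the extension is present, 1 when the cert names no CRL.
crl_dp_uris() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"CRL Distribution Points"*)
            printf '%s\n' "$text" | sed -n 's/^ *URI:\(.*\)$/\1/p'
            return 0 ;;
        *) return 1 ;;
    esac
}

# verify_error CERT [-crl_check]: verify CERT against itself as trust anchor
# and print the OpenSSL verify error number (0 when the chain is accepted).
# With -crl_check and no CRL available, the verifier reports error 3
# ("unable to get certificate CRL") at depth 0, whether or not the
# certificate has a CRL Distribution Point.
verify_error() {
    cert=$1
    if out=$(openssl verify ${2:-} -CAfile "$cert" "$cert" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
    fi
}

echo "CRL DP in dp.crt: $(crl_dp_uris "$WORK/dp.crt")"
echo "verify without CRL check: $(verify_error "$WORK/dp.crt")"
echo "verify with CRL check:    $(verify_error "$WORK/dp.crt" -crl_check)"
```

The same verify error appears for the certificate without a CRL Distribution Point, which is why a client configured to check revocation complains even when the certificates themselves say nothing about a CRL.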