[vpn-help] Mutual RSA+XAuth problem
Kevin VPN
kvpn at live.com
Mon Apr 22 07:25:26 CDT 2013
Hi Gerd,
I disagree with your statement because I think you're not making two key
differentiations that result in an unfair blanket judgment.
First, there was a post a while ago stating that there is a known
problem using XAUTH with Juniper SRX-based devices, because Juniper has
changed how their XAUTH implementation works between the older SSG
devices and their newer SRX devices.
On the other hand, the SSG devices seem to work very well with the Shrew
Soft VPN Client - there are lots of people successfully using SSGs and
Shrew on this list.
The second differentiation is relevant to the issue below, which is the
difference between using passwords vs certificates. Certificates are
hard; people struggle with them all the time in all kinds of
applications (try getting an embedded Java implementation to trust
self-signed certificates for instance) and signing chains are frequently
an issue. That people trying to use certificates are having problems is
not necessarily a problem with Shrew or Juniper - it could just be the
certificates themselves.
I am sure that there are people on this list who use certificates with
Juniper SSGs and Shrew who can help. We merely have to be patient in
the hope that one of them will help out.
On 04/22/2013 07:58 AM, Gerd Röthig wrote:
> Hello all,
>
> I have been reading this mailing list for some time now. Again and again, there are
> problems with the Shrew Soft VPN client and various Juniper equipment. It seems
> that the Shrew Soft VPN Client simply does not work with the Juniper devices.
> Perhaps this is by design (if Juniper offers their own client software).
> Or it is like many ultra-professional "Web Applications" which only work
> with Internet Explorer. Although it seems like a suboptimal idea at first
> glance, you should perhaps be thinking about using the Juniper certified
> client software (if there is any) or reverting to the Cisco Systems VPN client.
>
> Kind regards,
>
> Gerd
>
>
> 2013/4/22 eric xu <chixu8341 at hotmail.com>
>
>> Hi All,
>>
>> While testing Client 2.17 on Ubuntu 12.04 LTS (following
>> Howto_Juniper_SSG_Using_Certs) with an SSG20, I came across the following problem:
>>
>> 13/04/22 15:34:16 -> : send NAT-T:IKE packet 192.168.1.108:4500 ->
>> 120.72.49.xxx:4500 ( 2036 bytes )
>> 13/04/22 15:34:16 ii : *unable to get local issuer certificate(20) at
>> depth:0*
>> 13/04/22 15:34:16 ii : subject :/C=CN/ST=Beijing/L=Beijing/O= Ltd.
>> /O=Chenhongli Beijing Co./OU=IT/CN=0164022011000224/CN=rsa-key/CN=
>> vpn.chenhongli-bj.net/CN=Ms. Helen Wang
>> 13/04/22 15:34:16 !! : unable to verify remote peer certificate
>>
>> Since it is a self-signed certificate, per the howto I did place the ca.crt
>> into ~/.ike/certs, but I still have the above problem.
>>
>> Any help will be appreciated.
>>
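The error eric quotes is OpenSSL verify error 20 (unable to get local issuer certificate) at depth 0: no trusted certificate matched the issuer of the peer's own certificate. The shell check below is an added example, not part of this thread and not Shrew Soft code; it assumes the openssl CLI is installed and that the peer certificate has been exported to a file, and it separates "wrong CA file" (issuer name does not match) from "CA matches by name but did not sign this certificate".

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a candidate CA file is
# really the issuer of a peer certificate, the first thing to confirm when
# OpenSSL reports "unable to get local issuer certificate (20) at depth:0".
# Requires the openssl CLI. Usage: check_issuer peer.crt ca.crt
#   returns 0  ca.crt issued peer.crt
#   returns 1  issuer DN of peer.crt does not match the subject DN of ca.crt
#   returns 2  names match but the chain does not verify (different CA key)

check_issuer() {
  peer=$1
  ca=$2

  # Issuer DN of the peer certificate and subject DN of the CA certificate.
  # The sed strips the "issuer="/"subject=" prefix so both OpenSSL 1.0 and
  # 1.1/3.x output styles compare cleanly.
  peer_issuer=$(openssl x509 -in "$peer" -noout -issuer | sed 's/^issuer=//')
  ca_subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject=//')

  if [ "$peer_issuer" != "$ca_subject" ]; then
    echo "DN mismatch: peer issuer [$peer_issuer] != CA subject [$ca_subject]" >&2
    echo "-> $ca is not the issuer; the trust store needs the real issuing CA" >&2
    return 1
  fi

  # Names match, so let OpenSSL build and verify the chain. Failing here with
  # matching names usually means the CA was re-generated (new key, same name)
  # after the peer certificate was signed, or the file is a different CA that
  # merely shares the DN.
  if ! openssl verify -CAfile "$ca" "$peer" >/dev/null 2>&1; then
    echo "names match but $peer does not verify against $ca" >&2
    return 2
  fi

  echo "$ca is the issuer of $peer"
  return 0
}
```

Run it against the certificate the SSG presents and the ca.crt placed in ~/.ike/certs; a return of 1 means the file in the certs directory is simply not that certificate's issuer, whatever the client does with it.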