On 3/31/2010 7:44 AM, Michael wrote:
>
> Hello list,
>
> I'm using the shrew ike daemon (packaged with the Qt client) version
> 2.1.4 on Ubuntu Linux 9.10. The goal is a roadwarrior installation
> with X.509 certificate authentication.
>
> When using preshared keys this same configuration works. Mobile
> clients using other software (IPSecuritas) with the same
> certificates I'm loading in Shrew work as well so...
>
> The problem is that I see 'Gateway authentication error' in the
> GUI window after trying to connect. The log /var/log/iked.log:
>
> ii : unable to get local issuer certificate(20) at depth:0
> ii : subject :/CN=name.host.tld
> !! : unable to verify remote peer certificate
>
> The host 'name.host.tld' is in the SubjectAltName of the X.509
> certificate loaded on the ike v1 server m0n0wall 1.31. I have
> concatenated the root and intermediate CA certificates of CaCert.org
> to the file 'cacert-combi.pem':
>
> s:ident-server-type:asn1dn
> s:auth-server-cert:/home/username/.ike/certs/cacert-combi.pem
> s:auth-client-cert:/home/username/.ike/certs/myclienthost-cacert-rsa-4096-crt.pem
> s:auth-client-key:/home/username/.ike/keys/myclienthost-cacert-rsa-4096-key.pem
>
> What can be the problem?
>
I don't believe concatenating the certificate files together will have any effect. A lot of work was done between 2.1.4 and 2.1.6 to handle a multi-certificate chain to be interpreted correctly when received from the peer during phase1 negotiations. And on the Windows platform, we have a special directory where a user can drop additional certificates that are used as intermediates during certificate verification. But on Linux/BSD, there is no analog to this.

I think we need to allow a certificate directory to be passed instead of a single certificate file. This will allow a client to configure a group of certificate files that can be used for chained authentication. Unfortunately, I don't have time to do this at the moment. This should be completed before 2.2.0 release.

Sorry I can't be more help at this time.

-Matthew

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
