On 11/6/2010 7:44 PM, dontek wrote:
> Hey folks:
>
> I am having an issue with the Shrew Soft VPN client connecting to my
> OpenBSD 4.8 isakmpd gateway since attempting a switch from Pre-Shared
> Key Auth to Mutual RSA Auth using a Windows 2008 R2 Certificate Services CA.
>
> I am using the sscep client to connect to the Windows CA via Network
> Device Enrollment Service (mscep) to pull the CA certificate and request
> and pull client certificates to isakmpd on the OpenBSD gateway.
>
> I have installed the Windows CA certificate to /etc/isakmpd/ca/ca.crt
> and I am able to verify client certificates against it using
> `openssl verify -CAfile /etc/isakmpd/ca/ca.crt /etc/isakmpd/certs/local.crt` etc…
>
> I have a local cert and key as well as a client cert and key installed
> into isakmpd.
>
> Upon attempting a connection via Shrew Soft VPN client, Phase 1 fails
> with “unable to verify remote peer certificate”.
>
> On the OpenBSD gateway isakmpd logs:
>
> …Default isakmpd: phase 1 done: initiator id…
>
> …Default isakmpd: Peer <ipaddress> made us delete live SA peer-default
> for proto 1, initiator id…
>
> I am assuming Shrew is complaining about my OpenBSD gateway’s issued
> cert and not the CA cert, correct?
>
> Can someone help give me a clue as to what is going on here?


Have you looked at the debug level output using the VPN Trace application? It may provide some insight ...

http://www.shrew.net/support/wiki/BugReportVpnWindows

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
